Brit borough council apologizes for telling website users to disable HTTPS

Planning portal back online with a more secure connection


Reading Borough Council has securely restored its planning portal after facing criticism for recommending questionable tech security practices to users.

Before the fixed version went live this morning, the English local authority's online planning application portal had been offline due to "technical issues," an outage that had persisted for nearly a month.

Responding to a discussion related to the issue via a now-deleted post on X, the council's official account recommended users disable HTTPS in their browser as a way around the technical issues disrupting access to the planning portal.

Reading Borough Council's X post that instructed users to disable HTTPS

Until November 26, the same advice appeared in a yellow banner sprawled across the planning portal's homepage.

The council advised users to access the service using Chrome rather than Safari, since Safari does not allow users to turn off HTTPS, before listing the instructions on how to switch off the security feature.

Chrome has used HTTPS for its default navigation protocol since 2021, offering better load speeds for websites and protections from data interception or manipulation.

HTTPS builds on HTTP by using TLS encryption for requests and responses, meaning any sensitive data submitted to a website is encrypted rather than being sent in plaintext. An intercepted HTTP request, which lacks encryption, could provide cybercriminals with sensitive information like passwords, potentially leading to more severe attacks.

While the likelihood of users submitting sensitive information on a council's website for planning applications is low, if they forget to re-enable HTTPS afterward, they could remain vulnerable to online attacks.

More than anything else, Reading council was promoting embarrassingly bad security hygiene.

The council has since apologized for publishing this information, calling it "incorrect."

In the latest update on November 24, the council posted: "Apologies for the incorrect information that was tweeted."

The council sent a statement to The Register today: "The Council's Planning Portal is back online with a secure connection restored at 10:08 am on 27 November following the successful completion of remedial work.

"A planning portal website update was required as access from some internet browsers was being blocked.

"We apologize for the obvious inconvenience and confusion caused and the portal should now be fully operational with no special action on the part of users being necessary."

The local authority declined to provide an answer on how the original advice to disable HTTPS was approved internally.

The Register approached the National Cyber Security Centre (NCSC) but it did not respond. 

The official advice from GCHQ's cybersecurity arm to website operators is to always use HTTPS, even if the website is basic enough to not include private content, sign-in pages, or other sensitive information like credit card details.

UK public sector organizations, like Reading Borough Council, have access to the NCSC's Web Check service, which can audit a website and identify misconfigurations as well as whether HTTPS is in use or not. ®
