[opendais]

Yes this is terrible...but it isn't the "UK Government" its a private corporation as per: https://www.getsafeonline.org/about-us/

It also does work over https: https://www.getsafeonline.org/themes/passwrdcheck/index.html

So I'm pretty sure this is just the fact they failed to setup the redirect. Rather than mocking them on Hacker News, we should just tell them they broke that part of their setup at some point and should fix it?

EDIT:

Tried to contact them, got a "The form you submitted contained the following errors

Missing Data.(DIFFERENT_IP)"

error which has nothing to do with the form I submitted. XD

Could someone contact them by their contact us page to get this fixed?

[ZoFreX]

> Get Safe Online is a jointly funded initiative between several Government departments and private sector businesses. In fact, we are the Government’s preferred online security advice channel.

There are adverts everywhere about it with obvious government endorsement.

It's not just that they send it over HTTP. It shouldn't send it anywhere, it should all be done client-side with JavaScript. It's more than "you made a little mistake" it's "who are you to tell people what is, or isn't, secure when you can't even manage the basics?"

[opendais]

I'm not from the UK and I never believe anything a company puts on its about us page. ;)

If they are doing statistical analysis on password, they'd have to send that information somewhere so I'm not surprised that they are.

Anyone who is concerned about security shouldn't be giving their password to a 3rd party to verify [even via a javascript webpage] for any reason.

Also: "(Never enter your real password into a password checker, as unlike this one, some may be fake)" From the page.

[daveslash]

I give this site to people so they can check the strength of their twitter password. I think it get's the point across. http://www.ismytwitterpasswordsecure.com

[Tyrannosaurs]

> Also: "(Never enter your real password into a password checker, as unlike this one, some may be fake)" From the page.

That's genius because scammers would never say something like that because that would be lying and people don't lie because it's naughty.

[opendais]

I read that and concluded they meant "Do not use a real password on this site"

[crashandburn4]

> Anyone who is concerned about security shouldn't be giving their password to a 3rd party to verify [even via a javascript webpage] for any reason.

I'd agree but I don't think anyone who reads hacker news is likely to use a password checker anyway. We all, however, know less technical people who could and would get compromised by something like this and to have it endorsed by the government sends the message that it is safe. That's the problem as far as I'm concerned.

[santosha]

It is done client side with javascript, in the results.js on the results page. If they'd put it on the original page, it would all have been client side. The only reason I can think of for doing it this way is statistics collection for later.

[madaxe_again]

It IS "UK Government" - it's a QUANGO, so they can keep it at arms length and wash their hands of it, but be under no illusions, this is a government led initiative for which they ultimately, if not in practice, bear responsibility.

The cynic in me says that this is a deliberate effort to grab as many passwords as possible. It sounds outlandish, but what actions of our rogue agencies haven't been?

[gtirloni]

That would be a waste of resources given the chances of a real criminal testing his/her password strength on a government-operated website are very remote. Even then, they would have to invest in marketing to get people to actually use it when, we all know now, the GHCQ/NSA can simply collect everything at critical infrastructure points.

This looks like a good idea, poorly executed.

[madaxe_again]

You think they're after "real criminals"? Tell me, what is this "real criminal" of what you speak? Is it someone who disagrees with the edicts of the state? Is it someone who has the wrong skin colour?

Occam's razor says you're right, but while they're busy accusing us all of criminal acts, we may as well do the same.

[tyho]

I just called who I think is the head of the site, a little ironic that the head of a site that is funded by the government to educate how to secure ones privacy online publishes his mobile number in the WHOIS data for said site, he asked me to email him with my concerns, which I have now done.

[knotty66]

Even over HTTPS it wouldn't be secure. The password is in the URL so would be stored in the users browser history, and possibly also web-server logs and sent as referrer headers with assets on the secured page.

[neura]

If you do visit the https version of the page, some of the links back to page still have a hard coded http:// instead of https://

[cs02rm0]

True, ish, they are very much involved.

https://www.cyberstreetwise.com is the website UK government used to get people to send them their passwords.

[coriny]

So this may be a coincidence, but I just followed that link and got a warning from malwarebytes about a malicious website trying to connect to my computer.

I've tried a couple more times and not got it again. Anyone else see anything?

EDIT: The IP address reported by MalwareBytes is blocked, but I still don't know if it was just coincidence that the warning popped up a second or two after clicking that link. If anyone else experiences anything similar let me know.

Still it seems to me that this would be an awesome site to use as a watering hole for ensnaring naive web users, i.e. the kind who won't even notice when they are massively infected.

[gtirloni]

Just sent an email to their WHOIS contacts.

[Torn]

They're on twitter too @GetSafeOnline

[Alupis]

This is the same government that thought they could "block all porn" on the internet?