The website of the National Criminal Registry provides information on criminal records of the criminal registry services of the Prosecutor's Offices of the country and the Independent Criminal Registry Department of the Central Service of the Ministry of Justice, as well as on the ways and procedures required to criminal record.
I imagine you all understand the seriousness of the information contained in the National Criminal Record. So yesterday after our publication about the hack of the Ministry of Development and the finding that the page still uses HTTP protocol instead of secure HTTPS, a reader of iGuRu.gr posted a complaint through our Facebook page.
The reader tells us:
I need a copy of a criminal record that you can now get electronically from the National Criminal Record service (ncris.gov.gr).
In order to register, however, you must provide all sensitive personal data concerning you, as well as username and password. However, they warn you that the connection is not secure and that your data may be intercepted…
The post is accompanied by an image that says it all:
For the real reason we visited the Portal of the National Criminal Record and really the page is not safe for the public.
On the contrary the main website https://www.gov.gr/ διαθέτει πιστοποιητικό SSL, μόνο που είναι free από την Lets Encrypt. Δεν βαριέσαι κάτι είναι και αυτό.
Το συγκεκριμένο πιστοποιητικό της Lets Encrypt ασφαλίζει εκτός από το κεντρικό portal του gov.gr και τα subdomains form.gov.gr, forma.gov.gr, howto.gov.gr (δεν λειτουργεί) το CNAME www, and finally the covid19stats.gov.gr.
The last subdomain, although it is online, does not show results and it will be interesting to see if at some point what the poet means by the header "COVID-19 Patient Registry" works (parentheses close).
But let's go back to the SSL effect which does not exist and if there is it is free from Lets Encrypt. Let's take a look at another country and what certificate it uses:
Usa.gov and all (*) usa.gov subdomains are secure with Sectigo Wildcard SSL Certificates. They cost a little more but are important for governments who consider cybersecurity to be a priority.
I wonder how they talk about e-Government with such crap on the internet.
Can I mention a paranoia?
For the creation of the Greek portals in the domain .gov.gr, a tender and assignment of the project to the bidder may have been announced. Because this is how the Greek state works, with absolute transparency, even in our very personal data….
