Maltese Gov uses self signed SSL, still acceptable in 2017?
The Maltese registry of companies appears to have been using a self signed certificate for their online portal since 2014. In the UK we have an equivalent body called companies house.
Why is a self signed SSL certificate bad?
An SSL certificate is a means of ensuring that the website you are connecting to is the correct website and not something an imposter has setup. If someone presented a fake passport, they would not be allowed through an airport. SSL certificates are similar, they are validated by a third party so you know when you visit the site, it is somewhere you can trust.
Without a valid SSL certificate, it is possible to setup a “Man in the middle” style attack where someone can present a fake website and collect your login details, thereby giving them access to the original website.
A client in Malta discovered this and being contacted them directly, the advice the client received was “That is ok, just hit continue and ignore the warning”
This is bad on so many levels, Here is a brief on what the registra handles taken from their site:
The Registry of Companies forms part of the Malta Financial Services Authority. The core responsibilities of the Registrar of Companies arise out of the Companies Act, 1995. These are:
Registration of new commercial partnerships, Registration of documents related to commercial partnerships, Keeping the company and partnership register, Collection of registration and other fees, Publication of notices, Issue of certified documentation, Issue of good-standing and other certificates, Reservation of company names, Imposition and collection of penalties, Investigation of companies
It is a trivial cost to purchase and install a genuine SSL certificate. The alternative is to leave your users or customers exposed to a very real security risk which is actively used by attackers.
There are flaws in the certificate system and there are still ways of getting around it. But to not even attempt a modest form of security is just not right.