IRIS OpenSpace security issue

Have I been hacked?

I have just tried to log on to IRIS OpenSpace and an error message comes up indicating that the website is not secure. Also, in the address bar (Chrome) the https has been struck through and to the left of that is a red warning triangle with the words Not Secure in red. I've never had this before and I am obviously worried.

Help, anyone?

Many thanks.


26th May 2019 16:06

It looks like an expired security certificate. Poor from Iris but there is probably no data at risk. The connection is still secure; it’s just that they need a new certificate. I suspect it has been overlooked by Iris because of the bank holiday.

26th May 2019 16:38

Tim is right. Most browsers allow you to look at details of the certificate. Certificates are sequences of binary data that are used to prove that the holder of the certificate is the owner of the website.

With Chrome if you right click on the bit in the address bar just in front of the URL you can get details of the certificate.

You are probably trying this:

The certificate for that site expired at noon today GMT and they will probably be embarrassed by the fact that this is wrong through the bank holiday weekend.

They only renewed it for just over a year which is a really short period for a paid certificate. You can also get free certificates which can still give A+ ssllabs security standards.

There is, however, no evidence you have been hacked and it is more just an embarrassing event for Iris rather than anything which requires reporting to the ICO.

By SXGuy
26th May 2019 17:07

Expired SSL certificate. Don't believe you've never seen it before though. HMRC had the same issue a few months back.

By SteveOH
26th May 2019 22:02

I don't recall seeing that on the HMRC website. That might have been when I was in hospital; or on a course :)

By SteveOH
26th May 2019 21:59

Thanks for all your help guys. Although I am quite competent in using software, I am not that great on the technical side of things. But you've all put my mind at rest. Indeed the OpenSpace website is now displaying correctly.

Many thanks.

27th May 2019 07:48

Indeed if you now test their security status you find they have renewed the certificate for two years:

They are using a Microsoft IIS server version 8.5.

They end up only with an "A" rating for security rather than the top "A+", but I would not say that this is a risk worth worrying about or deciding to use another supplier because they don't have top rated security. Also it isn't that easy to get to the "A+" rating of security.

This, of course, is only transmission security.

Now it might be said that because most of the readers of this forum are accountants why do I need to explain this. I think it is worth people knowing that there are different ways in which transmission security is implemented and there is in fact a website that in a few minutes will test a website for free and give a rating. You can, of course, try other websites or even check your own website to find out how it would be rated.

I don't think it is worth going into the details of what the different ratings are. That information is on the website I linked to if anyone is interested. Nor would I panic if the rating were to be a "B". It is something to be aware of and aim to improve. It is, however, a mistake to have no transmission security.

If I were an accountant the way I would look at this is that my clients might try to find out the security rating of my own website and it would be nice to have an answer that is higher rather than lower, much that there are questions as to how much to spend to improve the security rating.

It is also a factor I personally would take into account when considering who to purchase services from, if only to give an objective assessment of technical competence rather than necessarily a substantial service difference.

28th May 2019 09:09

I have just called Iris to find out what happened and the guy on the phone was not aware of any issues and as the certificate has been renewed he cannot investigate any further. He was also surprised that it had lapsed.

30th May 2019 23:01

A lapsed certificate makes the transmission insecure. So it is not a good idea to use a site like that.

to elliottchandler
31st May 2019 08:07

I disagree with you. If the certificate is about 2 hours out of date it is really unlikely to be a "man in the middle" attack. The transmission itself is secure; certificates are there to prevent MITM attacks.

MITM attacks have happened in email where some ISPs (not in the UK) have forced email out of encryption in mail relay servers.

That's a hard thing to track as most mail software doesn't notice (Gmail does AFAIK, I have written a mail server that does as well). However, in those circumstances they would not have a certificate at all - which should be a concern - rather than one which is a couple of hours out of date.
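
An added example, not part of the thread or written by any of its posters: a small Python monitor of the kind a site operator could run so that a certificate does not lapse unnoticed, and that separates "expired" from any other verification failure, the distinction drawn in the replies above. The function names, the 30-day warning threshold and the sample `notBefore` date are assumptions; the `notAfter` value mirrors the "noon today GMT" expiry mentioned in the thread.

```python
import socket
import ssl
from datetime import datetime, timezone

# OpenSSL verify code X509_V_ERR_CERT_HAS_EXPIRED
CERT_HAS_EXPIRED = 10

def _parse(cert_time):
    """Convert a getpeercert() date string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def expiry_status(cert, now, warn_days=30):
    """Classify a certificate dict (shape of SSLSocket.getpeercert()) by its dates.

    Returns (status, timedelta): time since expiry, or time left before it.
    """
    not_before = _parse(cert["notBefore"])
    not_after = _parse(cert["notAfter"])
    if now < not_before:
        return "not-yet-valid", not_before - now
    if now >= not_after:
        return "expired", now - not_after
    remaining = not_after - now
    return ("renew-soon" if remaining.days < warn_days else "ok"), remaining

def probe(host, port=443, timeout=5):
    """Live check: fully verified handshake, reporting why verification failed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return expiry_status(tls.getpeercert(), datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as err:
        # An expired certificate is an operational lapse; any other failure
        # (unknown issuer, hostname mismatch) needs a closer look.
        kind = "expired" if err.verify_code == CERT_HAS_EXPIRED else "other-verification-failure"
        return kind, err.verify_message

# Constructed sample, not the real certificate: notBefore is invented,
# notAfter follows the expiry time quoted in the thread.
SAMPLE = {"notBefore": "May 20 12:00:00 2018 GMT",
          "notAfter": "May 26 12:00:00 2019 GMT"}

if __name__ == "__main__":
    checked_at = datetime(2019, 5, 26, 16, 6, tzinfo=timezone.utc)
    print(expiry_status(SAMPLE, checked_at))
```

Run on a schedule against your own hostnames, `probe()` gives a "renew-soon" warning weeks before browsers start showing the error described in the first post.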

