Nigerian Police website’s expired certificates expose citizens to major data breach

The issues identified on the Nigeria Police Force website, npf.gov.ng, are far more than a simple technical glitch. They represent a significant security failure with widespread implications. This isn’t just about a website being “down” or “broken”; it’s about a complete breakdown of trust and security, which is particularly alarming for a government portal.

The most glaring and immediate problem is the expired SSL certificate. In today’s digital landscape, an SSL certificate is the bedrock of online security. It’s the digital equivalent of a government ID, a guarantee that you are communicating with the official entity you believe you are.

An expired certificate is a massive gaping hole in the security perimeter. It leaves the door wide open for a variety of cyber threats. When this ID expires, that guarantee vanishes. Browsers and users are rightly warned to stay away, but the real danger is what lies beneath the surface.

First and foremost is the risk of Man-in-the-Middle (MitM) attacks. Without a valid certificate, an attacker can easily intercept the communication between a user and the server, impersonating the website.

They can then steal sensitive data, such as login credentials, personal information, and any other data that users might submit. For a government portal, this could include everything from personal identification details to official applications, creating a goldmine for malicious actors.

This problem is a classic example of cybersecurity negligence. The expiration dates are not hidden and are visible in the certificate details. Allowing a critical security component to expire for months, or even a year and eight months in one case, points to a lack of proper monitoring, maintenance, and a clear chain of command for cybersecurity management.

This is the Nigerian Police Force, which arrests individuals who violate cybersecurity laws. 

Read also: Nigerians react as Bola Tinubu commissions the Nigeria Police National Cybercrime Centre

This isn’t just the Nigerian Police Force’s problem…

This isn’t an isolated incident as it is a symptom of a larger, systemic failure. It suggests that a fundamental principle of cybersecurity, the continuous management of assets, is not being followed.

The implications of this lapse are profound, listed below:

• Data breach risk: Any data submitted to this site while the certificate is expired is not securely encrypted. It travels in plain text, making it incredibly easy for a cybercriminal to intercept. This could lead to a massive data breach, exposing the personal information of countless citizens who might use the portal for various services.
  
  The reputational damage and legal consequences of such a breach would be immense. Not like the Nigerian Police Force knows what reputation is, anyway.
• Phishing and impersonation: The lack of a trusted certificate makes it easier for criminals to create convincing phishing websites. Since the official site already triggers a security warning, users may become desensitised to such alerts.
  
  An attacker could create a look-alike site, and the security warnings would be similar, making it difficult for an average user to distinguish between the fake and the real, untrusted site.
• Erosion of public trust: For a government agency, trust is everything. When citizens see that the official government website cannot even maintain a basic level of security, it erodes their confidence in the government’s ability to protect their data.
  
  This can have long-lasting effects, discouraging citizens from using online government services and forcing them back to less efficient, manual processes.
• A broader systemic problem: The two separate, expired certificates from different issuing authorities (GoDaddy and Sectigo) suggest that there might be multiple, uncoordinated attempts at managing the domain’s security.
  
  This lack of a centralised, cohesive cybersecurity strategy is a recipe for disaster. It indicates a fragmented approach to IT management, where different teams might be managing different parts of the infrastructure without a unified vision or oversight.

Candidly, the state of the Nigeria Police Force website’s SSL configuration is a serious and urgent problem.

The root cause appears to be a profound failure in cybersecurity governance and asset management, which needs to be addressed with the utmost urgency to secure the portal and protect the data of the citizens it serves.