Following TMI story: MaltaPost updates its website’s security, gets an A for its efforts

John Cordina Friday, 15 May 2015, 08:19 Last update: about 10 years ago

MaltaPost has successfully upgraded the security of its website after a report published in the last edition of The Malta Independent on Sunday highlighted a number of security weaknesses, turning its website into one of Malta’s most secure in the process.

For that article, The Malta Independent tested a number of secure local websites – which handle financial transactions and other sensitive communication – using a reputable online test supplied by US-based Qualys, one of the leading companies in the field of network security.

MaltaPost’s website was one of three that received an F grade – the other two, surprisingly, were the government’s gov.mt website and the eGovernment portal mygov.mt, which were both flagged as being vulnerable to what are known as man-in-the-middle attacks.

In MaltaPost’s case, the test flagged a number of concerns, including the use of older, deprecated security protocols that are now deemed obsolete and insecure. These include the SSL 2 protocol, which was defined in 1995 and superseded by SSL 3 a year later. Conversely, the site did not support the latest protocol, TLS 1.2.

But the postal operator acted swiftly following the publication of our article, with a spokesman informing The Malta Independent that it has performed a risk assessment on its customer website policies. “MaltaPost is pleased to advise the public that its website now sports an A rating by Qualys’ SSL Labs,” the spokesman added, an assertion that The Malta Independent has independently confirmed. “Through ongoing assessment, MaltaPost continuously strives to ensure a high degree of privacy and security to all customers visiting its website.”

The revamped site now has an A grade and an average score of 93.75 out of 100 across the four categories assessed by Qualys, making it one of Malta’s most secure websites. A closer look at the test results show that among other things, the website no longer supports the outdated SSL 2 and SSL 3 protocols, whilst support for TLS 1.2 has been added.

As it happens, security issues relating to the use of older protocols only affect those who use older computer systems and web browsers: Newer browsers automatically disable them. But ultimately, moving away from protocols whose weaknesses are well known to hackers is still a positive move, even if only a minority of users would be at risk.

So The Malta Independent can only welcome MaltaPost’s swift response to the concerns flagged in our article. We can only hope the government follows suit soon enough: Its own F grade persists.