Like thousands or even millions of other British Gas users, I received my usual monthly email asking me to submit my meter reading. Nothing unusual in that, until I followed the link (as usual) and got an invalid certificate warning. I do this every month and have never had a problem before. So somebody on the British Gas web development team has been fiddling with settings and broken something, and drastically reduced security as a result.
The email looks like this:
The link in the email goes to a genuine British Gas login page, https://www.britishgas.co.uk/Login/BookMarked/BookLink/10?email=+Y8D4Q9PT/P5Y9uIivbe13MCcZI5SlqyA96YLeDC4XA=&cid=oemESgmr, which redirects to https://britishgas.co.uk/my-account/?cid=oemESgmr
Yes, I know we always say “Don’t follow links in emails, go direct to the page & login manually”, but in some cases we all do things the easy way and don’t follow best practice. However, any link, stored shortcut or manual entry of https://britishgas.co.uk will give the same certificate errors,
where you see this certificate warning page
If you select “Continue to this website”, you go to https://britishgas.co.uk/identity/ where you get this certificate error message in Internet Explorer:
And this in Firefox:
It looks like British Gas have misconfigured their website in several ways. Firstly, they only have an SSL certificate for the WWW hostname, which is a big mistake. They are relying on some sort of redirection to automatically send anybody using https://britishgas.co.uk to https://www.britishgas.co.uk. But somewhere along the way, the redirect is broken.
I am guessing it is a broken .htaccess redirect. If I type http://britishgas.co.uk or just britishgas.co.uk, I do get automatically redirected to https://www.britishgas.co.uk, BUT if I type, or use a bookmark of, https://britishgas.co.uk I get the first certificate error page shown above and the whole sorry saga continues.
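One point worth making explicit about the certificate-only-on-WWW problem: the browser validates the certificate during the TLS handshake, before the server has any chance to send an HTTP redirect. So a redirect from https://britishgas.co.uk can never remove the warning; the only cure is a certificate whose Subject Alternative Names cover both hostnames. The following checker, an added example that is not code from the original post, implements RFC 6125-style name matching over the dictionary shape that Python's `ssl` module returns from `getpeercert()`, so it can be pointed at a live server via `fetch_peercert`. The three sample certificates in it are constructed for illustration and are not British Gas's real certificate; they show that a WWW-only certificate leaves the bare domain uncovered, that a wildcard `*.britishgas.co.uk` does not cover the bare domain either (a wildcard stands for exactly one label), and that listing both names fixes it.

```python
"""Which hostnames does a certificate actually cover?

Added example, not code from the original post. Works on the dict shape
returned by ssl.SSLSocket.getpeercert(), so the same check can be run
against a live server. The sample certificates below are CONSTRUCTED for
illustration and are not British Gas's real certificate.
"""
import socket
import ssl


def san_dns_names(peercert: dict) -> list[str]:
    """Return the DNS entries of the certificate's Subject Alternative Name."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard may only be the whole left-most label
    and stands for exactly one label, so '*.example.co.uk' covers
    'www.example.co.uk' but neither 'example.co.uk' nor 'a.b.example.co.uk'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[2:]
    if "." not in suffix:  # refuse '*.uk'-style patterns outright
        return False
    first, _, rest = hostname.partition(".")
    return bool(first) and rest == suffix


def uncovered_hostnames(peercert: dict, hostnames) -> list[str]:
    """Hostnames for which a browser would raise a name-mismatch error."""
    names = san_dns_names(peercert)
    return [h for h in hostnames if not any(dns_name_matches(n, h) for n in names)]


def fetch_peercert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live certificate. The chain is still verified (CERT_REQUIRED),
    but hostname checking is disabled so a mismatched certificate can be
    inspected instead of aborting the handshake. Needs network access; the
    offline demo below does not call it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates, in the shape getpeercert() returns.
WWW_ONLY_CERT = {"subjectAltName": (("DNS", "www.britishgas.co.uk"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.britishgas.co.uk"),)}
FIXED_CERT = {"subjectAltName": (("DNS", "www.britishgas.co.uk"), ("DNS", "britishgas.co.uk"))}

# The two hostnames a user might reach the site by.
HOSTS = ["www.britishgas.co.uk", "britishgas.co.uk"]


def demo() -> dict[str, list[str]]:
    """Report which of HOSTS each constructed certificate leaves uncovered."""
    return {
        "www-only": uncovered_hostnames(WWW_ONLY_CERT, HOSTS),
        "wildcard": uncovered_hostnames(WILDCARD_CERT, HOSTS),
        "fixed": uncovered_hostnames(FIXED_CERT, HOSTS),
    }


if __name__ == "__main__":
    for label, missing in demo().items():
        print(f"{label:9s} uncovered: {missing or 'none'}")
```

To check a real deployment, replace the constructed dictionaries with `fetch_peercert("your-domain.example")` and pass both the bare and the www hostnames to `uncovered_hostnames`; anything it returns is a hostname that will produce exactly the warning page shown above, regardless of how the redirects are configured.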
To add insult to injury, running British Gas through https://www.ssllabs.com/ssltest/analyze.html?d=britishgas.co.uk, the de facto standard check for SSL configuration errors, gives a “not trusted” warning, and a generally poor B rating if you ignore the trust problem.
When you check the WWW version at https://www.ssllabs.com/ssltest/analyze.html?d=www.britishgas.co.uk, you get a generally poor B rating, which for a major company that accepts payments and critical client information on its site using an EV certificate is pretty dreadful.