British Gas Invalid Certificate Warnings.

Like thousands or even millions of other British Gas users, I received my usual monthly email asking me to submit my meter reading. Nothing unusual in that, until I followed the link (as usual) and got an invalid certificate warning. I do this every month and have never had a problem before. So somebody on the British Gas web development team has been fiddling with settings and broken something, drastically reducing security as a result.

The email looks like this:

(Image: British Gas meter reading email)

The link in the email goes to a genuine British Gas log-in page, which redirects to

Yes, I know we always say “Don’t follow links in emails; go directly to the page and log in manually”, but in some cases we all do things the easy way and don’t follow best practice. However, any link, stored shortcut or manual entry of will give the same certificate errors

where you see this certificate warning page:

(Image: Internet Explorer certificate error page)

If you select “Continue to this website”, you go to where you get this certificate error message in Internet Explorer:

(Image: British Gas invalid certificate warning)

And this in Firefox:

It looks like British Gas have misconfigured their website in several ways. Firstly, they only have an SSL certificate for the WWW version, which is a big mistake. They are relying on some sort of redirection to automatically redirect anybody using to . But somewhere along the way, the redirect is broken. Even a working redirect cannot rescue an HTTPS request to a name the certificate does not cover: the browser validates the certificate during the TLS handshake, before it ever sees the redirect, so the warning appears regardless.

I am guessing it is a broken .htaccess redirect. If I type or just , I do get automatically redirected to , BUT if I type or use a bookmark of , I get the first certificate error page shown above and the whole sorry saga continues.
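The misconfiguration described above, a certificate that names only the www host while users also reach the bare domain, is easy to catch before deployment by checking every hostname users might type against the certificate's subjectAltName entries. The script below is an added example, not code from the original post; the SAN lists and `example.com` names are constructed sample data, not British Gas's real certificate.

```python
# Added example, not from the original post: a pre-deployment check for the
# misconfiguration described above, where the certificate names only the www
# host but users also reach the bare domain. The SAN lists are constructed
# sample data (example.com), not British Gas's real certificate.

def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName subjectAltName entry against a hostname.

    Follows the usual browser rules: case-insensitive exact match, and a
    wildcard only as the entire leftmost label, covering exactly one label
    and never a name with too few labels (so "*.com" matches nothing).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_hostnames(san_dns_names, served_hostnames):
    """Return the served hostnames that no SAN entry covers.

    Feed it every name users may type or bookmark (bare domain, www, other
    aliases). Any name returned will trigger a browser certificate warning
    on HTTPS, because validation happens in the TLS handshake before any
    redirect to the www host can be sent.
    """
    return [host for host in served_hostnames
            if not any(san_matches(san, host) for san in san_dns_names)]


# Constructed sample certificates and the names users actually reach.
WWW_ONLY_CERT = ["www.example.com"]             # the broken state
FIXED_CERT = ["www.example.com", "example.com"] # both names covered
HOSTNAMES_USERS_REACH = ["example.com", "www.example.com"]

if __name__ == "__main__":
    print("www-only cert leaves uncovered:",
          uncovered_hostnames(WWW_ONLY_CERT, HOSTNAMES_USERS_REACH))
    print("fixed cert leaves uncovered:",
          uncovered_hostnames(FIXED_CERT, HOSTNAMES_USERS_REACH))
```

In the www-only case the bare domain comes back as uncovered, which is exactly the name-mismatch warning the screenshots above show.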

To add insult to injury, running a check of the British Gas site on , which is the de facto standard check for SSL configuration errors, gives you a “not trusted” warning, and a generally poor B rating if you ignore the trust failure.

(Image: British Gas SSL test result)

When you check the WWW version against , you get a generally poor B rating, which for a major company that accepts payments and critical client information on a site using an EV certificate is pretty dreadful.

(Image: British Gas WWW SSL test result)