nationwide interception of Facebook & webmail login credentials in Tunisia

Tony Naggs tony.naggs at
Tue Jan 25 15:44:15 GMT 2011

Hi Adrian

On 25 January 2011 14:58, Adrian Midgley <amidgley at> wrote:
> I wonder how much this applies within the NHS network.

I am not clear what your question is, nor do I know how the NHS
networks are operated.

If you are using the NHS network to access the Internet then your
security can in theory be subverted quite easily, e.g.:
1. If you are using a non-secure protocol (e.g. http for web browsing)
the data can be snooped on, or the web pages modified in a similar
manner to that reported.
2. If you are using a secure protocol (e.g. https) the web browser
only checks that the certificate matches the site, and that the
signature is trusted. If the PC is issued / maintained by the NHS, the
public key of a signing certificate controlled by the NHS (or at least
one of their security service providers) can be installed as trusted
when the PC is prepared or updated, although many people would simply
install the signing certificate the first time they access an NHS
service and are prompted to do so.

For clarity: I don't know that the NHS does any of these things, but
they are not terribly unusual on the networks of large commercial
organisations. They are usually justified as measures to assist
investigation of suspected leaking of company confidential
information. (Product designs, price lists, tender documents, etc...)

If your PC does not belong to the NHS and your Internet access does
not go through the NHS network then you are safe from these issues.
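
Added example, not part of the original message: a simplified Python model of the two browser checks described in point 2, with a baseline comparison that tells a genuine chain from one re-signed under a locally installed root. The host, certificate names and bytes are constructed, the helper names are hypothetical, and signature verification is modelled as issuer/subject name chaining with an exact host match.

```python
import hashlib
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # name the certificate was issued to
    issuer: str    # name of the certificate that signed it
    der: bytes     # encoded certificate; constructed placeholder bytes below

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


def system_root_fingerprints() -> set:
    """SHA-256 fingerprints of the roots Python's default TLS context has loaded."""
    ctx = ssl.create_default_context()
    return {hashlib.sha256(d).hexdigest() for d in ctx.get_ca_certs(binary_form=True)}


def browser_accepts(host, chain, trusted) -> bool:
    """Model of the two checks in the message: name matches, signer is trusted.
    Assumption: signatures are modelled as issuer/subject name chaining."""
    linked = all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
    return chain[0].subject == host and linked and chain[-1].fingerprint() in trusted


def audit(host, chain, trusted, baseline) -> str:
    """Classify a connection against root fingerprints recorded from a clean install."""
    if not browser_accepts(host, chain, trusted):
        return "rejected"
    return "baseline-root" if chain[-1].fingerprint() in baseline else "locally-added-root"


# Constructed sample data: names and bytes are placeholders, not real certificates.
PUBLIC_ROOT = Cert("Public Root CA", "Public Root CA", b"constructed-public-root")
ORG_ROOT = Cert("Org Inspection CA", "Org Inspection CA", b"constructed-org-root")
HOST = "mail.example.org"
GENUINE = [Cert(HOST, "Public Root CA", b"constructed-leaf-1"), PUBLIC_ROOT]
RESIGNED = [Cert(HOST, "Org Inspection CA", b"constructed-leaf-2"), ORG_ROOT]
BASELINE = {PUBLIC_ROOT.fingerprint()}
MANAGED_PC = BASELINE | {ORG_ROOT.fingerprint()}   # org root installed as trusted

if __name__ == "__main__":
    for label, chain in (("genuine", GENUINE), ("re-signed", RESIGNED)):
        print(label, browser_accepts(HOST, chain, MANAGED_PC),
              audit(HOST, chain, MANAGED_PC, BASELINE))
```

On a real machine, the output of `system_root_fingerprints()` recorded from a clean install can serve as the baseline set.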

