Over the years, Spy Blog has, unfortunately, had to criticise the MI5 Security Service website for an unprofessional lack of security, seemingly every time the web site design has been revamped by c.f.

http://spyblog.org.uk/ssl/spyblog/mi5-email-subscriptions/

Here we go again:

To quote MI5 's own "Cyber" section of their website:

https://www.mi5.gov.uk/cyber

Hostile actors A wide range of hostile actorshttps://www.google.com/recaptcha/intro/index.html use cyber to target the UK. They include foreign states, criminals, "hacktivist" groups and terrorists. The resources and capabilities of such actors vary. Foreign states are generally equipped to conduct the most damaging cyber espionage and computer network attacks. Hostile actors conducting cyber espionage can target the government, military, business and individuals.



There are 4 sections of the MI5 Security Service website:

Corporate brochure, history, "what we do" , "what we don't do", some news e.g. recent terrorism case convictions, speeches by the Director General etc.. The infamous Terrorism Threat Level, which has mutated over the years into seperate categories for mainland UK, Northern Ireland and "international" i.e. muslim extremist terrorism.

N.B. there is no clear indication of what exactly the public is meant to do at each Threat Level. Should we "Be pure! Be vigilant! Behave!"

or Keep Calm and Carry On" ? Job vacancy and Careers information for people thinking about joining Mi5 Security Service. A confidential National Security tip off web form



Whilst the first two sections are important for the public image and reputation of MI5, the last two (Careers and Tip Off form) are of intense interest to our enemies.

Even the https:// only website does use a Digital Certificate with good Transport Layer Security configuration,

N.B. In common with GCHQ and MI6 there is no DNS entry for https://MI5.gov.uk i.e. without the "www."

This tends to confuse the dimmer "hackivists" who frequently claim that their "script kiddy" Denial of Service attacks have somehow magically succeeded in a "tango down" of a non-existent website URL.

Accessing the MI5 Security Service website may be illegal or dangerous if you are in e.g. the Middle East or Russia or China etc.

so, for obvious reasons, they claim to keep your communications with them confidential.

You may decide to use the increasingly popular Tor Browser to hide your originating IP address.

Why then does the MI5 website betray your web browser meta data to one and possibly two foreign companies based in the USA i.e. CloudFlare and Google reCaptcha ?

CloudFlare, whilst providing useful TLS and anti Denial of Service attack services, is under heavy criticism for forcing Tor users to fill in stupid Google reCapture puzzles #dontblocktorto proceed to a "protected" website.

This is a minor inconvenience for most people, but it is completely inappropriate for an intelligence agency website with sensitive recruitment and national security tip off form features.

https://p10.secure.hostingprod.com/@spyblog.org.uk/ssl/spyblog/images/MI5_reCaptcha/MI5_home_page_Captcha.jpg







Regardless of whether a visitor is using Tor or not, if they want to to contact MI5 with a national security related tip off, the Google reCaptcha is embedded in the the "secure" contact form!

https://www.mi5.gov.uk/contact-us

https://www.mi5.gov.uk/contact-us

i.e. there are image links which do not go to the local MI5 web server, or any web servers in the United Kingdom, but which are pulled from Google in California, USA

e.g. the Google reCaptcha refresh image (and all the street sign or river etc. reCapture image tiles)

https://www.gstatic.com/recaptcha/api2/refresh.png

This creates a web log entry or "Internet Connection Record" in the new Investigatory Powers Bill doublespeak, in a foreign country, regardless of whether you fill in the form or not.

If you are using e.g. Firefox without Tor and your IP address does not trigger Cloudflare, then you may be able to get to the non-Javascript MI5 web contact form

https://www.mi5.gov.uk/modal_forms/nojs/webform/363

but most people will have been tricked into handing over their meta data to these US companies and therefore to the US government (on demand), instead of just

sharing it with MI5 the Security Service in the United Kingdom