Adoption of HTTPS protocol on government service websites
Konark Modi Apr 19 '17
Last week, Freedom of the Press Foundation announced the project “secure the news” which tracks the adoption of HTTPS on news websites.
Inspired by it, we decided to do an analysis on Government of India digital services and track the adoption of HTTPS across them.
Digital India is a campaign launched by the Government of India to ensure that Government services are made available to citizens electronically by improving online infrastructure and by increasing Internet connectivity or by making the country digitally empowered in the field of technology.
Launched on 1 July 2015 by Prime Minister Narendra Modi, the initiative spans three core components:
The creation of digital infrastructure
Delivery of services digitally
As of this writing, the Digital India programme lists a total of 1995 services on its website, categorised as below:
While some of the services are information-centric (policy updates, etc.), a number of websites handle user information on an everyday basis, e.g. Air India, passport services, income tax services, citizenship and visas, online hospital appointments, etc.
From the list of services, we analysed 874 valid domains for adoption of the HTTPS protocol. Our findings are:
a. 31% have a valid HTTPS
b. Only 7.4% default to HTTPS
c. Less than 1.5% have HSTS enabled
d. Merely 2 sites are on the HSTS preloaded list
What does this mean?
While going digital is a great first step for the government towards transparency and accountability, the next steps ought to be towards privacy and security of user information and data protection. Actively adopting security measures will reduce the exposure of that data to theft, intrusion and other threats, whether the network it travels over is friendly or hostile. The primary, and also the simplest, step towards data protection and privacy is adopting the HTTPS protocol.
Prologue on HTTPS, or why it is important
An HTTPS connection is easily recognised by even the most novice Internet user by the lock icon it displays in the web browser’s address bar (the “S” in HTTPS means “secure”).
It signifies that the connection between you and the website you are reading is encrypted, so someone spying on your internet connection — whether a criminal trying to eavesdrop on you through public WiFi or a government that has access to raw Internet traffic — cannot see the information that you are transmitting.
A regular HTTP connection means that such attackers can potentially see the search terms or articles you are reading, spy on your username and password, or spoof a website to steal your personal information. Unencrypted HTTP traffic is also easier to filter and block, allowing for selective censorship of articles, subjects, specific reporters or outlets by authoritarian governments.
- Protects user’s sensitive information.
- Protects integrity of your website.
- It is the future of the web.
- 10 good reasons to switch to HTTPS
Rise of HSTS
HSTS (HTTP Strict Transport Security) is a relatively new standard that aims to bolster the strength of HTTPS connections.
When a web server implements and enables HSTS, every browser that has received its policy connects to it strictly via HTTPS. That closes the exploitable window in which a browser would first connect via HTTP and only then be redirected to HTTPS — except for the very first time the browser makes contact with the web server.
Major benefits of having a site on HSTS are the following:
- Defence against sslstrip-like attacks. The initial navigation to somewebsite.com is automatically upgraded to HTTPS.
- Zero tolerance for certificate problems. The user is not permitted to “click through” anything such as a self-signed certificate.
If you have a site-wide deployment of HTTPS, website owners can also apply for HSTS preloading as an additional layer of security. A detailed explanation of why HSTS preloading matters, especially for sites dealing with sensitive user data, can be found here.
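As an added example (not code from the original post or from the author's project), the following Python script shows how the four findings reported above (valid HTTPS, default to HTTPS, HSTS enabled, HSTS preloaded) and the preload requirements published by hstspreload.org (max-age of at least one year, includeSubDomains, preload, and an HTTP-to-HTTPS redirect) can be evaluated for a set of domains. The `Probe` records, the `.example` domains and their header values are constructed sample data, not measurements; `probe_live` gathers real observations with only the standard library, while classification and the summary run offline on captured results.

```python
"""Classify government-service domains by HTTPS/HSTS posture (hypothetical example)."""
from dataclasses import dataclass
from typing import Optional
import ssl
import urllib.error
import urllib.request

ONE_YEAR = 31536000  # seconds; minimum max-age required for preload submission


@dataclass
class Probe:
    """What one crawl of one domain observed (constructed here, or fetched by probe_live)."""
    domain: str
    https_ok: bool                 # TLS handshake and certificate validation succeeded
    http_location: Optional[str]   # Location header of the plain-HTTP response, if a redirect
    hsts_header: Optional[str]     # Strict-Transport-Security value seen over HTTPS
    on_preload_list: bool          # looked up in a snapshot of the browser preload list


def parse_hsts(value: Optional[str]) -> dict:
    """Parse a Strict-Transport-Security header into its directives.

    Returns {} when the header is absent or has no usable max-age (malformed policy).
    """
    if not value:
        return {}
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and arg.strip().strip('"').isdigit():
            out["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out if out["max_age"] is not None else {}


def defaults_to_https(p: Probe) -> bool:
    """'Default to HTTPS': plain HTTP redirects to an https:// URL on the same host."""
    if not p.https_ok or not p.http_location:
        return False
    loc = p.http_location.lower()
    return loc.startswith("https://") and p.domain.lower() in loc


def hsts_enabled(p: Probe) -> bool:
    """A policy with max-age=0 tells browsers to forget HSTS, so it does not count."""
    h = parse_hsts(p.hsts_header)
    return p.https_ok and bool(h) and h["max_age"] > 0


def preload_eligible(p: Probe) -> bool:
    """Preload-list requirements: HTTPS redirect, max-age >= 1 year, includeSubDomains, preload."""
    h = parse_hsts(p.hsts_header)
    return (defaults_to_https(p) and bool(h) and h["max_age"] >= ONE_YEAR
            and h["include_subdomains"] and h["preload"])


def summarise(probes: list) -> dict:
    """Percentages for the post's first three findings and a count for the fourth."""
    n = len(probes)

    def pct(k):
        return round(100.0 * k / n, 1) if n else 0.0

    return {
        "valid_https": pct(sum(p.https_ok for p in probes)),
        "default_https": pct(sum(defaults_to_https(p) for p in probes)),
        "hsts": pct(sum(hsts_enabled(p) for p in probes)),
        "preloaded": sum(p.on_preload_list for p in probes),
    }


def probe_live(domain: str, timeout: float = 10.0) -> Probe:
    """Fetch the observations over the network; preload-list membership is left False here."""
    https_ok, hsts = False, None
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    try:
        with urllib.request.urlopen(f"https://{domain}/", timeout=timeout, context=ctx) as r:
            https_ok, hsts = True, r.headers.get("Strict-Transport-Security")
    except OSError:  # URLError and SSLError are both OSError subclasses
        pass

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # do not follow: we want the first hop's Location header

    location = None
    try:
        urllib.request.build_opener(NoRedirect).open(f"http://{domain}/", timeout=timeout)
    except urllib.error.HTTPError as e:
        if 300 <= e.code < 400:
            location = e.headers.get("Location")
    except OSError:
        pass
    return Probe(domain, https_ok, location, hsts, on_preload_list=False)


SAMPLE_PROBES = [  # constructed sample data, not measured results
    Probe("alpha.example", True, "https://alpha.example/",
          "max-age=31536000; includeSubDomains; preload", True),
    Probe("bravo.example", True, "https://bravo.example/", "max-age=15768000", False),
    Probe("charlie.example", True, None, None, False),         # HTTPS works but is not the default
    Probe("delta.example", False, None, None, False),          # plain HTTP only
    Probe("echo.example", False, "http://www.echo.example/", None, False),
]

if __name__ == "__main__":
    print(summarise(SAMPLE_PROBES))
    print({p.domain: preload_eligible(p) for p in SAMPLE_PROBES})
```

Keeping `probe_live` separate from the classification functions means the crawl output can be stored and re-scored later (for instance when the preload-list snapshot or the eligibility thresholds change) without re-fetching every site.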
Resources and tips for deploying HTTPS by default
List of recommended resources to help you understand HTTPS and how to go about deploying it:
- Federal government adoption of HTTPS
- EFF — How to deploy HTTPS correctly
- Mozilla — Security/Guidelines/Web Security
- Ivan Ristic’s Bulletproof SSL and TLS
- Google Developer’s Blog — Enabling HTTPS on Your Servers
- Let’s Encrypt
Next steps and To-do’s
- This blog post is certainly the first step.
- We are currently working on making it a formal project, with automation to verify the adoption of HTTPS.
- Make all the codebase + data open and put it on Github.
- Create a more comprehensive list, based on services that the websites offer.
- Expand to other countries’ government services as well.
- Contribute rulesets to HTTPS Everywhere extension.