UPDATE: Approximately 3 months after highlighting this issue on social media, over 50% of the affected websites started to use HTTPS.
Recently (May 21, 2018), as part of my research for an upcoming realistic cyber security report on Jamaica, I realised that all 14 websites of the Jamaican government ministries do NOT use HTTPS, plus two entities that are not considered ministries. This discovery was based on the 16 entities listed on the contact page of the official GOJ main website (link at bottom). In at least one instance a normal user is expected to log in to the front end of the site (http://data.gov.jm/user/login). When you use a site that requires you to log in, you should see https://example.com in the top left of your browser's address bar without any errors, just as when you use internet banking. For those who don't know why they should be using HTTPS on their whole website instead of HTTP, here is why:
- Anyone who logs into a website, whether an administrator or a regular user, is setting themselves up to lose their full login details to anyone who is passively capturing (listening to) traffic on the network, because those details are sent from the browser to the website's server without encryption (in plain text).
- HTTPS helps to protect the confidentiality of a website. HTTPS encrypts the traffic between your browser and the website so that intruders cannot read or tamper with the communication.
- HTTPS helps protect the privacy and security of users. It prevents attackers from passively listening (sniffing traffic) between a user and the website(s) they are using.
- HTTPS helps to verify the identity of the website you are using, and because of that it helps to stop a Man in the Middle (MITM) attack from going unnoticed. A simple example of MITM is an attacker inserting themselves into the communication between your browser and a website to intercept sensitive data (extract what they want) and then pass it on to either you or the server as if nothing bad were happening.
- HTTPS is the future of the web. The web is moving with a security-first position, and this is a basic requirement.
This is a very big issue, not because of the lack of HTTPS alone, but because if HTTPS has not been implemented on all 14 primary websites, just imagine the other security controls that were ignored or overlooked. This is made worse because it makes it harder for people to take the government seriously about the importance of cyber security and protecting people's data. With the push to implement NIDS, a National Identification System, seeing practices like this will only fuel more doubt among citizens (myself included).
I would suggest that citizens don't log into any of these websites (where relevant) until this issue is fixed, because you are setting yourself up to easily lose your login details to an attacker. If anyone says you have nothing to worry about and should just overlook this issue, don't believe it, even if you're an administrator for one of those sites.
Whatever the reason for this gap, it can't be money, because SSL certificates (for HTTPS) can be installed for free and in other cases cost about J$8,960 (US$70 at an exchange rate of 128).
Many other concerns come to mind when I think about this finding such as:
- Is the government even using a web app firewall to filter malicious traffic?
- Have they hardened their websites and web server configurations?
- Do they have people with security-related experience and qualifications working for them?
- Do they follow through on security issues that are reported whether from public or private sources?
How we can fix this HTTPS issue and set a good example afterwards:
- Lead by example and implement good security controls.
- Buy SSL certificates that cover each domain and any subdomains
- Disallow weak SSL ciphers
- Reduce the lengthy periods taken to implement changes and be more open to public support
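To make the check behind this post repeatable, here is an added example (my own code, not from this post or from any GOJ site) that classifies each site along the lines of the reasons and fixes listed above: plain HTTP with a login form is the worst case, an HTTP-to-HTTPS redirect is acceptable, and HTTPS without a Strict-Transport-Security header is flagged as weak (HSTS is an extra check I am assuming here; the post does not mention it). The responses are constructed fixtures so it runs offline, and every hostname except data.gov.jm is a placeholder.

```python
import re
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 307, 308}
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)

def has_password_field(html):
    """True if the page body contains a password input, i.e. a login form."""
    return bool(PASSWORD_FIELD.search(html))

def classify_site(url, status, headers, html=""):
    """Classify one fetched page (url, HTTP status, response headers, body)
    as ok / weak / redirects-to-https / insecure; returns (verdict, reasons)."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    reasons = []
    if urlsplit(url).scheme.lower() == "https":
        # Encrypted already; HSTS keeps a returning browser from ever trying HTTP.
        if "strict-transport-security" not in h:
            reasons.append("no HSTS header: a later visit can still start over HTTP")
        return ("weak" if reasons else "ok", reasons)
    # Plain HTTP is acceptable only if it immediately sends the browser to HTTPS.
    location = h.get("location", "")
    if status in REDIRECTS and location.lower().startswith("https://"):
        return ("redirects-to-https", reasons)
    reasons.append("served over plain HTTP" if status not in REDIRECTS
                   else f"redirects to a non-HTTPS location: {location or '<none>'}")
    if has_password_field(html):
        reasons.append("login form on HTTP: credentials are sent in plain text")
    return ("insecure", reasons)

def audit(responses):
    """Classify every (url, status, headers, html) tuple; returns {url: (verdict, reasons)}."""
    return {url: classify_site(url, s, hd, body) for url, s, hd, body in responses}

# Constructed sample responses (not real captures) so the script runs offline.
SAMPLE = [
    ("http://data.gov.jm/user/login", 200, {"Content-Type": "text/html"},
     '<form><input type="text" name="name"><input type="password" name="pass"></form>'),
    ("http://ministry-a.example/", 301, {"Location": "https://ministry-a.example/"}, ""),
    ("https://ministry-a.example/", 200, {"Strict-Transport-Security": "max-age=31536000"}, ""),
    ("https://ministry-b.example/", 200, {"Server": "nginx"}, ""),
]

if __name__ == "__main__":
    for url, (verdict, reasons) in audit(SAMPLE).items():
        print(f"{verdict:20} {url}  {'; '.join(reasons)}")
```

To audit live sites, replace SAMPLE with the status, headers and body returned by a real fetch of each URL on the contact page, requesting both the http:// and https:// forms.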
- Contact page with the link to all 14 Ministry websites + the other two(2) entities: https://www.gov.jm/contact-us
- Learn more about why HTTPS is good: https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https