UPDATE: Approximately 3 months after highlighting this issue on social media, over 50% of the affected websites started to use HTTPS.
Recently (May 21, 2018), as part of my research for an upcoming cyber security report on Jamaica, I realised that all 14 websites of the Jamaican government ministries do NOT use HTTPS, plus two (2) entities that are not considered ministries. This discovery was based on the 16 entities listed on the contact page of the official GOJ main website (link at bottom). In at least one instance a normal user is expected to log in to the front end of a site. When you use sites that require you to log in, you should see https://example.com at the left of the address bar in your browser (without any certificate errors), just as you do when you use internet banking websites. For those who don't know why HTTPS is important on the web, here is why:
- Anyone who logs into a website, whether an administrator or a regular user, is setting themselves up to lose their full login details to anyone who is passively capturing (aka listening to) traffic on the network, because those details are sent from the browser to the website's server without encryption (in plain text).
- HTTPS protects the confidentiality and integrity of a website's connection. It encrypts the traffic between your browser and the website so that intruders cannot read it, and it detects tampering, so the communication cannot be modified without the user or the web server noticing.
- HTTPS helps protect the privacy and security of users by preventing attackers from passively listening to (sniffing) the traffic between a user and the website(s) they are using.
- HTTPS helps to verify the identity of the website you are using, and because of that it helps to prevent a Man-in-the-Middle (MITM) attack from going unnoticed. A simple example of a MITM attack is an attacker inserting themselves into the communication between your browser and a website to intercept sensitive data (extracting what they want) and then passing it on to you or the server as if nothing bad were happening.
- HTTPS is the future of the web. The web is moving to a security-first position, and HTTPS is a basic requirement of that.
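The check described above (does the site answer over HTTPS with a valid certificate, does plain HTTP redirect to it, and does it send HSTS so browsers stop using HTTP on later visits) can be scripted for a whole list of sites. The following is an added example and not code from the original post: the hostnames and the responses in SAMPLE are constructed for the demonstration, and probe() is a live checker that needs network access and is not used by the offline run.

```python
"""Audit a list of web sites for HTTPS availability and enforcement.

Added example, not code from the original post. The hostnames and the
responses in SAMPLE are constructed for the demonstration; probe() does
a live check and needs network access.
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


@dataclass
class Observation:
    host: str
    https_ok: bool                # TLS handshake, certificate check and HTTP response all succeeded
    http_status: Optional[int]    # status of a plain-HTTP GET /; None if port 80 did not answer
    http_location: Optional[str]  # Location header from that plain-HTTP response
    hsts: Optional[str]           # Strict-Transport-Security header from the HTTPS response


def classify(obs: Observation) -> str:
    """Map one site's observations to a verdict a report can use."""
    if not obs.https_ok:
        return "NO_HTTPS"               # the situation the post describes
    if obs.http_status is None:
        redirected = True               # nothing is served in plain text at all
    else:
        redirected = (obs.http_status in REDIRECTS
                      and obs.http_location is not None
                      and urlsplit(obs.http_location).scheme == "https")
    if not redirected:
        return "HTTPS_NOT_ENFORCED"     # a login form can still be loaded over plain HTTP
    if obs.hsts and "max-age=" in obs.hsts.lower():
        return "HTTPS_ENFORCED_HSTS"    # browser refuses plain HTTP on later visits
    return "HTTPS_ENFORCED_NO_HSTS"     # first request of each visit still goes out in the clear


def audit(observations: List[Observation]) -> Dict[str, str]:
    """Verdict per host, in the order the observations were given."""
    return {o.host: classify(o) for o in observations}


def probe(host: str, timeout: float = 5.0) -> Observation:
    """Live check of one host (needs network; not used by the offline demo)."""
    https_ok, hsts = False, None
    try:
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                           context=ssl.create_default_context())
        conn.request("GET", "/")
        resp = conn.getresponse()
        https_ok, hsts = True, resp.getheader("Strict-Transport-Security")
        conn.close()
    except (OSError, http.client.HTTPException):   # OSError covers ssl.SSLError (bad certificate)
        pass
    http_status = http_location = None
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        http_status, http_location = resp.status, resp.getheader("Location")
        conn.close()
    except (OSError, http.client.HTTPException):
        pass
    return Observation(host, https_ok, http_status, http_location, hsts)


# Constructed observations standing in for probe() output; no real site is described.
SAMPLE = [
    Observation("ministry-a.example", False, 200, None, None),
    Observation("ministry-b.example", True, 200, None, None),
    Observation("ministry-c.example", True, 301, "https://ministry-c.example/", None),
    Observation("ministry-d.example", True, 301, "https://ministry-d.example/",
                "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host:24} {verdict}")
```

A site that answers over HTTPS but still serves its login page over plain HTTP ("HTTPS_NOT_ENFORCED") is only marginally better than one with no certificate at all, since users who type the bare hostname still submit credentials in the clear; the redirect plus HSTS is what closes that gap.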
This is concerning in itself, but the lack of HTTPS also suggests that worse issues may have been overlooked or ignored. Situations like this make it harder for people to take governments seriously about the importance of cyber security and of protecting people's data. With the push to implement NIDS, a National Identification System, seeing practices like this will only fuel more doubt among citizens (myself included).
Whatever the reason for this gap, it can't be money: SSL/TLS certificates (the thing that enables HTTPS on websites) can be installed for free, and in other cases cost about J$8,960 (US$70 at an exchange rate of 128).
Other concerns come to mind when I think about situations like this, such as:
- Are they using a web app firewall to filter malicious traffic?
- Have they hardened their websites and web server configurations?
- Do they have people with security-related experience and qualifications working for them?
- Do they follow through on security issues that are reported whether from public or private sources?
How we can fix this HTTPS issue and set a good example afterwards
- Lead by example and implement good security controls.
- Obtain SSL/TLS certificates (free or paid) that cover each domain and all of its subdomains
- Disable weak SSL/TLS protocol versions and cipher suites
- Reduce the lengthy periods taken to implement changes, and be more open to public support
- Learn more about why HTTPS is good: https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https
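Disallowing weak protocol versions and cipher suites is a configuration change on the web server, and it is worth verifying rather than assuming. The following is an added example, not code from the original post or from any government site: it builds a TLS server context with Python's standard ssl module, using a cipher string and a TLS 1.2 floor that are this example's own assumptions about a sensible baseline, and then inspects the resulting cipher list for anything a reviewer would flag. The same checks apply to whatever cipher string an nginx or Apache configuration uses, since those read the same OpenSSL syntax.

```python
"""Build a hardened TLS server context and verify its cipher list.

Added example (not from the original post). Standard library only; the
cipher string and minimum version are this example's assumed baseline.
"""
import ssl
from typing import Dict, List

# Assumed baseline: forward-secret ECDHE key exchange with AEAD ciphers only,
# explicitly excluding anonymous, MD5, RC4 and 3DES suites.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES"

# Substrings in a suite name that should never appear on a public web server.
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "PSK", "ADH", "AECDH")


def hardened_server_context() -> ssl.SSLContext:
    """Server context that refuses TLS < 1.2, compression, and weak ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION      # CRIME-style attacks need TLS compression
    # In production you would also load the certificate issued for the domain:
    # ctx.load_cert_chain("fullchain.pem", "privkey.pem")
    return ctx


def lax_server_context() -> ssl.SSLContext:
    """Comparison context: everything OpenSSL's 'ALL' cipher list permits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites that fail the baseline above."""
    flagged = []
    for c in ctx.get_ciphers():               # one dict per enabled suite
        name = c["name"]
        if (any(m in name for m in WEAK_MARKERS)
                or not c["aead"]              # CBC + HMAC suites: padding-oracle history
                or c["strength_bits"] < 128
                or c["protocol"] not in ("TLSv1.2", "TLSv1.3")):
            flagged.append(name)
    return flagged


def summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """What an auditor would record for one server configuration."""
    return {
        "min_version": ctx.minimum_version.name,
        "enabled": len(ctx.get_ciphers()),
        "weak": weak_ciphers(ctx),
    }


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("lax", lax_server_context())):
        s = summary(ctx)
        print(f"{label}: min {s['min_version']}, {s['enabled']} suites, "
              f"{len(s['weak'])} flagged")
        for name in s["weak"]:
            print("   ", name)
```

Running it prints an empty flagged list for the hardened context and, on a typical OpenSSL build, a list of CBC, non-forward-secret and PSK suites for the lax one. The exact contents of the lax list depend on the OpenSSL version the interpreter was built against, which is itself a point worth noting: the cipher string in a server configuration only means something relative to the library that interprets it.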