Britain and US government websites require mandatory HTTPS encryption, which is worth to draw lessons from2016-07-14
Security regulations published by the Britain government asks all government websites to use HTTPS encrypted link from October 1st 2016. The US government has also published HTTPS-Only standards that required mandatory HTTPS of all government websites before the end of 2016. Why did Britain and the US government publish mandatory HTTPS policy one after another? How important is HTTPS encryption to government websites? What kind of enlightenment does it give to the application of HTTPS to our government websites?
The worrying situation of internet security leads to government of Britain and the US introducing HTTPS encryption policy
The situation of international internet security grows grimmer by the day with active underground black industry becoming mature. Government websites carry all kinds of private data of citizens and have become the primary target of hacker organizations. There have been several major events of government websites data leak being exposed in Britain and the US. The events of four million federal employees’ information leak from American OPM (Office of Personnel Management), 190 million American voters’ information leak and the recent British Department of Defense Forces’ internal data facing threat of being leaked are warning governmental institutions that their data is under unprecedentedly great threat.
Reasons for data leak involve with several different aspects, but the major reason lies on the basic protection problems such as unencrypted data and lack of security protocol. System will collapse at the first blow if there is lack of basic protection, no matter how expensive it is. Therefore, in June 2015, the US government published the HTTPS-Only standards, requiring public service websites of federal government to enable full-site HTTPS encryption link by the end of 2016. In September of the same year, the communications headquarters of British government published guidelines suggesting the use of HTTPS without setting a deadline. However, as the security events become even more frequent, the British government recently published the latest security guidelines to require all government websites to realize HTTPS encryption before October 2016, three months earlier than the US government.
Concrete measures of the HTTPS policy of Britain and US government
>>Principle of the US government enabling HTTPS-Only:
1) All newly-developed websites and services under the federal agency domain or subdomain must abide by the HTTPS-Only standard immediately;
2) Web server involved with personal identity information interaction, essentially sensitive web server or the ones that need high level encryption on communications should deploy HTTPS;
3) Federal agencies should realize the use of security links (HTTPS Only) to access to all existing websites and services;
4) Websites and systems of enterprises are encouraged to use HTTPS.
>> The British government has put forward more detailed requirements of enabling HTTPS links:
1) Use HTTPS encrypted links and set HSTS (HTTP Strict Transmission Security) protection as well
Enabling HSTS (HTTP Strict Transmission Security) protection can ensure browser always use HTTPS to connect website service and reduce the possibility of being attacked. The British government also plans to submit service.gov.uk to the HSTS pre-loading list of browser companies. In other words, all mainstream browsers can only access to government services using HTTPS.
2) Enable DMARC protocol to verify email
The British government also specified that DMARC protocol should be used to conduct email verification. DMARC strategy can ensure citizens won’t receive fake emails from swindlers. If this policy is not implemented on October 1st 2016, your email may be rejected by external email provider.
Current situation of HTTPS application in domestic government websites
At present, the security problems of domestic government websites are even more worrying. As the strategy of “Internet + government affairs” speeds up, most e-government affairs have migrated to the Internet. Online services are convenient and quick, but the security construction is beyond the agenda. Events of government websites being modified, Internet phishing fraud and sensitive data leak emerge in an endless stream. The major event of social insurance data from over 30 provinces being leaked in 2015 has caused public panic, which seriously affected the credibility of government websites.
As the basic security mechanism of website, HTTPS encryption is popularized widely under the mandatory promotion of British and US government. However, in our country, it is still not popularized. WoSign CA has analyzed 68029 government websites and the results show nearly 90% government websites haven’t deployed SSL certificate, 4% deployed insecure self-signed certificates, certificates of 5.6% websites has expired, only 1.7% of them have deployed valid SSL certificates.
How important is HTTPS encryption to government websites’ security?
HTTP is very insecure clear text transmission protocol which doesn’t provide data encryption in any form. Data transmitted through HTTP is in clear text and can be intercepted easily without attack. HTTP cannot verify the real identity of server. Users cannot detect when a request returned by server is modified. The defect of HTTP protocol is a major reason for all the security risks of government websites such as data leak, data modification and phishing fraud.
Using HTTPS encryption can make sure user data is transmitted encrypted. Meanwhile, the real identity of server will be verified to prevent from being modified. When there is information interaction, the security is guaranteed.
Chinese government websites need mandatory HTTPS encryption!
Internet security has become one of the important factors that affect national security and the development of other fields. In order to promote the strategy of “Internet + government affairs”, the construction of government website security is of great urgency. WoSign CA hopes our government can publish mandatory HTTPS policy to require government websites to enable full-site HTTPS and improve security protection upon citizens’ data privacy.
Based on years of experiences of internet security industry, WoSign CA (www.wosign.com) has the following suggestions to promote the security and credibility of government websites.
1) Mandatory HTTPS encryption protects data transmission security
Our government websites should realize HTTPS secure access to protect data transmission of citizen privacy (like personal data of the reporting individual, information of social insurance account, citizen archival information and different online service systems). Important public service platform should also gradually set HSTS protection to make sure users access to government services through HTTPS encrypted links.
2) Enable green address bar, make security visible
To contain fake government website, the plan of Party and government offices setting the unified identifications is not enough. Static icon is still easy to be modified or counterfeited. Government websites should introduce EV SSL certificate based on PKI technology and globally-trusted dynamic seal technology. Users can easily tell the real identity of the website through the striking green address bar and Chinese name of the organization. The EV dynamic certification seal generated in real time cannot be copied or modified.
3) Use domestic SSL certificate
To avoid the risk of foreign monitoring like the Prism event, government websites should not only enable full-site HTTPS but also choose domestic SSL certificate that is self-developed and controllable. SSL certificate of foreign brands should not be used in order to prevent traffic monitoring and data leak.
WoSign CA meets both Chinese standards and international standards
WoSign (www.wosign.com) is the largest self-owned brand certificate authority (CA) of China that has passed the international certification of WebTrust and gained the permit of the Ministry of Industry and Information Technology, meeting both Chinese standards and international standards. In Chinese SSL certificate market, WoSign ranks the top and leads foreign CA eight percentage points, making the first Chinese SSL certificate brand that surpassing foreign ones.
WoSign SSL certificate can be perfectly compatible with all browsers, servers and mobile terminals, realizing controllability of information security as well as good universal property at the same time. At present, WoSign CA is providing SSL certificate products and services for the Ministry of Industry and Information Technology, Taxation Bureau of Hubei Province, Fujian Provincial Government, Shenzhen housing fund management center, Shenzhen social insurance services and China Communication Institute, securing private data transmission in systems of government websites and accelerating the strategic development of “Internet + government affairs”.
Article source: WoSign CA
Please keep the original article address when reprint: http://www.wosign.com/English/News/cn-gov-https.html