British government proposes enabling full-site HTTPS encryption on public service websites
2015-09-07
The Communications-Electronics Security Group (CESG), the information security agency of the UK Government Communications Headquarters, has issued a guide to deploying TLS on external service websites. It advises the servers of the relevant English public service websites to deploy SSL certificates, establish TLS-encrypted connections and secure data in transit.
Compared with the HTTPS-Only standard issued by the American government in June, this guide places more emphasis on the technical level. Although it sets no mandatory HTTPS deployment measures or timetables as America's standard does, CESG's move still reflects the UK government's expectations for protecting users' privacy and securing the information held on government websites. The guide advises public service departments to use HTTPS-encrypted connections and to offer their external service websites over HTTPS only, based on the security configuration recommendations given by Qualys, Google and Mozilla. It also suggests that websites obtain SSL certificates from a reliable CA, use Extended Validation (EV) certificates to increase users' confidence, and deploy TLS connections for email servers. In addition, the guide explains how to obtain a certificate from a CA and how to test a deployment.
Previously, the government's public service systems ran only within the LAN. As the digitization of government affairs has accelerated, these services have gradually moved online. Social security insurance systems, household registration systems, centers for disease control and prevention, hospitals and other external service websites hold large amounts of sensitive personal information, such as personal ID, insurance, financial, salary and household details, all of which are closely tied to citizens' privacy. However, appropriate security measures have not kept pace. At present, only a very small number of China's government websites have enabled HTTPS. Although it is the most basic security measure, the deployment rate of HTTPS encryption on our government websites is less than 10%. In April this year, the social security insurance information of millions of users from 30 provinces was leaked. This is only the tip of the iceberg, and it shows the potential risks facing government websites. Our government needs to follow the example of Europe and America and introduce policies that require external service websites to strengthen their security by enabling HTTPS encryption, thereby protecting citizens' private data and the websites' confidential information.
To prevent encrypted traffic from being monitored, and important national data that bears on people's livelihood from being leaked, government websites should not only enable full-site HTTPS but also choose independent, controllable domestic SSL certificates. We recommend that these websites deploy the highest security level, an EV SSL certificate, which displays the name of the organization in the green address bar. Permitted by the Ministry of Industry and Information Technology, WoSign CA is the only legal CA that can completely replace foreign SSL certificates. WoSign SSL certificates are perfectly compatible with all browsers, servers and mobile terminals issued after 1999, and their performance can completely replace that of SSL certificate products from abroad. At present, WoSign provides HTTPS encryption and SSL verification services for the Ministry of Industry and Information Technology, Beijing Seismological Bureau, State Administration of Taxation of Hubei Province, Shenzhen Social Insurance Administration, Shenzhen Housing Fund Management Center, Shenzhen Road Traffic Management Center, Fujian Economic Information Center and other governmental external service websites. We hope that more and more government websites will join the ranks of those using full-site HTTPS encryption.