A new Comparitech study finds a staggering number of politicians still use HTTP
At this point, in 2019, there’s really no reason not to be using encryption on your website. HTTPS is practically mandatory, with most major browsers actively marking HTTP websites as “Not Secure.”
Apparently that hasn’t really moved the needle in the political sector as many had hoped. A new Comparitech study took a look at websites for politicians around the world and found that 60.75%, or a little more than three in every five, are not securing their connections.
So, let’s dive into the study a little bit and talk about why this is a problem.
Let’s hash it out.
Why HTTPS is important
If you read Hashed Out regularly, you can probably skip this section. But for the sake of being comprehensive, I’m going to cover this anyway.
The internet has more or less been built on the hypertext transfer protocol (HTTP) for the last twenty years. When HTTP was first conceived, the fact that data was exchanged in plaintext really wasn’t an issue. The internet was much different then. People weren’t transacting on it; commercial activity was banned. It was primarily a network for government entities and academia to share information.
Obviously, the internet looks much different today. Not only has it become a hub for business of all kinds, the world has also become more technically sophisticated. In the early days of the internet, people that knew their way around a network were few and far between, and generally perceived as nerds. Today, any kid with a free afternoon and YouTube can learn how to start hacking.
Those two things, the commercial growth of the internet and growing threats to network safety, made HTTP and the plaintext it transmits a vulnerability. It’s actually fairly easy to hack an unsecured device (honestly, have you ever changed the password on your router?) and eavesdrop on other people’s connections.
If that connection is made with HTTP, all of the data being exchanged is easily readable. Obviously, that wasn’t going to work, so a solution was conceived: using public key cryptography, the SSL/TLS protocols were created to facilitate a secure version of HTTP, called HTTPS. When a website is served via HTTPS, the data is encrypted before it is transmitted. This makes eavesdropping on the connection pointless, as the only party that can read it is the one at the other end of the connection.
Originally, the conventional wisdom was that only parties transacting in sensitive data needed to use HTTPS. So, if you were running a blog or a brochure site it wasn’t necessarily a priority. That all changed in 2017 when Google and the other browser vendors pushed a joint initiative to mandate HTTPS across the entire web. By last summer, that mandate had come into full effect and browsers began actively penalizing HTTP websites.
HTTPS is especially important in Politics
Keep in mind, just because a website uses HTTPS doesn’t necessarily mean it’s completely secure. There are plenty of other things you still have to worry about from a security standpoint. However, if a website DOESN’T use HTTPS it’s definitely unsecure.
And that’s the problem with politicians that serve their websites via HTTP. At best, for a politician to have an unsecured website is a bad look. At worst it’s downright negligent. If there’s any sector that should be securing communication, it’s government, of which politicians are a big part.
That matters all the more given the concerted efforts by some countries to interfere in Western elections. One of the less advertised benefits of SSL/TLS and HTTPS connections is that they prevent third-party content injection. When an attacker is able to inject content, they can make a website look or feel completely different from what’s intended. It wouldn’t be outside the realm of possibility for an attacker to inject offensive material or to misrepresent a candidate’s position, which hurts that candidate and affects the outcome of elections.
Something similar happened recently to the mayor of Tampa, who was hacked and impersonated by an attacker that threatened Tampa International Airport among other high-profile targets. It happened just weeks before the mayoral election. It caused major issues.
Granted, that was Twitter. But having content injected into a politician’s website could still create a very similar effect.
Now that we’ve got that covered, let’s look at the study.
More than a quarter of US politicians have unsecured websites
Before we get into the figures, let’s talk about methodology for a moment. For starters, this looks at national politicians. This doesn’t get down into state officials or local officials, which would likely skew the numbers even further towards HTTP. The US has 541 politicians just in its congress. Someone is going to correct me and say that it’s only 535 – that’s wrong. There are 535 VOTING members and six non-voting representatives. Anyway, my point is that getting into the various state legislatures and looking at local officials would’ve been a bit of a slog so this study only looks at politicians serving at a national level.
With that said, it’s not a good sign that a quarter of the individuals that are charged with US cybersecurity couldn’t even be bothered to secure their websites.
As you can see, neither of the major parties in the US has an edge in terms of securing their connections. The Independents are batting a thousand, but there are three of them total so that’s negligible.
Granted, these are mostly campaign websites; the US government provides websites for official business and those are secure. As they should be. In the past we’ve even advocated for adding .gov to the HSTS list at the TLD level like Google did with .app and a few others. Still, this is not a good look. Here’s a list of US politicians rocking unsecured websites:
|Senator Lamar Alexander||Republican|
|Senator John Boozman||Republican|
|Senator Catherine Cortez Masto||Democrat|
|Senator Mike Crapo||Republican|
|Senator Michael B. Enzi||Republican|
|Senator Margaret Wood Hassan||Democrat|
|Senator John Kennedy||Republican|
|Senator James Lankford||Republican|
|Senator Mitch McConnell||Republican|
|Senator Pat Roberts||Republican|
|Senator Richard C. Shelby||Republican|
|Senator John Thune||Republican|
|Senator Thom Tillis||Republican|
|Senator Mark R. Warner||Democrat|
|Senator Roger F. Wicker||Republican|
|Terri A. Sewell||Democrat|
|Paul A. Gosar||Republican|
|Doris O. Matsui||Democrat|
|Anna G. Eshoo||Democrat|
|J. Luis Correa||Democrat|
|John B. Larson||Democrat|
|Rosa L. DeLauro||Democrat|
|Gus M. Bilirakis||Republican|
|Alcee L. Hastings||Democrat|
|Jesus Chuy Garcia||Democrat|
|Stephen F. Lynch||Democrat|
|Collin C. Peterson||Democrat|
|Bennie G. Thompson||Democrat|
|Jr. William “Lacy” Clay||Democrat|
|Ben R. Lujan||Democrat|
|Gregory W. Meeks||Democrat|
|Sean Patrick Maloney||Democrat|
|Walter B. Jones||Republican|
|Marcia L. Fudge||Democrat|
|Glenn W. Thompson||Republican|
|Sheila Lee Jackson||Democrat|
|Robert C. Scott||Democrat|
|Cathy McMorris Rodgers||Republican|
|Sean P. Duffy||Republican|
|John Bel Edwards||Democrat|
|Michelle Lujan Grisham||Democrat|
I was tempted to provide the links but our SEO threatened to push me off the roof so if you want to see for yourself you’re going to have to resort to Google.
What’s going on in Canada?!
Did we forget to tell Canada about SSL? A little more than 86% of Canadian politicians have unsecure websites. That’s fourth worst in the entire study. Not something our neighbors to the North are going to be proud of. This is the digital equivalent of the urban myth that Canadians don’t lock their doors.
Of the 320 websites surveyed, a whopping 276 were unsecured, with the most secure party being the conservatives, who still have more than two out of three sites using HTTP.
This is made more alarming by the fact that Canada is holding an election in October of this year, so these campaign sites are likely seeing an uptick in traffic that isn’t connecting securely. Not good.
Et tu, South Korea?
By far, South Korea has the most unsecured websites. 92% of all its politicians’ sites are using unsecure HTTP. While its number of politicians that even have websites is substantially smaller than some of the other countries that were surveyed, South Korea finds itself in a very unique situation:
The Korean War never ended. It’s been going on for 69 years, since 1950. There was an armistice that halted most of the hostilities, but the war never ended and South Korea’s neighbor to the North has a fairly sophisticated cyber warfare apparatus that is known to be quite active. Given the nature of the relationship, it’s safe to say that a good portion of North Korea’s cyber campaigns are conducted against South Korea and its western allies – whom the DPRK views as adversaries.
That would seem to make it even more of a priority to secure everything – every website, every server. Because the DPRK is actively probing. Apparently, that’s not a priority though.
There’s also a substantial number of South Korean politicians with no website at all. Kind of surprising in 2019, though that is one approach to security. Just stay off the internet.
Indian Politicians overwhelmingly don’t have websites
Another one of the interesting takeaways from this study is the staggering number of Indian politicians that don’t have any website at all. Of the 887 Indian politicians surveyed, 670 had no website at all. And the politicians that do have websites aren’t securing them with SSL/TLS certificates.
Just 16.13% of Indian politicians that have a website are serving it via HTTPS. Nearly 84% are not.
A quick glance at the rest of the world
Let’s finish up by looking at the rest of the world, starting with the world’s most secure politicians followed by the world’s least secure. And remember, as we said, just because a site is using HTTPS doesn’t necessarily mean it’s safe. There are other attack vectors. But not using SSL/TLS and HTTPS at this point in 2019 is inexcusable.
Here are the top 5 countries in terms of secured politicians’ websites.
|Country||Percentage of Unsecured Sites|
That’s about what you would expect. The US, UK and Australia are all part of the Five Eyes intelligence sharing service and have made substantial investments into securing their digital infrastructures. Obviously, politicians’ websites aren’t necessarily under that umbrella, but you would think politicians’ familiarity with those issues in their own country would help facilitate better security with their campaigns.
But then, Canada, which is also a Five Eyes member, kind of pokes a hole in that theory, with more than four out of every five of their politicians’ websites left unsecured.
|Country||Percentage of Unsecured Sites|
Finally, here’s a breakdown of the countries surveyed. There’s a table below or, if you’re feeling visual, here it is on a map:
|Country||# of politicians||# of websites||% of politicians with websites||No. of politicians’ websites without HTTPS||% of politicians’ websites without HTTPS|
It goes without saying that every website needs to be using HTTPS in 2019. Especially if you’re running a political campaign. Even if you’re not collecting any data and your campaign is just hosting a brochure site – you still need an SSL/TLS certificate, if only because of the threat of third-party content injection.
We, as an industry, do a very poor job of discussing content injection, but in this context it’s exceedingly dangerous.
More to the point, if there’s a politician representing you and they don’t have an SSL/TLS certificate on their site – or it’s not configured properly, as is the case with Argentina’s Legislative Directory website, which doesn’t force HTTPS – you need to contact them about it. There’s no excuse for not securing your website.
Especially if you’re asking other people to entrust you to represent them on life-or-death issues.
“How can we expect you to secure our borders when you can’t even secure your own website?”
That’s not a question any politician wants asked.
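The difference between having a certificate and actually forcing HTTPS, mentioned above, can be checked mechanically. The following is an added example, not code from the Comparitech study or from this article; the verdict labels, the response-dict layout and the sample hostnames are assumptions made for illustration. It classifies a site from the responses captured on port 80 and port 443, including whether an HSTS header is set.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def header(resp, name):
    """Case-insensitive header lookup on a captured response dict."""
    return next((v for k, v in resp["headers"].items() if k.lower() == name), None)

def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, else 0."""
    for directive in (value or "").split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else 0
    return 0

def classify(http_resp, https_resp):
    """Each argument is a captured response dict, or None if the connection failed."""
    if https_resp is None:
        return "no-https"                      # no TLS endpoint at all
    if http_resp is not None:                  # port 80 answers: must redirect to https
        location = header(http_resp, "location") or ""
        if not (http_resp["status"] in REDIRECTS and urlsplit(location).scheme == "https"):
            return "https-not-forced"          # certificate present, plaintext still served
    if hsts_max_age(header(https_resp, "strict-transport-security")) > 0:
        return "https-forced-hsts"
    return "https-forced-no-hsts"

# Constructed captures: (response on port 80, response on port 443).
SAMPLES = {
    "plain.example": ({"status": 200, "headers": {}}, None),
    "both.example": ({"status": 200, "headers": {}}, {"status": 200, "headers": {}}),
    "relative.example": ({"status": 302, "headers": {"Location": "/home"}},
                         {"status": 200, "headers": {}}),
    "redirect.example": ({"status": 301, "headers": {"Location": "https://redirect.example/"}},
                         {"status": 200, "headers": {"Strict-Transport-Security": "max-age=0"}}),
    "strict.example": ({"status": 301, "headers": {"location": "https://strict.example/"}},
                       {"status": 200, "headers": {"strict-transport-security":
                                                   "max-age=31536000; includeSubDomains"}}),
}

def audit(samples=SAMPLES):
    return {host: classify(*pair) for host, pair in samples.items()}

if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host:18} {verdict}")
```

A site in the "https-not-forced" bucket still serves visitors who type the bare hostname over plaintext, which leaves the content-injection risk described earlier in place.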
As always, leave any comments or questions below…