61% of the world’s politicians have unsecured websites
1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)
Loading...

61% of the world’s politicians have unsecured websites

A new Comparitech study finds a staggering number of politicians still use HTTP

At this point, in 2019, there’s really no reason not to be using encryption on your website. HTTPS is practically mandatory, with most major browsers actively marking HTTP websites as “Not Secure.”

Apparently that hasn’t really moved the needle in the political sector as many had hoped. A new Comparitech study took a look at websites for politicians around the world and found that 60.75%, or a little more than three in every five, are not securing their connections.

So, let’s dive into the study a little bit and talk about why this is a problem.

Let’s hash it out.

Why HTTPS is important

61% of the world’s politicians have unsecured websites

If you read Hashed Out regularly, you can probably skip this section. But for the sake of being comprehensive, I’m going to cover this anyway.

The internet has more or less been built on the hypertext transfer protocol (HTTP) for the last twenty years. When HTTP was first conceived of, the fact that data was exchanged in plaintext really wasn’t an issue. The internet was much different then. People weren’t transacting on it, commercial activity was banned. It was primarily a network for government entities and academia to share information.

Obviously, the internet looks much different today. Not only has it become a hub for business of all kinds, the world has become more technically sophisticated. Whereas, in the early days of the internet, people that knew their way around a network were few and far between. And generally perceived of as nerds. Today, any kid with a free afternoon and YouTube can learn how to start hacking.

Those two things, the commercial growth of the internet and growing threats to network safety, made HTTP and the plaintext it transmits a vulnerability. It’s actually fairly easy to hack an unsecured device (honestly, have you ever changed the password on your router?) and eavesdrop on other people’s connections.

If that connection is made with HTTP, all of that data being exchanged is easily readable. Obviously, that wasn’t going to work so a solution was conceived of, using public key cryptography, the SSL/TLS protocols were created to facilitate a secure version of HTTP, called HTTPS. When a website is being served via HTTPS, it encrypts the data before transmitting it. This makes eavesdropping on the connection pointless as the only party that can read it is the one at the other end of the connection.

Originally, the conventional wisdom was that only parties transacting in sensitive data needed to use HTTPS. So, if you were running a blog or a brochure site it wasn’t necessarily a priority. That all changed in 2017 when Google and the other browser vendors pushed a joint initiative to mandate HTTPS across the entire web. By last Summer, that mandate had come into full effect and browsers began actively penalizing HTTP websites.

HTTPS is especially important in Politics

Keep in mind, just because a website uses HTTPS doesn’t necessarily mean it’s completely secure. There are plenty of other things you still have to worry about from a security standpoint. However, if a website DOESN’T use HTTPS it’s definitely unsecure.

And that’s the problem with politicians that serve their websites via HTTP. At best, for a politician to have an unsecured website is a bad look. At worst it’s downright negligent. If there’s any sector that should be securing communication, it’s government, of which politicians are a big part.

And with the concerted efforts by some countries to interfere in Western elections. One of the less advertised benefits of SSL/TLS and HTTPS connections is that they prevent third-party content injection. When an attacker is able to inject content they can make a website look or feel completely different from what’s intended. It wouldn’t be outside the realm of possibility for an attacker to inject offensive material or to misrepresent a candidate’s position, which hurts that candidate and affects the outcome of elections.

Something similar happened recently to the mayor of Tampa, who was hacked and and impersonated by an attacker that threatened Tampa International Airport among other high-profile targets. It happened just weeks before the Mayoral election. It caused major issues.

Granted, that was Twitter. But having content injected into a politician’s website could still create a very similar effect.

Now that we’ve got that covered, let’s look at the study.

More than a quarter of US politicians have unsecured websites

Before we get into the figures, let’s talk about methodology for a moment. For starters, this looks at national politicians. This doesn’t get down into state officials or local officials, which would likely skew the numbers even further towards HTTP. The US has 541 politicians just in its congress. Someone is going to correct me and say that it’s only 535 – that’s wrong. There are 535 VOTING members and six non-voting representatives. Anyway, my point is that getting into the various state legislatures and looking at local officials would’ve been a bit of a slog so this study only looks at politicians serving at a national level.

With that said, it’s not a good sign that a quarter of the individuals that are charged with US cybersecurity couldn’t even be bothered to secure their websites.

61% of the world’s politicians have unsecured websites

As you can see, neither of the major parties in the US has an edge in terms of securing their connections. The Independents are batting a thousand, but there are three of them total so that’s negligible.

61% of the world’s politicians have unsecured websites

Granted, these are mostly campaign websites, the US government provides websites for official business and those are secure. As they should be. In the past we’ve even advocated for adding the .gov to the HSTS list at the TLD level like Google did with .app and a few others. Still, this is not a good look. Here’s a list of US politicians rocking unsecured websites:

Politician Party
Senator Lamar Alexander Republican
Senator John Boozman Republican
Senator Catherine Cortez Masto Democrat
Senator Mike Crapo Republican
Senator Michael B. Enzi Republican
Senator Margaret Wood Hassan Democrat
Senator John Kennedy Republican
Senator James Lankford Republican
Senator Mitch McConnell Republican
Senator Pat Roberts Republican
Senator Richard C. Shelby Republican
Senator John Thune Republican
Senator Thom Tillis Republican
Senator Mark R. Warner Democrat
Senator Roger F. Wicker Republican
Mike Rogers Republican
Robert Aderholt Republican
Mo Brooks Republican
Terri A. Sewell Democrat
Don Young Republican
Amata Radewagen Republican
Tom O’Halleran Democrat
Raul Grijalva Democrat
Paul A. Gosar Republican
Debbie Lesko Republican
Greg Stanton Democrat
Doug LaMalfa Republican
Jared Huffman Democrat
Tom McClintock Republican
Doris O. Matsui Democrat
Mark DeSaulnier Democrat
Jackie Speier Democrat
Jim Costa Democrat
Anna G. Eshoo Democrat
Katie Hill Democrat
Judy Chu Democrat
Brad Sherman Democrat
Grace Napolitano Democrat
Ted Lieu Democrat
Lucille Roybal-Allard Democrat
Nanette Barragán Democrat
J. Luis Correa Democrat
Susan Davis Democrat
Ken Buck Republican
John B. Larson Democrat
Joe Courtney Democrat
Rosa L. DeLauro Democrat
John Rutherford Republican
Stephanie Murphy Democrat
Bill Posey Republican
Val Demings Democrat
Gus M. Bilirakis Republican
Ross Spano Republican
Francis Rooney Republican
Alcee L. Hastings Democrat
Ted Deutch Democrat
Frederica Wilson Democrat
Donna Shalala Democrat
Buddy Carter Republican
Austin Scott Republican
Jody Hice Republican
Barry Loudermilk Republican
David Scott Democrat
Mike Simpson Republican
Daniel Lipinski Democrat
Jesus Chuy Garcia Democrat
Jan Schakowsky Democrat
Bradley Schneider Democrat
Mike Bost Republican
Cheri Bustos Democrat
James Baird Republican
André Carson Democrat
Trey Hollingsworth Republican
Roger Marshall Republican
James Comer Republican
Thomas Massie Republican
Garret Graves Republican
Katherine Clark Democrat
Stephen F. Lynch Democrat
William Keating Democrat
Debbie Dingell Democrat
Brenda Lawrence Democrat
Collin C. Peterson Democrat
Trent Kelly Republican
Bennie G. Thompson Democrat
Jr. William “Lacy” Clay Democrat
Blaine Luetkemeyer Republican
Emanuel Cleaver Democrat
Sam Graves Republican
Adrian Smith Republican
Ann Kuster Democrat
Chris Smith Republican
Josh Gottheimer Democrat
Ben R. Lujan Democrat
Thomas Suozzi Democrat
Gregory W. Meeks Democrat
Hakeem Jeffries Democrat
Sean Patrick Maloney Democrat
G.K. Butterfield Democrat
Walter B. Jones Republican
Mark Walker Republican
Alma Adams Democrat
Brad Wenstrup Republican
Jim Jordan Republican
Bill Johnson Republican
Bob Gibbs Republican
Michael Turner Republican
Marcia L. Fudge Democrat
Frank Lucas Republican
Tom Cole Republican
Earl Blumenauer Democrat
Kurt Schrader Democrat
Glenn W. Thompson Republican
Tom Marino Republican
Lloyd Smucker Republican
Matt Cartwright Democrat
Jeff Duncan Republican
Tom Rice Republican
Phil Roe Republican
Steve Cohen Democrat
Lance Gooden Republican
Kevin Brady Republican
Kay Granger Republican
Vicente Gonzalez Democrat
Sheila Lee Jackson Democrat
Jodey Arrington Republican
Joaquin Castro Democrat
Kenny Marchant Republican
Sylvia Garcia Democrat
Filemon Vela Democrat
Brian Babin Republican
Chris Stewart Republican
Robert C. Scott Democrat
Denver Riggleman Republican
Don Beyer Democrat
Jennifer Wexton Democrat
Cathy McMorris Rodgers Republican
Derek Kilmer Democrat
Adam Smith Democrat
Ron Kind Democrat
Sean P. Duffy Republican
Mike Gallagher Republican
Jerry Brown Democrat
David Ige Democrat
Eric Holcomb Republican
John Bel Edwards Democrat
Paul LePage Republican
Mary Fallin Republican
Gary Herbert Republican
Michelle Lujan Grisham Democrat
Ricardo Rosselló Democrat
Robin Kelly Democrat

I was tempted to provide the links but our SEO threatened to push me off the roof so if you want to see for yourself you’re going to have to resort to Google.

RELATED: 25% of US government websites still aren’t using HTTPS

What’s going on in Canada?!

Did we forget to tell Canada about SSL? A little more than 86% of Canadian politicians have unsecure websites. That’s fourth worst in the entire study. Not something our neighbors to the North are going to be proud of. This is the digital equivalent of the urban myth that Canadians don’t lock their doors.

Of the 320 websites surveyed, a whopping 276 were unsecured, with the most secure party being the conservatives, who still have more than two out of three sites using HTTP.

61% of the world’s politicians have unsecured websites

This is made more alarming by the fact that Canada is holding an election in October of this year, so these campaign sites are likely seeing an uptick in traffic that isn’t connecting securely. Not good.

RELATED: ITPIN mandates HTTPS, HSTS for all Canadian government sites

Et tu, South Korea?

By and far South Korea, has the most unsecured websites. 92% of all its politicians’ sites are using unsecure HTTP. While its number of politicians that even have websites is substantially smaller than some of the other countries that were surveyed, South Korea finds itself in a very unique situation:

The Korean War never ended. It’s been going on for 69 years, since 1950. There was an armistice that halted most of the hostilities, but the war never ended and South Korea’s neighbor to the North has a fairly sophisticated cyber warfare apparatus that is known to be quite active. Given the nature of the relationship, it’s safe to say that a good portion of North Korea’s cyber campaigns are conducted against South Korea and its western allies – whom the DPRK view as adversaries.

That would seem to make it even more of a priority to secure everything – every website, every server. Because the DPRK is actively probing. Apparently, that’s not a priority though.

61% of the world’s politicians have unsecured websites

There’s also a substantial number of South Korean politicians with no website at all. Kind of surprising in 2019, though that is one approach to security. Just stay off the internet.

Indian Politicians overwhelmingly don’t have websites

Another one of the interesting takeaways from this study is the staggering number of Indian politicians that don’t have any website at all. Of the 887 Indian politicians surveyed, 670 had no website at all. And the politicians that do have websites, aren’t securing them with SSL/TLS certificates.

Just 16.13% of Indian politicians that have a website are serving it via HTTPS. Nearly 84% are not.

A quick glance at the rest of the world

Let’s finish up by looking at the rest of the world, starting with the world’s most secure politicians followed by the world’s least secure. And remember, as we said, just because a site is using HTTPS doesn’t necessarily mean it’s safe. There are other attack vectors. But not using SSL/TLS and HTTPS at this point in 2019 is inexcusable.

Here’s the top 5 countries in terms of secured politicians’ websites.

Country Percentage of Unsecured Sites
United States 26.22%
United Kingdom 30.65%
Germany 31.92%
Australia 37.44%
Denmark 41.30%

That’s about what you would expect. The US, UK and Australia are all part of the Five Eyes intelligence sharing service and have made substantial investments into securing their digital infrastructures. Obviously, politicians’ websites aren’t necessarily under that umbrella, but you would think politicians’ familiarity with those issues in their own country would help facilitate better security with their campaigns.

But then, Canada, which is also a Five Eyes member, kind of pokes a hole in that theory, with more than four out of every five of their politicians’ websites left unsecured.

Country Percentage of Unsecured Sites
South Korea 92.31%
Poland 91.16%
Hungary 90.91%
Canada 86.25%
Malta 86.21%

Finally, here’s a breakdown of the countries surveyed, there’s a table below or, if you’re feeling visual here it is on a map:

61% of the world’s politicians have unsecured websites
Country # of politicians # of websites % of politicians with websites No. of politicians’ websites without HTTPS % of politicians’ websites without HTTPS
Argentina 330 114 35 83 72.81%
Australia 227 211 93 79 37.44%
Austria 286 105 37 62 59.05%
Belgium 200 150 75 85 56.67%
Brazil 608 316 52 237 75.00%
Canada 329 320 97 276 86.25%
Colombia 294 99 34 76 76.77%
Czech Republic 288 157 55 123 78.34%
Denmark 191 92 48 38 41.30%
Estonia 117 31 26 19 61.29%
Finland 201 189 94 133 70.37%
France 927 578 62 268 46.37%
Germany 696 639 92 204 31.92%
Greece 348 158 45 112 70.89%
Hungary 209 99 47 90 90.91%
India 887 217 24 182 83.87%
Indonesia 766 149 19 105 70.47%
Ireland 193 94 49 69 73.40%
Italy 363 313 86 233 74.44%
Japan 839 824 98 597 72.45%
Lithuania 154 38 25 32 84.21%
Luxembourg 78 20 26 14 70.00%
Malaysia 341 85 25 59 69.41%
Malta 79 29 37 25 86.21%
Netherlands 236 40 17 19 47.50%
Nigeria 490 69 14 49 71.01%
Peru 149 34 23 26 76.47%
Philippines 334 44 13 30 68.18%
Poland 619 441 71 402 91.16%
Romania 489 91 19 63 69.23%
Slovakia 164 36 22 27 75.00%
South Korea 316 104 33 96 92.31%
Spain 195 138 71 90 65.22%
Sweden 378 111 29 51 45.95%
Turkey 379 251 66 210 83.67%
UK 656 620 95 190 30.65%
US 595 573 96 150 26.22%
Total 13951 7579 54.33% 4604 60.75%

It goes without saying that every website needs to be using HTTPS in 2019. Especially if you’re running a political campaign. Even if you’re not collecting any data and your campaign is just hosting a brochure site – you still need an SSL/TLS certificate. If just for the threat of third-party content injection.

We, as an industry, do a very poor job of discussing content injection, but in this context it’s exceedingly dangerous.

More to the point, if there’s a politician representing you and they don’t have an SSL/TLS certificate on their site – or it’s not configured properly, as is the case with Argentina’s Legislative Directory website, which doesn’t force HTTPSyou need to contact them about it. There’s no excuse for not securing your website.

Especially if you’re asking other people to entrust you to represent them on life-or-death issues.

“How can expect you to secure our borders when you can’t even secure your own website?”

That’s not a question any politician wants asked.

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.
Be the first to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Captcha *

Author

Patrick Nohe

Hashed Out's Editor-in-Chief started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. He also designs the visuals for Hashed Out and serves as the Content Manager for The SSL Store™.