46% of federal websites still not compliant with the Department of Homeland Security's directive
The latest report from Pulse, a project of the General Services Administration, shows that only 54% of federal websites met the deadline to enhance website security.
In October 2017, the Department of Homeland Security (DHS) issued a binding operational directive requiring federal agencies to make security improvements to their public websites. Its primary requirement was to migrate those sites from insecure HTTP to encrypted HTTPS within three months, which means obtaining SSL/TLS certificates, configuring the web servers to use them, and redirecting plain-HTTP requests to HTTPS. Unfortunately, almost 30% of federal websites failed to do so in time.
A similar directive was issued during the Obama administration, with a deadline of January 2017; around 70 percent of the sites covered by it met that deadline. However, the two directives cover different sets of agencies, so a direct comparison would be unfair.
Now you might be wondering why there’s so much fuss about this HTTPS thing. Well, whether you think it’s a “fuss” or not, it’s totally justified.
It’s no secret that HTTPS is the backbone of web security. It’s the protocol that encrypts and authenticates the connection between a website and a web browser, so that no malicious third party sitting on the network path can read or tamper with the data in transit. An attacker in that position is carrying out a Man-in-the-Middle attack, and 30% of government websites are still susceptible to it.
Still think it’s a “fuss?” I didn’t think so.
Another key requirement of the DHS directive is the use of HSTS (HTTP Strict Transport Security). Put simply, HSTS is a response header that tells a browser to make only HTTPS connections to that domain for a stated period (the max-age), which protects against downgrade attacks such as SSL stripping, where an attacker keeps a victim on plain HTTP even though the site supports HTTPS. One caveat: browsers only honour the header when it arrives over HTTPS, so a site that doesn’t also redirect HTTP to HTTPS (or get itself onto the browser preload list) still leaves first-time visitors exposed. Here too, government websites fall well short of expectations: almost 40% of the government’s domains haven’t implemented HSTS yet. As a result, some of these websites remain at risk even though they have installed an SSL certificate and migrated to HTTPS.
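To make the HTTPS and HSTS checks above concrete, here is an added example (not code from the original post, and not Pulse’s own scanner) that classifies a domain’s posture the way such a dashboard does: does it serve HTTPS, does it redirect plain HTTP to HTTPS, does it send a valid HSTS header, is the max-age at least a year, and is it ready for the browser preload list. The domain names and HTTP responses are constructed for the example, and the one-year max-age floor is an assumption taken from the hstspreload.org submission requirements rather than from the directive text quoted on this page.

```python
"""Offline HTTPS/HSTS posture checker (hypothetical example).

The responses below are constructed; they are not scans of real .gov hosts.
"""
import re
from dataclasses import dataclass, field

# Assumption: one year is the max-age floor hstspreload.org requires for
# preload submission, and a common "strong HSTS" threshold in scanners.
ONE_YEAR = 31536000


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus headers."""
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns a dict with max_age / include_subdomains / preload, or None when
    the header is missing or malformed (RFC 6797 makes max-age mandatory and
    browsers ignore a header they cannot parse).
    """
    if value is None:
        return None
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None  # non-numeric max-age: header is invalid
            out["max_age"] = int(arg)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    if out["max_age"] is None:
        return None
    return out


def assess(http_resp, https_resp):
    """Classify one domain from its http:// and https:// responses.

    https_resp is None when the TLS connection failed (no HTTPS at all).
    """
    result = {"uses_https": False, "enforces_https": False,
              "hsts": False, "hsts_strong": False, "preload_ready": False}
    if https_resp is None or https_resp.status >= 400:
        return result
    result["uses_https"] = True

    # "Enforces" means plain HTTP is redirected to an https:// URL.
    location = http_resp.header("Location") if http_resp else None
    if (http_resp and 300 <= http_resp.status < 400
            and location and location.lower().startswith("https://")):
        result["enforces_https"] = True

    # HSTS is only meaningful on the HTTPS response; max-age=0 clears it.
    hsts = parse_hsts(https_resp.header("Strict-Transport-Security"))
    if hsts and hsts["max_age"] > 0:
        result["hsts"] = True
        result["hsts_strong"] = hsts["max_age"] >= ONE_YEAR
        result["preload_ready"] = (result["hsts_strong"]
                                   and result["enforces_https"]
                                   and hsts["include_subdomains"]
                                   and hsts["preload"])
    return result


# Constructed sample: three hypothetical domains at different stages.
SAMPLES = {
    # Plain HTTP only: the "30% unencrypted" case.
    "legacy.example.gov": (Response(200, {"Content-Type": "text/html"}), None),
    # HTTPS works, but HTTP is not redirected and HSTS lasts one hour.
    "partial.example.gov": (
        Response(200, {"Content-Type": "text/html"}),
        Response(200, {"Strict-Transport-Security": "max-age=3600"}),
    ),
    # Redirect plus a one-year, preload-ready HSTS policy.
    "compliant.example.gov": (
        Response(301, {"Location": "https://compliant.example.gov/"}),
        Response(200, {"Strict-Transport-Security":
                       "max-age=31536000; includeSubDomains; preload"}),
    ),
}


def summarize(samples=SAMPLES):
    """Run assess() over every sample domain and return the verdicts."""
    return {name: assess(http, https) for name, (http, https) in samples.items()}


if __name__ == "__main__":
    for name, verdict in summarize().items():
        print(name, verdict)
```

The middle case is the one the HSTS paragraph warns about: the certificate is installed and the header is present, but a visitor who types the bare domain gets an unredirected HTTP page and never sees the policy, and even a visitor who reached HTTPS only keeps the protection for an hour. Only the third domain would count as enforcing HTTPS with strong HSTS.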
The Silver Lining
I won’t (and can’t) blame you if you’re feeling pessimistic after reading these numbers. However, as they say, ‘every cloud has a silver lining.’ Over these three months, the number of HTTPS-enabled federal websites has almost doubled, which is a solid improvement. And with Google’s Chrome set to start labelling plain-HTTP pages as ‘Not secure’ from March, the rate of adoption should continue to grow.
What we Hashed Out
- 46% of federal websites are still not compliant with the DHS directive
- 30% of federal websites are still unencrypted (plain HTTP, not HTTPS)
- Of the sites that do use HTTPS, around 17% still support deprecated, insecure protocol versions
- 40% of the sites haven’t implemented HSTS