Encryption Watch: Almost Half of US Federal Websites are Still Not Secure
46% of federal websites are still not compliant with the Homeland Security Department’s directive
The latest report by Pulse, a project of the General Services Administration, shows that only 54% of federal websites have met the deadline to enhance website security.
In October 2017, the Department of Homeland Security (DHS) issued an operational directive for government agencies to make security improvements to their sites. The primary requirement of this directive was to migrate their sites from insecure HTTP to encrypted HTTPS within three months by installing SSL/TLS certificates. Unfortunately, almost 30% of the agencies failed to do so in time.
A similar directive was issued in the Obama era as well. During the Obama administration, the agencies were given a deadline of January 2017, and around 70 percent of the sites met it. However, the agencies subject to each directive differ, so it would be unfair to compare the two results directly.
Now you might be wondering why there’s so much fuss about this HTTPS thing. Well, whether you think it’s a “fuss” or not, it’s totally justified.
It’s no secret that HTTPS is the spinal cord of web security. It’s the protocol that provides an encrypted connection between a website and a web browser, so that no malicious third party can sit in between and steal or tamper with the data. That interception is called a Man-in-the-Middle attack, and 30% of government websites are susceptible to it.
Still think it’s a “fuss?” I didn’t think so.
Another key requirement that DHS insists upon is the usage of HSTS (HTTP Strict Transport Security). Fundamentally speaking, HSTS forces web browsers to only make connections via secure HTTPS, which protects against downgrade attacks. Here too, government websites fall well short of expectations. Almost 40% of the government’s domains haven’t implemented HSTS yet. As a result, some of these websites might still be in danger, even if they have installed an SSL certificate and migrated to HTTPS.
The Silver Lining
I won’t (and can’t) blame you if you’re feeling pessimistic after reading these numbers. However, as they say, ‘every cloud has a silver lining.’ In this span of three months, the number of HTTPS-enabled websites has almost doubled. It’s fair to say that this is a solid improvement. And with Google planning to deprecate HTTP starting in March, the rate of adoption should continue to grow.
What we Hashed Out
- 46% of federal websites are still not compliant with the Homeland Security Department’s directive
- 30% of federal websites are unencrypted (non-HTTPS)
- Of the sites that are encrypted, around 17% still support deprecated, insecure protocols
- 40% of the sites haven’t implemented HSTS
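The three findings above (HTTPS availability, HSTS, deprecated protocols) are exactly the properties a compliance dashboard like Pulse has to evaluate for each domain. The script below is an added illustration, not code from the article, from Pulse, or from DHS: it takes an already-observed description of a site (whether HTTPS is served, whether HTTP redirects, the raw `Strict-Transport-Security` header, and the protocol versions the server offers) and produces a list of findings. The one-year `max-age` threshold, the `includeSubDomains` check, the deprecated-protocol list and the sample domains are all assumptions of the example, not quoted from the directive.

```python
"""Added example: audit a site's HTTPS/HSTS posture from an observed response.
Not from the original article, Pulse or DHS; thresholds are assumed."""
import re
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; assumed minimum for a meaningful HSTS max-age

# Assumed policy: protocol versions treated as deprecated/insecure.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


@dataclass
class SiteObservation:
    domain: str
    http_redirects_to_https: bool
    https_available: bool
    hsts_header: Optional[str]  # raw Strict-Transport-Security value, or None
    protocols_offered: set      # e.g. {"TLSv1.2", "TLSv1.3"}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.
    Returns a dict, or None if the header is missing or has no valid max-age
    (a browser ignores the header in that case)."""
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())
            if m:
                policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def audit(obs):
    """Return a list of findings; an empty list means the site passes every check."""
    findings = []
    if not obs.https_available:
        findings.append("no HTTPS: traffic is plaintext and open to interception/tampering")
        return findings  # nothing else is meaningful without HTTPS
    if not obs.http_redirects_to_https:
        findings.append("HTTP does not redirect to HTTPS: plain-HTTP visits stay unencrypted")
    policy = parse_hsts(obs.hsts_header)
    if policy is None:
        findings.append("no valid HSTS header: browser will still accept plain HTTP")
    else:
        if policy["max_age"] == 0:
            findings.append("HSTS max-age=0: policy is disabled")
        elif policy["max_age"] < ONE_YEAR:
            findings.append(f"HSTS max-age {policy['max_age']} is shorter than one year")
        if not policy["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains: subdomains are unprotected")
    deprecated = sorted(obs.protocols_offered & DEPRECATED_PROTOCOLS)
    if deprecated:
        findings.append("deprecated protocols offered: " + ", ".join(deprecated))
    return findings


def audit_all(observations):
    return {o.domain: audit(o) for o in observations}


# Constructed sample observations (invented domains, not real agency data).
SAMPLE = [
    SiteObservation("plain.example.gov", False, False, None, set()),
    SiteObservation("partial.example.gov", True, True, None, {"TLSv1.2", "TLSv1.0"}),
    SiteObservation("good.example.gov", True, True,
                    "max-age=31536000; includeSubDomains; preload",
                    {"TLSv1.2", "TLSv1.3"}),
]

if __name__ == "__main__":
    for domain, findings in audit_all(SAMPLE).items():
        print(f"{domain}: {'compliant' if not findings else 'NOT compliant'}")
        for f in findings:
            print("  -", f)
```

Two caveats worth keeping in mind when reading the output: a browser only honours `Strict-Transport-Security` when it arrives over HTTPS, so a site that serves the header on HTTP alone gains nothing, and the policy only protects a user after their first successful HTTPS visit unless the domain is on the preload list. That first-visit gap is why the redirect check and the HSTS check are reported separately above.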