ITPIN: Government of Canada mandates HTTPS, HSTS
Effective June 27, 2018, all Canadian government websites should implement HTTPS for web connections
The Government of Canada has issued an Information Technology Policy Implementation Notice (ITPIN) directing all “departments” to implement Transport Layer Security (TLS) and migrate to HTTPS. The Notice is effective as of June 27th. Departments, agencies and organizations in the Canadian government that are not subject to the Policy on Management of Information Technology are advised to abide by the ITPIN as well.
Canadian departments are to implement safeguards that ensure their services are only offered via a secure connection. Specifically that means that all connections must:
- Be configured for HTTPS
- Have HSTS enabled
- Support TLS 1.2 or higher
- Not support SSL 2.0, SSL 3.0, TLS 1.0 or TLS 1.1
- Have weak ciphers such as RC4 and 3DES disabled
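The five points above, turned into a configuration audit. This is an added example, not code from the ITPIN, from any department, or from this article: two constructed nginx server blocks, one in the pre-2018 style and one that meets the checklist, plus a small Python checker that flags forbidden protocol versions, RC4/3DES cipher tokens and a missing or short HSTS header. The one-year `max-age` threshold is an assumption (the ITPIN sets no value; the figure is the minimum the browser HSTS preload list asks for), and the `expand_ciphers` helper uses the `ssl` module to show which suites the linked OpenSSL actually selects, since keyword lists such as `HIGH` differ between OpenSSL versions and a textual check alone cannot settle that.

```python
"""Audit nginx TLS server blocks against the ITPIN checklist (HTTPS, HSTS,
TLS 1.2+, no SSLv2/SSLv3/TLS 1.0/1.1, no RC4/3DES)."""
import re
import ssl

# Constructed sample configurations (not taken from any real department):
# a typical pre-2018 server block beside one that satisfies the checklist.
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'HIGH:RC4-SHA:DES-CBC3-SHA:!aNULL';
}
"""

GOOD_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!RC4:!3DES';
    ssl_prefer_server_ciphers on;
    # "always" makes nginx send the header on error responses as well
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3")
# Assumption: the ITPIN sets no max-age; one year is the browser preload list's minimum.
MIN_HSTS_MAX_AGE = 31536000


def directive(conf, name):
    """Return the argument string of a directive in the config, or None if absent."""
    m = re.search(r"^\s*%s\s+(.+?);\s*$" % re.escape(name), conf, re.M)
    return m.group(1).strip() if m else None


def parse_hsts(value):
    """Split an HSTS header value into {directive-name: value}; names lower-cased."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip()
    return out


def expand_ciphers(cipher_string):
    """Ask the linked OpenSSL which suites a cipher string really selects.

    Keyword lists such as HIGH differ between OpenSSL versions, so the textual
    audit below should be confirmed on the build that will actually serve traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def audit(conf):
    """Return a list of findings; an empty list means the block meets the checklist."""
    findings = []
    protocols = directive(conf, "ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols not set; the nginx default decides which versions are enabled")
    else:
        enabled = set(protocols.split())
        findings += [f"forbidden protocol enabled: {p}" for p in sorted(enabled & FORBIDDEN_PROTOCOLS)]
        if not enabled & {"TLSv1.2", "TLSv1.3"}:
            findings.append("TLS 1.2 or higher is not enabled")
    ciphers = directive(conf, "ssl_ciphers")
    if ciphers is not None:
        for token in ciphers.strip("'\"").split(":"):
            if token.startswith("!"):
                continue  # an exclusion such as !RC4 is the desired state
            if any(marker in token.upper() for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"weak cipher requested: {token}")
    header = directive(conf, "add_header Strict-Transport-Security")
    if header is None:
        findings.append("HSTS header not set")
    else:
        quoted = re.search(r'"([^"]*)"', header)
        hsts = parse_hsts(quoted.group(1) if quoted else header)
        max_age = int(hsts.get("max-age") or 0)
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(label, audit(conf) or "passes the checklist")
    print(expand_ciphers(directive(GOOD_CONF, "ssl_ciphers").strip("'\"")))
```

The audit is a review of what the file asks for, not of what the server negotiates: a tuned `ssl_ciphers` string is only as good as the OpenSSL it is expanded against, which is why the corrected block names its suites explicitly rather than relying on `HIGH`, and why a run of `expand_ciphers` (or `openssl ciphers -v`) on the production host, followed by an external scan of the live endpoint, should close the loop.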
If a department’s website involves the exchange of personal data then it should migrate as soon as possible. All other departments have until September 30, 2019.
Canadians must be confident that they are accessing a legitimate service and that their connections remain private and free from interference. By applying specific security standards that have been widely adopted in industry, departments can ensure the integrity and confidentiality of their communications with Canadians. This includes implementing the HTTPS protocol which provides a layer of protection by encrypting connections using Transport Layer Security (TLS). HTTPS, along with approved encryption algorithms, offers a level of security and privacy that users expect from Government of Canada web services. In addition, whilst using modern web browsers, a secure connection will always be initiated when HTTP Strict Transport Security (HSTS) is configured.
The ITPIN goes on to say that implementing HTTPS is only one aspect of securing a digital service, before offering additional security considerations:
- Deploy modern operating systems (OS) and applications that are maintained with supported, up-to-date, and tested versions of software.
- Actively manage software vulnerabilities, including fixing known vulnerabilities quickly following a timely patch maintenance policy for OS and applications, and taking other mitigating steps, where patches can’t be applied.
- Implement appropriate host-based protections to protect systems against both known and unknown malicious activity.
- Minimize available services and control connectivity by removing or disabling all non-essential ports and services as well as removing unnecessary accounts from systems.
- Enable system logging to improve the ability to detect and identify anomalous behaviours, perform system monitoring, and to assist with incident response and forensic analysis of compromised systems.
- Carefully control and manage privileges assigned to users and administrators. Provide a reasonable (but minimal) level of system privileges and rights needed for their role.
- Use strong authentication mechanisms (for example, multi-factor authentication) where possible to protect from unauthorized access.
- Design web services so that they are protected from common security vulnerabilities such as SQL injection and others described in widely-used publications such as the Open Web Application Security Project (OWASP) Top 10.