The Australian Bureau of Statistics has been forced to answer questions about the security of its online Census website after it was revealed to be using an insecure and deprecated form of encryption to protect the sensitive personal details of the nation’s citizens.
Tests of the strength of encryption used on the main Census website, first highlighted by security consultant and software engineer Ben Dechrai, reveal that the website still supports the SHA-1 hashing algorithm, which has long been considered insecure.
SHA-1 is the hash function used in the digital signature on a Secure Sockets Layer (SSL/TLS) certificate. That signature is what lets a browser confirm that the certificate was issued by a trusted authority and has not been altered since; if two different certificates can be made to hash to the same value, a signature issued for one is valid for the other.
All major web browser operators have said they will stop accepting SHA-1-based signatures by next January. Internet Explorer owner Microsoft recently said it would bring that date forward to September 2016 after research showed real-world ‘collision attacks’ could open the door to digital signature forgeries even before 2017.
The Australian Signals Directorate deprecated SHA-1 from its list of approved cryptographic algorithms in December 2011 after finding the risk of a successful attack on the platform was “higher than acceptable”. The US National Institute of Standards and Technology (NIST) has said SHA-1 should “not be trusted” past January 2014.
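What "supports SHA-1" means in practice is that the server can present a certificate whose signature was computed over a SHA-1 digest. The following is an added example, not code from the original article or from the ABS: a stdlib-only Python check that reads the signature algorithm out of a DER-encoded X.509 certificate and flags SHA-1. It decodes only the outer certificate structure (the tbsCertificate body is skipped, not parsed), the two sample certificates are constructed for the demonstration and are not real certificates, and `fetch_signature_algorithm` is a hypothetical helper that needs network access.

```python
"""Report the hash used in an X.509 certificate's signature, from its DER bytes (stdlib only)."""
import ssl  # only used by fetch_signature_algorithm for a live check

# OID -> (algorithm name, hash) for the signature algorithms a public web server realistically uses
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.3.14.3.2.29": ("sha1WithRSAEncryption (OIW)", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}


def read_tlv(buf, off):
    """Decode one DER tag-length-value at buf[off]; return (tag, value, offset after it)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def decode_oid(body):
    """Turn OID content octets into dotted form (the first octet packs the first two arcs)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return (dotted OID, name, hash) of the outer signatureAlgorithm of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate must be a SEQUENCE"
    _, _, off = read_tlv(cert, 0)                 # skip tbsCertificate
    tag, alg, _ = read_tlv(cert, off)             # AlgorithmIdentifier
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid_body, _ = read_tlv(alg, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    oid = decode_oid(oid_body)
    name, digest = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, digest


def uses_sha1(cert_der):
    return signature_algorithm(cert_der)[2] == "SHA-1"


def fetch_signature_algorithm(host, port=443):
    """Hypothetical live check (needs network): classify the leaf certificate a modern client is shown."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed sample certificates: not real, just enough DER to exercise the parser ---
def der(tag, body):
    """Minimal DER encoder (short and long length forms)."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def fake_cert(sig_oid, tbs_size=300):
    """Constructed: SEQUENCE { tbsCertificate (opaque filler), AlgorithmIdentifier, BIT STRING }."""
    tbs = der(0x30, b"\x00" * tbs_size)                                # long-form length, like a real one
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))   # OID + NULL parameters
    sig = der(0x03, b"\x00" + b"\x00" * 128)                           # unused-bits octet + filler
    return der(0x30, tbs + alg + sig)


SHA1_CERT = fake_cert("1.2.840.113549.1.1.5")      # constructed legacy certificate
SHA256_CERT = fake_cert("1.2.840.113549.1.1.11")   # constructed modern certificate

if __name__ == "__main__":
    for label, cert in (("legacy", SHA1_CERT), ("modern", SHA256_CERT)):
        print(label, signature_algorithm(cert), "SHA-1?", uses_sha1(cert))
```

Two caveats a tester needs. The live fetch shows only the certificate a modern client is handed, so a deployment that serves a SHA-2 certificate to new browsers and a SHA-1 one to old ones, the arrangement the ABS describes, looks clean unless the probe restricts itself to what an old client offers. And a SHA-1 self-signature on a root CA certificate is not a finding: roots are trusted by being in the browser's store, not by their signature, so only the leaf and intermediate signatures matter.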
Despite this, the ABS is still supporting SHA-1 to ensure those using older versions of web browsers are able to fill out the online form on Census night.
“As the overwhelming majority of browsers and operating systems are SHA-2 compliant, most people completing the Census will be secured using SHA-2,” a spokesperson said.
“However there are some older browsers and operating systems that only support SHA-1. To enable users with these older systems to complete their Census online, the online Census also supports older SHA-1.”
But users will still face the risk of a man-in-the-middle downgrade attack, which uses available backwards compatibility to force a computer to a lower and more vulnerable version of encryption, Dechrai said.
"[It] increases the likelihood of a user's data being intercepted," he said.
The security expert suggested a better approach was either to stick with the current paper forms or introduce a tiered model of online security.
“[They should make] the page where people click to start the Census less secure, so it works on older browsers, [then] do browser detection, and if the browser is too old, prompt them to upgrade, or order the paper form,” he said.
“Only supported browsers show the ‘Start’ button [which loads the submission form from a properly secured server].”
The ABS was also criticised for choosing not to implement perfect forward secrecy, which would protect past communications and sessions from compromise should attackers be able to access long-term secret keys.
The agency argued that perfect forward secrecy would disrupt its other security protections.
“As part of our total platform security for the online Census, we need to be able to detect and respond to any malicious traffic,” the spokesperson said.
“Implementing perfect forward secrecy would reduce the effectiveness of other security layers, and as such may compromise overall security.”
However, Dechrai said that while perfect forward secrecy could disrupt web application firewalls and intrusion detection systems, it was a “solvable problem”.
“Better architecture is a bit more complex, but doable,” he said.
“Given the sensitivity, I would hope the [government] would spend on security and scalability, not scrimp on security and avoid scalability.”
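The disagreement between the ABS and Dechrai turns on one mechanical fact: a passive inspection device (a WAF or IDS sitting beside the web tier) decrypts traffic by holding a copy of the server's long-term private key, and that only works when the session key was encrypted to that key, as in RSA key exchange. With ephemeral Diffie-Hellman the long-term key merely signs a per-session value, so the device sees nothing it can decrypt, which is also exactly the property that protects past sessions if the key is later stolen. The following is an added example, not code from the original article, the ABS or Dechrai: a toy Python model of both handshakes with textbook-sized numbers (nothing here is real TLS or secure) showing that a recorded transcript plus the long-term key yields the session key for RSA key exchange and yields nothing for DHE.

```python
"""Why forward secrecy defeats passive decryption: toy RSA key exchange vs ephemeral DH.

Constructed illustration with textbook-sized numbers; nothing here is secure or real TLS.
"""
import hashlib
import secrets

# Server's long-term RSA key (toy: p=61, q=53, n=3233). In TLS-RSA it decrypts the premaster
# secret; in DHE/ECDHE it only signs the ephemeral public value.
N, E, D = 3233, 17, 2753

# Toy Diffie-Hellman group: p = 2^31 - 1 (prime), g = 7 (a primitive root mod p).
P, G = 2**31 - 1, 7


def derive_key(shared_secret: int, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Stand-in for the TLS PRF: session key from the shared secret plus both nonces."""
    return hashlib.sha256(shared_secret.to_bytes(8, "big") + client_nonce + server_nonce).digest()


def rsa_sign(value: int) -> int:
    h = int.from_bytes(hashlib.sha256(value.to_bytes(8, "big")).digest(), "big") % N
    return pow(h, D, N)


def rsa_verify(value: int, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(value.to_bytes(8, "big")).digest(), "big") % N
    return pow(sig, E, N) == h


def handshake_rsa_kex():
    """TLS_RSA_*: the client encrypts the premaster secret to the server's long-term key."""
    cn, sn = secrets.token_bytes(8), secrets.token_bytes(8)
    premaster = secrets.randbelow(N - 2) + 2
    ciphertext = pow(premaster, E, N)                 # ClientKeyExchange, visible on the wire
    server_premaster = pow(ciphertext, D, N)          # server decrypts with its private key
    transcript = {"kex": "RSA", "client_nonce": cn, "server_nonce": sn, "enc_premaster": ciphertext}
    return derive_key(premaster, cn, sn), derive_key(server_premaster, cn, sn), transcript


def handshake_dhe():
    """TLS_DHE_RSA_*: fresh exponents per session; the long-term key only signs g^x."""
    cn, sn = secrets.token_bytes(8), secrets.token_bytes(8)
    x = secrets.randbelow(P - 3) + 2                  # server ephemeral, discarded after the session
    y = secrets.randbelow(P - 3) + 2                  # client ephemeral, likewise
    gx, gy = pow(G, x, P), pow(G, y, P)
    sig = rsa_sign(gx)                                # ServerKeyExchange signature
    assert rsa_verify(gx, sig)                        # client checks it against the certificate key
    shared_client, shared_server = pow(gx, y, P), pow(gy, x, P)
    transcript = {"kex": "DHE", "client_nonce": cn, "server_nonce": sn, "gx": gx, "gy": gy, "sig": sig}
    return derive_key(shared_client, cn, sn), derive_key(shared_server, cn, sn), transcript


def passive_decrypt(transcript, private_exponent=D):
    """An inspection device, or a later intruder, holding the server's long-term key and a
    recorded transcript. Returns the session key if it can be recovered from those alone."""
    if transcript["kex"] == "RSA":
        premaster = pow(transcript["enc_premaster"], private_exponent, N)
        return derive_key(premaster, transcript["client_nonce"], transcript["server_nonce"])
    # DHE: the long-term key only authenticated g^x. The session secret g^(xy) depends on
    # exponents that were never transmitted and no longer exist, so recovering it means
    # solving a discrete log in the group, which the key does not help with. (This toy group
    # is small enough to brute-force; a real one is 2048-bit or an elliptic curve.)
    assert rsa_verify(transcript["gx"], transcript["sig"])   # the key can confirm authenticity
    return None                                                # but cannot decrypt


if __name__ == "__main__":
    for handshake in (handshake_rsa_kex, handshake_dhe):
        client_key, server_key, transcript = handshake()
        recovered = passive_decrypt(transcript)
        print(transcript["kex"], "keys agree:", client_key == server_key,
              "passive decrypt:", "succeeds" if recovered == client_key else "fails")
```

This is the architectural point behind "solvable problem": with forward-secret cipher suites the inspection layer cannot sit passively off a span port with a key copy, so the TLS session has to terminate at a proxy that the WAF or IDS inspects in the clear before re-encrypting to the application tier. That is more work to build and scale, but it keeps both properties at once.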
The security issues carry even greater weight this year given it is the first time the ABS will keep and use all names and addresses collected under the Census for data linkage purposes.
Public concerns have been growing in the lead up to the August 9 national survey over the potential risks to individual privacy generated by the policy change.
Former ABS chief statistician Bill McLennan called it the “most significant invasion of privacy” ever perpetrated by the ABS. Privacy lobby group Electronic Frontiers Australia labelled it a “serious breach of trust”, and NSW Privacy Commissioner Elizabeth Coombs this week said she was “concerned” about the risks.
Concerned citizens have taken to Twitter in increasing numbers under the #censusfail hashtag to rail against the changes to Census data collection and implore the ABS to reverse its decision, with many promising to boycott this year’s survey.
“Several experts with great knowledge on this topic have expressed concerns. Why won't the ABS listen?” Queensland University of Technology criminologist Dr Cassandra Cross said.
“I want to emphasise how saddened I am, as a researcher and someone concerned about the public good, to feel compelled to protest census,” philosopher and author Dr Leslie Cannold said.
The ABS has said it is not concerned about a civil disobedience campaign and is persevering with its change in policy.
IBRS security advisor James Turner said he was "horrified" by the "naivety" of the ABS' response to public concerns.
"ABS executives had to know that privacy would be a huge issue raised around this change of protocol," Turner said.
"I think most people are looking at the ABS responses as 'we think this is cool, so we're doing it and we don't care about your privacy'.
"[It] doesn't seem to understand that it gets one shot at this. If there is a breach, then the horse has well and truly bolted. It won't even matter if they promise not to do it again, because the data has already gone."