Almost all remaining unencrypted web connections across the federal government have now been eradicated, with most agencies still using HTTP expected to shift before the end of the financial year.
It comes more than three-and-a-half years after Google Chrome began labelling HTTP sites “not secure” in the address bar in an effort to prompt owners to switch to the more secure HTTPS protocol.
HTTPS, unlike HTTP, encrypts data in transit to prevent access by attackers, protecting the integrity and confidentiality of data between a user’s computer and the site, according to Google.
The web giant recommends HTTPS connections “regardless of the content on the site”, particularly for login pages, payment gateways and credit card forms that involve entering personal details.
In July 2018, just after the security changes were implemented, Australia’s largest website owners without HTTPS were publicly outed, including a number of federal government agencies.
A year later, most of the agencies on the list had adopted encrypted connections, including the Australian Bureau of Statistics, Department of Home Affairs and the Department of Health.
It left only a handful of agencies without HTTPS, namely the departments of Defence and Agriculture, Bureau of Meteorology, Airservices Australia, the Clean Energy Regulator and Geoscience Australia.
But iTnews can reveal that the majority of those remaining agencies have now made the jump to encrypted connections, with three agencies still in the process of upgrading their websites.
This is the case for the Bureau of Meteorology, which is currently “developing an updated version of its website to ensure it continues to meet the needs of the Australian community”.
The website is one of the federal government’s most popular, receiving more than 3.4 million page views in 2021, up from 2.5 million in 2017.
“The BoM is committed to improving the security and resilience of its ICT systems, observation network and business processes,” a spokesperson told iTnews.
Accenture has been working to build a new all-in-one digital channels platform, including a new web presence for the primary website, since August 2019.
The work forms part of a wider program to harden the bureau’s operating environment in the wake of the 2015 hack by suspected “foreign adversaries”.
The spokesperson did not provide a timeline for when the BoM website would transition to HTTPS.
The corporate website for the Clean Energy Regulator also continues to use HTTP, though the agency is reaching the end of a program to transition websites and online business systems to HTTPS.
A spokesperson said all transactional and client-facing business systems had already been updated to use HTTPS, with the corporate website expected to follow “before the end of the financial year”.
“The CER has been progressively modernising its websites and online systems to ensure that all systems use encrypted communications, HTTPS,” the spokesperson said.
“The corporate website was prioritised as a low risk to client or CER data and was scheduled for update towards the end of our program.
“[It] provides static information and it is isolated from transactional systems and data.”
Geoscience Australia, which also has an unencrypted corporate website, told iTnews the vast majority of its websites have had HTTPS connections since 2002.
The agency said that only one legacy web application was yet to transition, but that this work was underway.
“At this time, we are progressing with remediating legacy web applications, with only a single application remaining – the Geochron Delivery application,” a spokesperson said.
“This work is currently underway and is anticipated to be completed by the end of this quarter.
“Once remediation is complete, we will be able to force secure connections for the whole Geoscience Australia website.”