A handful of federal government websites, including one of its most frequented, are still using unencrypted web connections more than a year after Google began labelling them insecure.
In July 2018, a Google Chrome update saw all HTTP sites marked as “not secure” in the address bar in a bid to stamp out the prevalence of unencrypted pages.
The explicit label followed months of urging from Google and others for website owners to serve traffic over the more secure HTTPS protocol.
Unlike HTTPS, HTTP does not encrypt data that travels between a user’s computer and a website and therefore does not “protect the integrity and confidentiality of data”, according to the web giant; anyone on the network path can read or alter an HTTP page in transit.
While HTTPS is most obviously necessary for login pages, payment gateways and credit card forms where consumers enter personal details, Google recommends HTTPS connections “regardless of the content on the site”, because an unencrypted page can be tampered with whatever it contains.
Just after the changes, security researchers Troy Hunt and Scott Helme published a list of Australia’s largest websites that were not redirecting HTTP requests to a more secure HTTPS connection.
The list named the Bureau of Meteorology, AFL, and Department of Home Affairs and Immigration among the top local sites that load “over an insecure connection without redirecting to a secure, encrypted connection”.
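The test behind that list is simple to reproduce: request a site over plain HTTP without following redirects, and see whether the first response (or a short chain of redirects) lands on an https:// URL or delivers page content unencrypted. The script below is an added example written for this article; it is not code from WhyNoHTTPS.com, Troy Hunt, Scott Helme or any of the agencies named. The `*.example.invalid` hostnames and their responses are constructed so the logic can be exercised offline; the live mode uses only the Python standard library.

```python
"""Does a site served over plain HTTP redirect to HTTPS?

audit() follows up to MAX_HOPS redirects from an http:// URL and reports
whether an https:// URL is reached or whether content is served unencrypted.
The fetch function is injectable so the logic can be tested with constructed
responses; live_fetch() performs a real single GET without following redirects.
"""
import http.client
import sys
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


def audit(start_url, fetch, max_hops=MAX_HOPS):
    """Return (verdict, chain) for a plain-HTTP request to start_url.

    fetch(url) must return (status, location_header_or_None) for one GET that
    does NOT follow redirects. Verdicts:
      "redirects-to-https"  an https:// URL is reached within max_hops
      "serves-over-http"    a 2xx response is delivered over plain HTTP
      "too-many-redirects"  still on http:// after max_hops redirects
      "error"               a non-2xx, non-redirect response over HTTP
    The audit stops as soon as the chain reaches https://; it does not verify
    the certificate or that the HTTPS page itself loads.
    """
    url = start_url
    chain = [url]
    for _ in range(max_hops):
        if urlsplit(url).scheme.lower() == "https":
            return "redirects-to-https", chain
        status, location = fetch(url)
        if status in REDIRECT_STATUSES and location:
            # urljoin resolves relative ("/path") and scheme-relative
            # ("//host/path") targets; both inherit http from the current
            # hop, so they are still unencrypted and the chain continues.
            url = urljoin(url, location.strip())
            chain.append(url)
            continue
        if 200 <= status < 300:
            return "serves-over-http", chain
        return "error", chain
    if urlsplit(url).scheme.lower() == "https":
        return "redirects-to-https", chain
    return "too-many-redirects", chain


def live_fetch(url, timeout=10):
    """One GET over plain HTTP, redirects not followed (stdlib only)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": parts.netloc,
                                           "User-Agent": "https-redirect-check/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed responses (hypothetical hosts under the reserved .invalid TLD)
# covering the cases an auditor meets: direct redirect, two-hop redirect via
# another http:// host, plain HTTP content, scheme-relative Location, and a loop.
SAMPLE_RESPONSES = {
    "http://example.invalid/": (301, "https://example.invalid/"),
    "http://www.example.invalid/": (301, "http://example.invalid/"),
    "http://plain.example.invalid/": (200, None),
    "http://rel.example.invalid/": (302, "//rel.example.invalid/home"),
    "http://rel.example.invalid/home": (200, None),
    "http://loop.example.invalid/": (302, "/"),
}


def sample_fetch(url):
    """Offline stand-in for live_fetch using SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    # Usage: python https_check.py www.bom.gov.au defence.gov.au ...
    # With no arguments, the constructed samples are audited instead.
    if len(sys.argv) > 1:
        targets = [("http://%s/" % h, live_fetch) for h in sys.argv[1:]]
    else:
        targets = [(u, sample_fetch) for u in SAMPLE_RESPONSES if u.endswith("invalid/")]
    for url, fetch in targets:
        verdict, chain = audit(url, fetch)
        print("%-22s %s" % (verdict, " -> ".join(chain)))
```

A site whose apex redirects over HTTP to its www host, which then redirects to HTTPS, is reported as `redirects-to-https`: the first hop is still unencrypted, but any request typed as http:// has that exposure regardless, and the methodology quoted above only asks whether the site ends up on an encrypted connection. A `serves-over-http` result is the condition that got the sites in the list named.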
Since then, the vast majority of the 50 corporates and government agencies previously named and shamed have adopted HTTPS, which, depending on the size of the migration, is not necessarily an easy feat.
This includes the Australian Bureau of Statistics, the Department of Home Affairs, and the Department of Health.
But an investigation by iTnews has revealed that a number of federal government websites have yet to fully adopt HTTPS.
This includes the Bureau of Meteorology website, which, as one of Australia’s most visited government websites, receives approximately 3.5 billion page views each year.
A BoM spokesperson said the bureau was aware of the matter and is currently working to upgrade its cyber security posture through the “significant” IT refresh project known as the ‘robust’ program.
The program, funded with an undisclosed amount in the 2017 and 2018 budgets, is aimed at hardening BoM’s operating environment in the wake of the 2015 hack attributed to suspected foreign adversaries.
As part of this, BoM is planning to upgrade its web presence over the next two years under a $31 million digital channels platform deal with Accenture.
Despite ongoing work to address the issue, however, the agency said that the “website continues to be a safe and secure digital destination for weather, climate, water and ocean information”.
Coincidentally, on Friday the bureau gave a first look at its new HTTPS weather webpage, which is still in development.
The Department of Defence’s website, although not nearly as frequented, is another found still to be using HTTP.
A Defence spokesperson told iTnews the department was “undertaking a planned program to transition the Defence website to HTTPS ... by December 2019”.
Other corporates named on WhyNoHTTPS.com that have yet to shift to HTTPS include some Ticketek pages, AustLii and the Sydney Morning Herald’s travel section, Traveller.
Other government websites not named in the original list but identified as lacking HTTPS, in part or in full, are:
- Department of Environment and Energy
- Department of Agriculture
- Geoscience Australia
- Clean Energy Regulator
- National Archives of Australia
- Australian Institute of Criminology
- Inspector-General of Taxation and Taxation Ombudsman
- Commonwealth Ombudsman