iTnews

The government websites that still aren't 'secure'

By Justin Hendry on Sep 24, 2019 6:55AM

HTTP connections still in use.

A handful of federal government websites, including one of its most frequented, are still using unencrypted web connections more than a year after Google began labelling them insecure.

In July 2018, a Google Chrome update saw all HTTP sites marked as “not secure” in the address bar in a bid to stamp out the prevalence of unencrypted pages.

The explicit warning followed months of warnings from Google and others for website owners to serve traffic over the more secure HTTPS protocol.

Unlike HTTPS, HTTP does not encrypt data that travels between a user’s computer and a website and, therefore, does not “protect the integrity and confidentiality of data”, according to the web giant.

While HTTPS is mainly necessary for login pages, payment gateways and credit card forms used by consumers to enter personal details, Google recommends HTTPS connections “regardless of the content on the site”.

Just after the changes, security researchers Troy Hunt and Scott Helme published a list of Australia’s largest websites that were not redirecting HTTP requests to a more secure HTTPS connection.

The list named the Bureau of Meteorology, AFL, and Department of Home Affairs and Immigration among the top local sites that load “over an insecure connection without redirecting to a secure, encrypted connection”.

Since then, the vast majority of the 50 corporates and government agencies previously named and shamed have adopted HTTPS, which, depending on the size of the migration, is not necessarily an easy feat.

This includes the Australian Bureau of Statistics, the Department of Home Affairs, and the Department of Health.

But an investigation by iTnews has revealed that a number of federal government websites are still yet to bed down HTTPS.

This includes the Bureau of Meteorology website, which as one of Australia’s most visited government websites receives approximately 3.5 billion page views each year.

A BoM spokesperson said the bureau was aware of the matter and is currently working to upgrade its cyber security posture through the “significant” IT refresh project known as the ‘robust’ program.

The program, which received an undisclosed amount of funding in the 2017 and 2018 budgets, is aimed at hardening BoM’s operating environment in the wake of the 2015 hack by suspected foreign adversaries.

As part of this, BoM is planning to upgrade its web presence over the next two years under a $31 million digital channels platform deal with Accenture.

Despite ongoing work to address the issue, however, the agency said that the “website continues to be a safe and secure digital destination for weather, climate, water and ocean information”.

Coincidentally, on Friday the bureau gave a first look at its new HTTPS weather webpage, which is still in development.

The Department of Defence’s website, although not nearly as frequented, is another found to still be using HTTP.

A Defence spokesperson told iTnews the department was “undertaking a planned program to transition the Defence website to HTTPS ... by December 2019”.

Other corporates named on the WhyNoHTTPS.com list that are yet to shift to HTTPS include some Ticketek pages, AustLII and the Sydney Morning Herald’s travel section, Traveller.

Other government websites not named in the original list, but identified as lacking HTTPS in part or in full, are:

  • Airservices
  • Department of Environment and Energy
  • Department of Agriculture
  • Geoscience Australia
  • Clean Energy Regulator
  • National Archives of Australia
  • Australian Institute of Criminology
  • Inspector-General of Taxation and Taxation Ombudsman
  • Commonwealth Ombudsman