The latest version of the Chrome browser warns users that several Australian government websites are insecure, but the federal cyber security agency is telling citizens to ignore the warnings.
A new list of the world’s most popular but insecure websites, called WhyNoHTTPS, has included several managed by Australian government entities, including the Bureau of Meteorology, Australian Bureau of Statistics, the National Library of Australia, the Department of Foreign Affairs and Trade, and the NSW Education Standards Authority.
Controversially, it has also named the Department of Home Affairs as insecure after tests showed that, in rare circumstances, its website could be vulnerable to attack by more skilled adversaries.
Update #1: A spokesperson for the Department of Home Affairs says its own tests confirm its secure redirection is working as intended.
The list was published to coincide with a new release of the Chrome browser this week that more clearly warns users if the site is transmitting unencrypted traffic that potentially could be altered by a third party without the user being aware.
On secure sites, served over HTTPS — like this one — Chrome will mark the address bar with a secured green lock; on insecure sites Chrome will alert the user with an exclamation mark and the words ‘Not secure’ on the address bar. Google announced the visual change on its security blog in February this year, and released the new version to users yesterday.
A large number of sites recognise that most people aren’t going to type “https://www.” into their browser when they visit a site, and instead just type the domain, “afp.gov.au” for example, which the browser treats as “http://afp.gov.au”. These sites automatically redirect that HTTP request to the HTTPS version, “https://www.afp.gov.au”, and the user quickly finds themselves with a nice green “Secure” in their address bar. That’s the way it’s supposed to work.
However, this list has highlighted that at least five government entities (and probably a lot more) aren’t doing that automatic redirect, or don’t serve an HTTPS site at all.
The ABS uses HTTPS “where it requires customers to include personal or identifiable information” and is moving to upgrade the rest in coming months:
“As part of its transformation program, the ABS is currently moving the remainder of its website from HTTP to encrypted HTTPS website connections. This will provide our customers with a more secure experience. The current time frame for the website migration to be completed is October 2018.”
Malicious actors could create their own ‘official’ government communication
Except for Home Affairs, the five government websites mentioned above make no pretence of being secure — they serve via the traditional HTTP protocol, visible and alterable by third parties on the internet, instead of the encrypted HTTPS protocol.
These government entities, many of which don’t seek their website visitors’ personal details or offer personalised user experiences, might well ask why this matters to them. Even if they’re just presenting static information and seeking nothing from the user in return, they risk allowing a so-called man-in-the-middle attack, in which a malicious actor intercepts the data transmitted by the website and inserts their own code, allowing false messages to override what the website had intended for the user.
The risks should be obvious to anyone in government, especially those involved in IT or managing public communications channels:
- False extreme weather warnings from the trusted BOM, like an approaching bushfire or cyclone, could lead to public panic.
- An Australian on an adventure in another country could instead receive what appears to be an official SmartTraveller alert from DFAT telling them to immediately make their way to a particular embassy location — but is in fact something quite different.
- Activist hackers could insert anti-government messages on the site to embarrass a minister and draw media attention to their cause.
- A commercial spammer could simply redirect users from the government website to their own marketplace.
State actors, including law enforcement, have also been known to mount their own ‘MitM’ attacks against their own citizens.
Some internet service providers, famously the US company Comcast, openly insert commercial messages into other websites — but cannot do so when their customers use secure HTTPS sites.
These issues are so well understood in the IT community, it seems unfathomable that anyone in government would explicitly advise citizens to ignore Chrome’s new warnings. Yet one surprising agency did.
ACSC relaxed about message tampering
The risk of official government message tampering posed by those insecure websites is not fresh news, except perhaps to the Australian government’s own Australian Cyber Security Centre.
So far the ACSC has not taken action against agencies that fail to secure their websites. Indeed, it seems pretty relaxed about the issue, telling the public in May this year:
“A website that uses HTTP instead of HTTPS isn’t necessarily insecure. However, if you are providing personal or financial information, you should always look for an HTTPS connection.
“Do not be alarmed if government or business websites are no longer marked as ‘secure’ when you are using Google Chrome. Check for ‘https’ at the start of website addresses to find out if the website is secured using HTTPS. Alternatively, you can use other web browsers (such as Microsoft Edge or Mozilla Firefox) to determine if the website is secure.”
Contrast ACSC’s blithe approach, even telling the public to use a different browser to mask the security warning, with the reaction from the Digital Transformation Agency, which recently lost its cyber operations to the ACSC in a machinery of government change.
The DTA jumped straight to recognising that government agencies might need help making the transition to the secure protocol:
“At the DTA we use a common platform — cloud.gov.au — to support over 150 applications being built, tested or run by government agencies. All of them support secure HTTPS connections and actively redirect HTTP requests to the secure equivalent.”
In the UK, the ACSC’s equivalent, the National Cyber Security Centre, says government websites should always be served over HTTPS:
“Even when all of the content is public, you still want to make sure it can’t be modified without your knowledge.”
Home Affairs and HTTPS
The odd one out of the WhyNoHTTPS list is Home Affairs. Its website, homeaffairs.gov.au, does direct users to the encrypted HTTPS version. So why did it make the list?
Tests run by the list’s creators, Troy Hunt (in Australia) and Scott Helme (in the UK), revealed not all users were served the website with the same level of protection.
What the researchers found was that in certain situations — such as from overseas locations and/or while site maintenance was being carried out — the usually automatic HTTPS redirection did not occur. Some users were redirected to the secure version, while in the UK, Helme was served what appeared to be a maintenance version of the website and was not redirected to the secure version.
The department could not replicate the problem raised by Hunt and Helme this morning. It responded to The Mandarin, saying its own tests did confirm the site was correctly redirecting to HTTPS, including from overseas locations.
“The main Home Affairs internet site is configured to redirect to HTTPS (a secure site). This is enforced via a policy that redirects all HTTP connection attempt requests to HTTPS.
“This has been verified from overseas locations including Atlanta, Singapore, and Frankfurt and there is consistent behaviour of redirecting HTTP to HTTPS.
“The Department is progressively working to ensure other sites within the Home Affairs domain have the same HTTPS only configuration and will include HSTS.
“The Department is aware of the enhanced risk of Man-in-the-middle attacks.”
Here’s how Hunt explained the inclusion when Helme got a different result from him:
“So clearly Scott just isn’t computering very well, right? But when I called him on it he presented the evidence that caused his crawler to identify the site as not redirecting to HTTPS:
“The title tag says it all – he got a maintenance page which didn’t redirect to a secure connection. Now keep in mind that we were both testing this at precisely the same time so what we’re seeing here is a vastly different experience depending where in the world you are.
“Now here’s the challenge – in a case like this, should Home Affairs be flagged as not secure and included on our website? It might redirect for me but if it doesn’t for some people in other parts of the world, has HTTPS been done ‘properly’? In the case of Home Affairs, they don’t have HSTS enabled either which means people could genuinely be MitM’d when going to the site in that situation.”
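The two checks this article turns on, whether a plain-HTTP request is redirected to https:// and whether the HTTPS response carries an HSTS header, can be scripted so an agency can probe its own site from several locations before a crawler does. The following is an added example written for this article; it is not the WhyNoHTTPS crawler or code from Hunt, Helme, Home Affairs or The Mandarin. The hostname www.agency.example, the sample responses and the one-year HSTS threshold (HSTS_MIN_AGE) are all constructed assumptions. The second sample reproduces the shape of what Helme saw: a 200 maintenance page on HTTP, and no HSTS on the HTTPS side.

```python
"""Classify one observation of a site's HTTP and HTTPS responses.

Added example, not WhyNoHTTPS's crawler. Every response below is a
constructed sample; www.agency.example is a placeholder hostname.
"""
import re
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
HSTS_MIN_AGE = 31536000  # assumption: treat a max-age under one year as weak


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def page_title(body: str):
    """Return the <title> text of an HTML body, or None if there is none."""
    m = re.search(r"<title>(.*?)</title>", body, re.IGNORECASE | re.DOTALL)
    return m.group(1).strip() if m else None


def hsts_max_age(headers: dict):
    """Return max-age from Strict-Transport-Security, or None if absent."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def assess(http_response: str, https_response: str) -> dict:
    """Judge one vantage point's view of a site.

    http_response  - what http://host/ returned from this location
    https_response - what https://host/ returned; HSTS only counts here,
                     because browsers ignore the header on plain HTTP
    """
    status, headers, body = parse_response(http_response)
    verdict = {
        "http_status": status,
        "redirects_to_https": False,
        "http_title": page_title(body),
        "hsts_max_age": None,
        "problems": [],
    }
    if status in REDIRECT_CODES:
        location = headers.get("location", "")
        # A Location with no scheme stays on the current (HTTP) scheme.
        if urlsplit(location).scheme.lower() == "https":
            verdict["redirects_to_https"] = True
        else:
            verdict["problems"].append(
                f"HTTP {status} redirect does not go to https:// ({location!r})")
    else:
        verdict["problems"].append(
            f"content served over plain HTTP (status {status}, "
            f"title {verdict['http_title']!r})")

    _, https_headers, _ = parse_response(https_response)
    age = hsts_max_age(https_headers)
    verdict["hsts_max_age"] = age
    if age is None:
        verdict["problems"].append("no Strict-Transport-Security header on HTTPS")
    elif age < HSTS_MIN_AGE:
        verdict["problems"].append(f"HSTS max-age {age} is below {HSTS_MIN_AGE}")
    return verdict


# Constructed sample observations (not captured from any real site).
HOST = "www.agency.example"
PROPER_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    f"Location: https://{HOST}/\r\n"
    "Content-Length: 0\r\n\r\n"
)
PROPER_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>Agency home</title></head></html>"
)
MAINTENANCE_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>Site maintenance</title></head><body>Back soon</body></html>"
)
HTTPS_NO_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>Agency home</title></head></html>"
)

if __name__ == "__main__":
    for label, http, https in [("proper", PROPER_HTTP, PROPER_HTTPS),
                               ("maintenance", MAINTENANCE_HTTP, HTTPS_NO_HSTS)]:
        result = assess(http, https)
        print(label, "OK" if not result["problems"] else result["problems"])
```

Because the article's point is that the answer differed by geography, a single run is one data point: the same pair of responses should be collected from each location and maintenance window the site is expected to serve, and every observation should come back with an empty problems list. The HSTS check is deliberately applied to the HTTPS response only, since a header sent on the plain-HTTP hop is never honoured by the browser.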
This article has been updated with the response from Home Affairs. The Mandarin also sought comment from the ACSC.