Belgium recently faced terrorist attacks in Brussels; the Brussels bombings received international media coverage and greatly impacted our society. However, it is not only our physical security we should be worried about. Online security threats, from any source, can be just as harming or arguably even worse.
Exactly one year ago, the 11th of April 2015, I reviewed the websites of the Belgian administrations on their status on SSL security. Back then, various national news websites and newspapers picked up my article. This coverage triggered reactions from a number of managers active at these administrations and they promised to fix their insecure platforms. One year later, I want to know if things indeed have changed. Just for the completeness of this article, here are a number risks/issues that are a result of an insufficiently secure SSL/TLS connection:
- Citizens see in their browser the secure icon (
), a green bar or the address starts with https://, which indicates a secure connection. However, if the underlying security protocol is not secure and may be easily hacked, this is a false sense of security towards the government’s citizens. - Information that is transferred between a citizen and the government (e.g. passport ID, address, tax information) may be read by a hacker. This hacker can then sell or misuse this information in another way. The result of this may be identity theft or fraud.
- External threats should also be taken into consideration. Other governments or hacker groups may collect information on a bigger scale to do trend analysis or to manipulate the economic markets based on this information. It may seem unlikely, but with the Snowden revelations, this may be a feasible scenario after all.
), a green bar or the address starts with Methodology
To determine the strength of a website’s security certificate, I use the same methodology as I used in my report of April last year. I use the Qualys SSL Labs to test the server configuration of the server of the government’s websites. For sake of comparison, I use the same government websites so I can comprehensibly compare them.
Results
Here is an overview of the results per instance, comparing last year with this year.
| FOD Financiën | Privacy Commissie | e-Gov | CSAM | Social Security | Digiflow | eHealth Portaal | Biztax | DIBISS | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Date | Apr-15 | Apr-16 | Apr-15 | Apr-16 | Apr-15 | Apr-16 | Apr-15 | Apr-16 | Apr-15 | Apr-16 | Apr-15 | Apr-16 | Apr-15 | Apr-16 | Apr-15 | Apr-16 | Apr-15 | Apr-16 |
| Certificate | 70 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 |
| Protocol Support | 70 | 50 | 95 | 95 | 0 | 95 | 70 | 95 | 90 | 95 | 0 | 95 | 95 | 95 | 70 | 90 | 70 | 95 |
| Key Exchange | 80 | 95 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 80 | 90 | 90 | 90 | 90 | 90 |
| Cipher Strength | 90 | 95 | 80 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 | 90 |
| Score | B | C | B | A | F | A | C | A+ | C | A | F | A+ | A- | A+ | C | C | C | A+ |
The results are, overall, very positive. Most governmental website did indeed change their security configuration and are remarkably better secured. Last year, a great number of websites were vulnerable to POODLE, a known weakness in the SSL protocol (see this security whitepaper from Google researchers).
When counting all metric together per site, all sites scored better. Where we had 2 sites scoring the lowest score possible (F), the minimum score today is C. Furthermore, most sites can now be categorised as A-sites, meaning they have maximised their security configurations. Sites receiving the A+ grade received this exceptional grade because they only accept secure connections and will refuse insecure sessions.
However, when we zoom in on the final score received, we see two things that stand out. The FOD Financiën scored a lower grade this year (C) compared to last year (B). Also, Biztax is the only site that did not improve its score. What is going on?
- FOD Financiën: the server supports only older protocols, but not the current best TLS 1.2. As a result, the score is capped at C. Furthermore, the server does not support Forward Secrecy.
- Biztax: just like the FOD Financiën’s site, Forward Secrecy is not supported. But even worse, this site is vulnerable to the POODLE attack.
Conclusions
Citizens use the online services of the government and it’s the government who should guarantee a safe environment for its citizens to securely exchange sensitive information such as tax data or personal information.
The results of this research show the governmental instances have greatly improved their certificates and server configurations. Almost all sites that were compared score higher. While two out of the nine sites can still enhance their security efforts, there are also platforms who only accept secure connections and will even refuse insecure sessions.
While the results presented today should be positively received, the security landscape is changing heavily. New flaws in the current security protocols and configurations are being discovered frequently, which means that these sites should put effort into updating their systems to prevent compromised connections.
Thomas, I love your IT lovin’!