A Security Audit of Australian Government Websites

October 29, 2020

Introduction – A Security Audit of Australian Government Websites

Data confidentiality and content integrity in end-to-end communications are critical features of today’s online Web services. As the cryptographic foundation of the Web, Hypertext Transfer Protocol Secure (HTTPS) leverages the Transport Layer Security (TLS) protocol to ensure that webpages are protected against external entities eavesdropping on or altering Internet content. While HTTPS adoption is becoming the norm across the wider Web, with many of the largest websites having transitioned to serve content only via HTTPS, several technical challenges (errors and complications in HTTPS adoption), if not addressed, may lead to poor protection against adversaries targeting visitors of websites and to low-quality HTTPS deployments, which in turn create security vulnerabilities to be exploited by cybercriminals. This is particularly true for government websites, whose content is highly sensitive and which citizens expect to meet the highest security requirements. In 2015, the Executive Office of the U.S. President issued a memorandum for the heads of the U.S. executive departments and agencies that requires all publicly accessible federal websites and web applications to provide services only through a secure connection. The memorandum reads: “The strongest privacy and integrity protection currently available for public web connections [being] Hypertext Transfer Protocol Secure (HTTPS).”

In this document, we perform a comprehensive security and vulnerability analysis of Australian federal (in 2018, 2019, and 2020) and state/territory (in 2020) government websites. We leverage the Qualys SSL Labs tool and custom-built scripts to assess the extent to which Australian government institutions enable secure data transmission by adopting HTTPS for their websites. We also investigate the HTTPS server configuration of each website using state-of-the-art diagnostic tools, and assign each government website a security score from 1 to 5 stars. In addition, we highlight further issues in the resource loading of websites, including the inclusion of outdated, vulnerable JavaScript code and the presence of weak links in the chains of downloaded web resources.

Our analysis reveals that most (but not all) Australian government websites currently provide adequate security guarantees. More than 80% of the analysed websites adopt HTTPS, and almost 90% of the HTTPS-enabled websites provide strong or adequate security by adopting robust server configurations. Overall, we find that the security of Australian government websites has improved over the last few years: back in 2018, only 36% of websites were HTTPS-enabled, and more than 70% of the analysed HTTPS servers presented insecure configurations.

Our security audit also reveals several gaps and pitfalls in the current security of Australian government websites. First, several federal government departments and state/territory governments are still far from full HTTPS adoption. For example, 25% of Tasmanian government websites and 34.5% of (federal) Department of Health websites were still not HTTPS-enabled in August 2020. Second, a non-negligible fraction of HTTPS-enabled websites (e.g., 3.9% for the federal government) present insecure HTTPS server configurations, due to sub-optimal or weak cryptographic mechanisms, support for vulnerable protocols, or certificate trust issues. Such weaknesses may place client information at risk of being intercepted and obtained by a malicious agent (despite the use of HTTPS). Third, the majority of Australian government webpages embed vulnerable resources, especially outdated front-end JavaScript libraries with publicly known vulnerabilities, which could be exploited by attackers to inject malicious code into the webpages.
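The three pitfall categories above (no HTTPS, weak HTTPS server configuration, outdated front-end libraries) are the kind of thing an operator can check for their own sites in an offline, repeatable way. The following Python script is an added example written for this page; it is not code from the report or from Macquarie University, and its 1-to-5 star deduction rules and its minimum-library-version table are constructed for illustration rather than the report's own scoring method. The `TlsScan` record is a hypothetical summary of what a TLS scanner (such as the SSL Labs service the audit relies on) would report for one host, and the HTML snippet and hostnames are constructed sample data.

```python
"""Offline helpers for two of the audit checks: grading a TLS server
configuration and flagging outdated front-end libraries (constructed example)."""
import re
from dataclasses import dataclass
from typing import Optional

# --- Part 1: grade an HTTPS server configuration -------------------------
@dataclass
class TlsScan:
    """Hypothetical per-host summary of a TLS scanner's findings."""
    host: str
    https_enabled: bool
    protocols: tuple = ()          # e.g. ("TLSv1.2", "TLSv1.3")
    ciphers: tuple = ()            # cipher suite names the server negotiates
    cert_trusted: bool = True      # chain validates to a public root
    hsts: bool = False             # Strict-Transport-Security header sent

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}            # broken, must be disabled
DEPRECATED_PROTOCOLS = {"TLSv1.0", "TLSv1.1"}    # deprecated by RFC 8996
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")

def star_rating(scan: TlsScan) -> Optional[int]:
    """Return 1..5 stars, or None when the host is not served over HTTPS.

    Constructed rule set (not the report's): a certificate trust failure
    is fatal (1 star), legacy/deprecated protocols and weak ciphers cap
    the score, and a missing HSTS header costs one star.
    """
    if not scan.https_enabled:
        return None
    if not scan.cert_trusted:
        return 1                   # browsers warn; users click through
    score = 5
    protocols = set(scan.protocols)
    if protocols & LEGACY_PROTOCOLS:
        score = min(score, 2)
    elif protocols & DEPRECATED_PROTOCOLS:
        score = min(score, 3)
    if any(m in c.upper() for c in scan.ciphers for m in WEAK_CIPHER_MARKERS):
        score = min(score, 2)
    if not scan.hsts:
        score -= 1
    return max(score, 1)

# --- Part 2: flag outdated front-end libraries in a page ------------------
# Constructed policy table of minimum acceptable versions; a real audit
# would take these from a vulnerability database such as Retire.js.
MIN_LIB_VERSION = {"jquery": (3, 5, 0), "bootstrap": (4, 3, 1)}

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)
# Matches "<name>-<version>", "<name>/<version>" or "<name>@<version>" in a URL.
LIB_VERSION = re.compile(r'([a-zA-Z][a-zA-Z0-9_.]*?)[-/@]v?(\d+\.\d+(?:\.\d+)?)')

def parse_version(text: str) -> tuple:
    """Turn "1.12" into (1, 12, 0) so versions compare as tuples."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

def outdated_libraries(html: str) -> list:
    """Return (library, version, src) for each versioned script below policy."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        m = LIB_VERSION.search(src)
        if not m:
            continue               # no recognisable name/version in the URL
        name, version = m.group(1).lower(), parse_version(m.group(2))
        floor = MIN_LIB_VERSION.get(name)
        if floor and version < floor:
            findings.append((name, m.group(2), src))
    return findings

# --- Constructed sample data for a stand-alone run -----------------------
SAMPLE_SCANS = [
    TlsScan("good.example.gov.au", True, ("TLSv1.2", "TLSv1.3"),
            ("TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"), True, True),
    TlsScan("legacy.example.gov.au", True, ("TLSv1.0", "TLSv1.2"),
            ("ECDHE-RSA-AES128-SHA", "RC4-SHA"), True, True),
    TlsScan("plain.example.gov.au", False),
]

SAMPLE_HTML = """
<html><head>
<script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
<script type="text/javascript" src="/static/libs/bootstrap/4.1.3/js/bootstrap.min.js"></script>
<script src="https://cdn.example.test/jquery@3.5.1/dist/jquery.min.js"></script>
<script src="/js/app.js?v=2.0.1"></script>
</head><body></body></html>
"""

def audit_report() -> dict:
    """Run both checks over the constructed samples and summarise them."""
    ratings = {s.host: star_rating(s) for s in SAMPLE_SCANS}
    https_share = sum(s.https_enabled for s in SAMPLE_SCANS) / len(SAMPLE_SCANS)
    return {"ratings": ratings, "https_share": https_share,
            "outdated": outdated_libraries(SAMPLE_HTML)}

if __name__ == "__main__":
    for key, value in audit_report().items():
        print(key, value)
```

Feeding real scanner output into `TlsScan` and a real vulnerability database into `MIN_LIB_VERSION` turns this into a small continuous check; the point of keeping the rule set explicit is that a deployment which drops below a threshold (a deprecated protocol re-enabled, a library downgraded) is caught by the same code path every time rather than by a one-off manual review.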

The rest of this document is organised as follows: Section 2 provides background information on the HTTP and HTTPS protocols. Section 3 describes the analysed sets of Australian government websites and presents our analysis methodology. In Section 4, we evaluate the adoption of HTTPS in Australian government websites over the 2018-2020 period, for both federal and state/territory webpages. In Section 5, we investigate HTTPS servers’ configurations and provide a security score for Australian government websites. Lastly, Section 6 presents additional vulnerabilities found in the analysed webpages, and Section 7 provides concluding remarks.

About the Provider

Macquarie University