
Ireland's government owned insecure websites

  • 28-08-2016 6:55pm
    #1
    Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭


    Netflix streams video using https. Google and Wikipedia force users into https.

    Google gives https websites a higher SEO ranking.

    Yet dumb Irish gov owned sites such as aib.ie, gov.ie, dublincity.ie, corkcity.ie, corkairport.com, shannonairport.ie, anpost.ie, met.ie, and ultra dumb eircode.ie all start off browsing sessions in the clear. Leaving unencrypted cookies on the victim’s browser.

    Why does dataprotection.ie allow this weakness in Irish online security to continue? Their website is TLS from the get go, so they must be aware of the issues….. yet they seem to do nothing to educate business and government users into the need for 100% TLS.
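An added example, not part of the original post: one way to check the behaviour the post complains about (a session starting over plain HTTP and cookies issued without the `Secure` attribute), plus a missing HSTS header on HTTPS responses. The sample responses, the `example.test` host and the function names are constructed for illustration.

```python
# Constructed sample responses (not captured from any real site).
HTTP_NO_REDIRECT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/; Secure\r\n\r\n"
)
HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"
HTTPS_GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly\r\n\r\n"
)
HTTPS_NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def parse_response(raw):
    """Return (status_code, [(lowercased header name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = []
    for line in head[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_response(raw, scheme):
    """List transport-security findings for one response fetched over `scheme`."""
    status, headers = parse_response(raw)
    values = lambda name: [v for k, v in headers if k == name]
    findings = []
    if scheme == "http":
        # A plain-HTTP entry point should do nothing except redirect to HTTPS.
        loc = values("location")
        redirects = status in (301, 302, 307, 308) and loc and loc[0].lower().startswith("https://")
        if not redirects:
            findings.append("no-https-redirect")
    elif not values("strict-transport-security"):
        # Browsers only honour HSTS when it arrives over HTTPS, so check it there.
        findings.append("missing-hsts")
    for cookie in values("set-cookie"):
        parts = [p.strip() for p in cookie.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:  # cookie would also be sent on later http:// requests
            findings.append("cookie-without-secure:" + parts[0].split("=", 1)[0])
    return findings
```
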


Comments

  • Registered Users, Registered Users 2 Posts: 1,477 ✭✭✭azzeretti


    There's some argument against HTTPS everywhere. Why, for example, should browsing meteorological data be encrypted? Account, authentication and personal data, absolutely, but checking what time your local library opens at?? Still, there are sites that should consider this but I'm not certain profiles are being built off users checking their water rates!


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Presumably the OP has contacted the webmasters of the affected sites and brought this matter to their attention. Just like he did with Ryanair.


  • Closed Accounts Posts: 3,006 ✭✭✭_Tombstone_


    syklops wrote: »
    Presumably the OP has contacted the webmasters of the affected sites and brought this matter to their attention. Just like he did with Ryanair.

    You really need to drop the Ryanair thing ffs.


  • Registered Users, Registered Users 2 Posts: 568 ✭✭✭Joe Exotic


    Impetus wrote: »
    Netflix streams video using https. Google and Wikipedia force users into https.

    Google gives https websites a higher SEO ranking.

    Yet dumb Irish gov owned sites such as aib.ie, gov.ie, dublincity.ie, corkcity.ie, corkairport.com, shannonairport.ie, anpost.ie, met.ie, and ultra dumb eircode.ie all start off browsing sessions in the clear. Leaving unencrypted cookies on the victim’s browser.

    Why does dataprotection.ie allow this weakness in Irish online security to continue? Their website is TLS from the get go, so they must be aware of the issues….. yet they seem to do nothing to educate business and government users into the need for 100% TLS.

    Firstly, none of these sites is operated directly by the government, so to say they are government owned is inaccurate.

    For example, the AIB site is owned by AIB and the government is the majority shareholder.


    Edit: the gov.ie website is government owned


    It's not the same thing.

    Secondly
    Using https increases the load on the server and the SSL handshake in particular can be quite slow, so it can be argued that for non-sensitive data it makes sense to use http.

    All those sites contain publicly available information in the main and, as far as I could tell from a quick search, use https when the information is sensitive.

    Example the parcel tracker on the an post website.

    https://track.anpost.ie/


    As for identifying the site
    HTTPS allows you to confirm the site you are visiting is really the one you are getting and it also prevents the injection of malicious content being injected, be it ads from an ISP or something more nefarious.

    Yes, it does allow a site to use a certificate to inform you that you are at the correct website, but https will not protect you from malicious advertising if the site has been compromised - only from a man-in-the-middle attack, which seems unlikely in this format.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    True. Bringing up something from nearly a year ago is a bit off.

    Even if the thread isn't about Irish govt websites (and the thread topic is a bit on the sensationalist side imho), and it isn't really, it is an interesting infosec topic.

    Is TLS overkill in that not everything needs to be encrypted (and not everything should be encrypted!) or is there an alternative that provides the authentication without the encryption overhead?

    Accessing public information or just general browsing should not require encryption imho but maybe the TLS handshake is enough to provide authentication and then leave the traffic in the clear. For encrypted traffic, the browser's "in-private" browsing may require TLS and encrypted traffic end to end.



  • Closed Accounts Posts: 3,006 ✭✭✭_Tombstone_


    LoLth wrote: »
    True. Bringing up something from nearly a year ago is a bit off.

    Even if the thread isnt about Irish govt websites (and the thread topic is a bit on the sensationalist side imho) , and it isnt really, it is an interesting infosec topic.

    Is it that long!? There's been bad vibes in this forum since that thread. I'm surprised the OP bothers to contribute anymore.


  • Registered Users, Registered Users 2 Posts: 568 ✭✭✭Joe Exotic


    bedlam wrote: »
    I understand this, The two examples I gave were for injection over HTTP which HTTPS would prevent.

    Malicious ads already being served by the site is a whole different topic

    Didn't get to look at the links you provided till now (on my lunch break).

    Both instances describe how a third party is injecting content into your packets; both, however, are specifically through access points you have chosen to connect to: one a commercial wifi hotspot (ads) and one a Tor node (which is encrypted already) - malware.

    You do raise an interesting point, though I'm not sure the solution is https everywhere; prob better not to use those specific services.


  • Banned (with Prison Access) Posts: 1,012 ✭✭✭2RockMountain


    Impetus wrote: »
    Why does dataprotection.ie allow this weakness in Irish online security to continue? Their website is TLS from the get go, so they must be aware of the issues….. yet they seem to do nothing to educate business and government users into the need for 100% TLS.

    The Data Protection Commissioner is not a general IT security adviser for Government. Their specific functions are set out in law to regulate Data Protection law.

