
Insecure Irish government websites

  • 09-02-2018 8:04pm
    #1
    Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭


    gov.ie shows little respect for users by publishing in http rather than https mode.

    Non-https sites encourage man-in-the-middle attacks and malware injection, snooping, and other security issues.

    Google is planning to flag all such sites as insecure in the near future. Not before time.

    https://www.siliconrepublic.com/enterprise/google-chrome-http-unsecured-sites

    Every major site on the planet uses https - google, NY times, wiki, virtually every newspaper and government site in the world, not to mention virtually every private corporation and charity. Even otherwise incompetent airlines such as Ryanair and Aer Lingus have, to some extent, got the message (though far from 100%).

    Aside from ejit Ireland's core gov website, which remains http. Not unlike its health "service", appalling road signage and public transport etc etc.


Comments

  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    I'm going to ask a question I already know the answer to, have you reported the individual sites to their admins?


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    [Deleted User] wrote: »
    I'm going to ask a question I already know the answer to, have you reported the individual sites to their admins?


    I shouldn't have to report anything. If the operators of the site knew anything about current security standards it would be https.

    This morning's media have stories on the US and GB government websites being hit by malware (coin mining - but who knows they could be crawling with all sorts of things). This non-https is indicative of the quality of government computer security. I would guess it is probably as bad as the Irish gov 'health service'.

    https://www.theguardian.com/technology/2018/feb/11/government-websites-hit-by-cryptocurrency-mining-malware


  • Registered Users, Registered Users 2 Posts: 7,431 ✭✭✭jmcc


    Impetus wrote: »
    I shouldn't have to report anything. If the operators of the site knew anything about current security standards it would be https.

    HTTPS is no use if the server is insecure. The Google FUDbuddies in the media and SEO business have been pushing the whole HTTPS angle for a few years now as a kind of solution for all problems. Google's FUDbuddies, the technology journalists, generally haven't a clue about security or coding as most of them do not have a technology-based background.

    Impetus wrote: »
    This morning's media have stories on the US and GB government websites being hit by malware (coin mining - but who knows they could be crawling with all sorts of things). This non-https is indicative of the quality of government computer security. I would guess it is probably as bad as the Irish gov 'health service'.

    Do some reading on what happened. It was a compromise of a US based service, Browsealoud, which caused the problem rather than a compromise of the Irish, and other, websites.

    The reason you would guess is because you haven't any facts or data. The percentage of compromised websites in the Irish webscape due to defacements and compromised plug-ins is generally around 1% and it spikes when there's a new exploit. The majority of websites are on shared hosting and their owners treat them like brochureware so a compromised site can go for months, or years, before being fixed. Sites that have been compromised for phishing are generally secured quickly because they are more likely to be reported.

    Regards...jmcc


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    Impetus wrote: »
    I shouldn't have to report anything.

    For someone so easily outraged at perceived inept security practices you're not really all that motivated to actually help. No, you shouldn't *have* to report an issue, they should have spotted it themselves, but maybe bringing an issue to their attention would be helpful (as long as you report it in a helpful manner and don't just go off on one, I would imagine the IT staff responsible would be happy to hear from you).

    Also, if a site is static and there is no secure data input required then they probably (rightly or wrongly) feel https to be unnecessary. Are any of the pages after gov.ie https protected? gov.ie is mainly just a hub that leads on to other https protected departmental sites (though I do see that comreg.ie is not https and it has a search function on the landing page).

    Would https have protected any site against Browsealoud or would it just have lulled end users into believing a false sense of security?

