A Security Audit of Australian Government Websites
Dali Kaafar, Gioacchino Tangari, Muhammad Ikram
Optus Macquarie University Cyber Security Hub

Abstract

This document presents a security analysis of Australian government websites (both federal and state-level), with a focus on the adoption of the encrypted communication protocol HTTPS, the security level of its implementation and configuration on government websites, and the security of the website resources loaded from external parties.

What HTTPS does: HTTPS protects the integrity and confidentiality of data between the user’s computer and the website by preventing information from being read or altered while in transit. It also provides authentication mechanisms that prevent unknown or untrusted websites from masquerading as the intended website (e.g., a government website or service), ensuring that the other end of the channel is the one the user intends to communicate with.

Dataset: We extracted the list of government websites, for both the federal government and the state/territory governments, from the public directories reported in [–, , , , , , ], and retained the websites hosted under the .gov.au domain space. Overall, we analysed a set of websites, of which belong to federal government departments and belong to state/territory governments.

Methodology: Our analysis relies on extensive security audits performed on both Australian federal government websites (in , , and ) and Australian state/territory government websites (in ).
We conduct the analysis in three main steps: (i) we assess the extent to which websites belonging to Australian government institutions enable secure data transmission by adopting HTTPS; (ii) we test the HTTPS server configuration of each website using state-of-the-art diagnostic tools, and give each government website a security rating score from to stars; and (iii) we investigate additional issues in the loading of webpage resources: the inclusion of outdated, vulnerable JavaScript code and the presence of weak links in the chains of downloaded web resources.

Results: Our analysis of the security of Australian government websites reveals that:

• % of Australian federal government websites currently adopt HTTPS. The fraction of HTTPS websites has increased substantially over the last two years, from % in September to % in November and % in August . However, the fraction of Australian government websites that do not adopt HTTPS is still significant (≈ %) as of August .

• Some webpages owned by specific federal government departments are of particular concern. For example, .% of the websites belonging to the Australian Department of Health and .% of those of the Department of Environment and Energy still use plaintext (non-encrypted) HTTP.

• Our analysis of state/territory government websites also revealed major HTTPS (non-)adoption concerns. We find that % of state/territory government webpages still do not support HTTPS; the fraction rises to % for the Tasmanian state government. Only for the Northern Territory government do all analysed websites use HTTPS.

• Our measurements of HTTPS configuration and implementation vulnerabilities reveal both light and shadow.
While the majority of HTTPS-enabled Australian government websites (≈ %) offer exceptional HTTPS configuration settings as of August , with strong commercial security guarantees (rated stars) or adequate server security with only minor potential issues for old/obsolete client browsers and operating systems (rated stars), % currently exhibit very low security guarantees, with possibly exploitable vulnerabilities, misconfigurations or the use of insecure cryptographic protocols.

• Overall HTTPS server security has improved significantly over the last two years, evolving from % of websites rated star back in , due to major (exploitable) server misconfigurations, to % in November and then “only” .% (federal government) and .% (state/territory governments) in August .

• Amongst the weakly secured HTTPS websites, we mainly detected weaknesses in cryptographic mechanisms (e.g., use of weak ciphers), support for vulnerable protocols (e.g., SSL), and “untrusted” certificates that do not allow correct server-identity validation. Current HTTPS server security is particularly concerning for a number of Australian state/territory governments, such as the Northern Territory, for which % of the analysed websites have at least one misconfigured HTTPS certificate and received a star security rating.

• The majority of Australian government websites incorporate vulnerable resources in their webpages. In particular, at least % of federal government webpages and more than % of state/territory government webpages include at least one outdated or deprecated JavaScript library with publicly known vulnerabilities. For example, by embedding an old version of the jQuery UI library, almost % of Australian government websites are exposed to a high-severity Cross-Site Scripting (XSS) vulnerability, which could be exploited by attackers to inject malicious code into the webpage.
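The star rating summarised in the results above maps scan findings (broken protocols such as SSL, weak ciphers, untrusted certificates) to a score. The following is an added example of that mapping, not the authors' tooling and not the Qualys SSL Labs grading scheme: the scan record format, the protocol and cipher lists, the hostnames and the 0/1/4/5-star thresholds are all assumptions chosen for illustration.

```python
"""Star rating of an HTTPS server configuration from scan results.

Added example to illustrate the kind of rating described in the audit; it is
not the authors' tooling and not the Qualys SSL Labs grading scheme.  The scan
record format, the protocol/cipher lists and the star thresholds are all
assumptions chosen for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field

# Protocol versions with known attacks (SSL is named on the page; assumption
# that both SSLv2 and SSLv3 count as broken).
BROKEN_PROTOCOLS = {"SSLv2", "SSLv3"}
# Deprecated but still widely enabled for old clients (assumption).
DEPRECATED_PROTOCOLS = {"TLSv1.0", "TLSv1.1"}
# Substrings that mark a cipher suite as weak (assumption, OpenSSL-style names).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


@dataclass
class ScanRecord:
    """Constructed summary of one server scan."""
    host: str
    https: bool                              # answers on port 443 at all
    protocols: set = field(default_factory=set)
    ciphers: list = field(default_factory=list)
    cert_trusted: bool = True                # chain validates to a trusted root
    cert_matches_host: bool = True           # certificate name matches the host


def find_issues(rec):
    """List the configuration issues in a scan record, prefixed by severity."""
    if not rec.https:
        return ["no HTTPS"]
    issues = []
    broken = sorted(rec.protocols & BROKEN_PROTOCOLS)
    if broken:
        issues.append("serious: broken protocols " + ", ".join(broken))
    weak = [c for c in rec.ciphers if any(m in c for m in WEAK_CIPHER_MARKERS)]
    if weak:
        issues.append("serious: weak ciphers " + ", ".join(weak))
    if not rec.cert_trusted:
        issues.append("serious: untrusted certificate chain")
    if not rec.cert_matches_host:
        issues.append("serious: certificate name mismatch")
    deprecated = sorted(rec.protocols & DEPRECATED_PROTOCOLS)
    if deprecated:
        issues.append("minor: deprecated protocols " + ", ".join(deprecated))
    return issues


def star_rating(rec):
    """0 stars: no HTTPS; 1: any serious issue; 4: only minor issues; 5: clean.
    The thresholds are an assumption for illustration."""
    issues = find_issues(rec)
    if "no HTTPS" in issues:
        return 0
    if any(i.startswith("serious") for i in issues):
        return 1
    if any(i.startswith("minor") for i in issues):
        return 4
    return 5


def summarise(records):
    """Percentage of sites at each star level, as an audit would report it."""
    counts = Counter(star_rating(r) for r in records)
    return {stars: round(100 * counts[stars] / len(records), 1) for stars in range(6)}


# Constructed scan records (hostnames are placeholders, not real sites).
SAMPLE_RECORDS = [
    ScanRecord("a.example.gov.au", True, {"TLSv1.2", "TLSv1.3"},
               ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]),
    ScanRecord("b.example.gov.au", True, {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
               ["ECDHE-RSA-AES256-GCM-SHA384"]),
    ScanRecord("c.example.gov.au", True, {"SSLv3", "TLSv1.2"},
               ["RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-SHA"]),
    ScanRecord("d.example.gov.au", False),
    ScanRecord("e.example.gov.au", True, {"TLSv1.2"},
               ["ECDHE-RSA-AES128-GCM-SHA256"], cert_trusted=False),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec.host}: {star_rating(rec)} star(s); {find_issues(rec)}")
    print(summarise(SAMPLE_RECORDS))
```

Any trust failure pulls a site down to one star regardless of its cipher suites, because a certificate that cannot be validated defeats the server-identity guarantee that HTTPS is supposed to provide; a real scanner would populate the records from a TLS handshake rather than from constructed data.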
Introduction

Data confidentiality and content integrity in end-to-end communications are critical features of today’s online Web services. Being the cryptographic foundation of the Web, the Hyper Text Transfer Protocol Secure (HTTPS) [] leverages the Transport Layer Security (TLS) [] protocol to ensure that webpages are secure against external entities eavesdropping on or altering Internet content. While HTTPS adoption is becoming the norm across the wider Web, with many of the largest websites having transitioned to serve content only via HTTPS [], several technical challenges (errors and complications in HTTPS adoption), if not addressed, may lead to poor protection against adversaries targeting website visitors and to low deployment standards for HTTPS, which in turn create security vulnerabilities for cybercriminals to exploit. This is particularly true for government websites, whose content is highly sensitive and which citizens expect to meet the highest security requirements. In , the Executive Office of the U.S. President issued a memorandum for the heads of U.S. executive departments and agencies that requires all publicly accessible federal websites and web applications to provide services only through a secure connection. The memorandum reads: “The strongest privacy and integrity protection currently available for public web connections [being] Hypertext Transfer Protocol Secure (HTTPS).”

In this document, we perform a comprehensive security and vulnerability analysis of Australian federal (in , , and ) and state/territory (in ) government websites. We leverage the Qualys SSL Labs tool [] and custom-built scripts to assess the extent to which Australian government institutions enable secure data transmission by adopting HTTPS for their websites. We also investigate the HTTPS server configuration of each website using state-of-the-art diagnostic tools, and give government websites a security score from to stars.
Besides, we shed light on additional issues in the resource loading [ ] of websites, including the inclusion of outdated, vulnerable JavaScript code and the presence of weak links in the chains of downloaded web resources.

Our analysis reveals that most (but not all) Australian government websites currently provide adequate security guarantees. More than % of the analysed websites adopt HTTPS, and almost % of the HTTPS-enabled websites provide strong or adequate security by adopting robust server configurations. Overall, we find that the security of Australian government websites has improved over the last few years: back in , only % of websites were HTTPS-enabled, and more than % of the analysed HTTPS servers presented insecure configurations.

Our security audit also reveals several gaps and pitfalls in the current security of Australian government websites. First, several federal government departments and state/territory governments are still far from full HTTPS adoption. For example, % of Tasmanian government websites and .% of (federal) Department of Health websites were still not HTTPS-enabled in August . Second, a non-negligible fraction of HTTPS-enabled websites (e.g., .% for the federal government) present insecure HTTPS server configurations, due to sub-optimal or weak cryptographic mechanisms, support for vulnerable protocols, or certificate trust issues. Such weaknesses may place client information at risk of being intercepted and obtained by a malicious agent, despite the use of HTTPS. Third, the majority of Australian government webpages embed vulnerable resources, especially outdated front-end JavaScript libraries with publicly known vulnerabilities, which could be exploited by attackers to inject malicious code into the webpages.

The rest of this document is organised as follows: Section provides background information on the HTTP and HTTPS protocols.
Section describes the analysed sets of Australian government websites and presents our analysis methodology. In Section , we evaluate the adoption of HTTPS in Australian government websites over the - period, for both federal and state/territory webpages. In Section , we investigate HTTPS servers’ configurations and provide a security score for Australian government websites. Lastly, Section presents additional vulnerabilities found in the analysed webpages, and Section

Footnote: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda//m--.pdf
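The third finding in the Introduction, and the "weak links in the chains of downloaded web resources" mentioned alongside it, come down to inspecting what a page pulls in from where. The following is an added example of such a resource-chain audit, not the authors' custom-built scripts: it parses a page, reports scripts and stylesheets served by third parties, flags resources fetched over plaintext HTTP into an HTTPS page, and flags script files whose filename reveals a library version below an assumed safe minimum. The page URL, hostnames, file names and the SAFE_MINIMUM thresholds are constructed placeholders; a real audit takes version thresholds from an advisory database such as Retire.js.

```python
"""Audit of the resources a webpage loads.

Added example, not the authors' scripts.  It flags three things: resources
pulled from third parties, resources fetched over plaintext HTTP into an HTTPS
page (a weak link in the resource chain), and script files whose filename
reveals a JavaScript library version below an assumed safe minimum.
SAFE_MINIMUM holds illustrative assumptions, not advisory data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Lowest library version treated as safe (assumption for illustration only).
SAFE_MINIMUM = {"jquery": (3, 5, 0), "jquery-ui": (1, 13, 0)}

# Matches e.g. "jquery-1.9.1.min.js" or "jquery-ui-1.10.4.js" in a URL path.
LIB_PATTERN = re.compile(r"(?P<name>jquery-ui|jquery)[-.](?P<ver>\d+(?:\.\d+)+)", re.I)


class ResourceCollector(HTMLParser):
    """Collects the URLs of external scripts and stylesheets in a page."""

    def __init__(self):
        super().__init__()
        self.resources = []  # (kind, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.resources.append(("script", a["src"]))
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or ""):
            self.resources.append(("stylesheet", a["href"]))


def parse_version(text):
    """'1.10.4' -> (1, 10, 4), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_page(page_url, html):
    """Return a list of (finding, detail, url) tuples for one page."""
    page = urlsplit(page_url)
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for kind, url in collector.resources:
        parts = urlsplit(url)
        # An HTTPS page that loads a script over HTTP lets an on-path attacker
        # replace that script, so the HTTPS guarantee is only as strong as the link.
        if page.scheme == "https" and parts.scheme == "http":
            findings.append(("mixed-content", kind, url))
        # Relative URLs have no netloc and are served by the page's own host.
        if parts.netloc and parts.netloc != page.netloc:
            findings.append(("third-party", kind, url))
        match = LIB_PATTERN.search(parts.path)
        if match:
            name = match.group("name").lower()
            version = parse_version(match.group("ver"))
            if version < SAFE_MINIMUM[name]:
                findings.append(("outdated-library", f"{name} {match.group('ver')}", url))
    return findings


# Constructed page: hostnames and files are placeholders, not real sites.
SAMPLE_PAGE_URL = "https://www.example.gov.au/"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <script src="https://cdn.example.com/jquery-1.9.1.min.js"></script>
  <script src="http://cdn.example.net/jquery-ui-1.10.4.min.js"></script>
  <script src="/static/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
```

Version strings are compared as integer tuples rather than as text, so that 1.10.4 correctly sorts above 1.9.1; a string comparison would get this backwards and hide exactly the outdated copies the audit is looking for. Versions that do not appear in the filename (for example a bare jquery.min.js) are not detected by this approach and need fingerprinting of the file contents instead.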