GC HTTPS Implementation Considerations
The following section describes various considerations related to implementation of the HTTPS everywhere standard for the GC.
- Threat Detection and Encrypted Traffic – GC Organizations are concerned about how they will manage threat detection as more and more traffic flows become encrypted with HTTPS. While HTTPS provides user transmissions with privacy and security, it also presents a challenge for security personnel who are charged with ensuring that malicious content does not enter a GC organization’s IT infrastructure and that sensitive information does not leave it. Compensating website controls provide services the security required to maintain operations and user trust.
- Certificates - The biggest weakness of the current PKI system is the fact that any CA can issue a certificate for any website in the world. Large organizations with a vast array of certificates are at higher risk of compromise as a result of malicious or accidental certificate issuance by a Certificate Authority (CA). Appendix A includes considerations for sourcing SSL certificates. Further guidance on the types of certificates and certificate authorities (CA) that should be used will be further developed in a GC Certificate Strategy paper.
- Mixed Content / Compatibility - When a website originally written for HTTP is moved to HTTPS, until fully migrated, resources (e.g., images, scripts, and videos) will continue to cause mixed content warnings while these resources are still being served over an insecure HTTP connection. There are a number of mixed content implementation strategies that can used to reduce the likelihood of warnings and errors and are outlined in Appendix B.
- Automation – Specialized tools will be required to scan thousands of websites and services in order to obtain ongoing HTTP and HTTPS analytics. In addition to analytics, automation will aid in streamlining administrative processes in the management of web certificates. It has become best practice to apply automation in certificate renewal, ensuring users’ continued secure access to the service, and lower overhead in the management of systems. Automation may require consideration for multiple tiers of certificates, as not all are simple renewals.
- Reconfiguring/Reprogramming APIs – APIs must be configured to use HTTPS in order to help guarantee the confidentiality, authenticity, and integrity of the information being transmitted. Appendix C outlines API migration considerations.
- HSTS Preloading – Under HSTS, a user’s browser must receive instructions (“Use HTTPS”) from a website, before their browser will seek to connect securely via HTTPS - often via an unsecure HTTP connection. In order to proactively address this problem, browsers now include a list of preloaded domains that get HSTS enabled automatically, even prior to the first visit. Preloading of domains should be a final step of HTTPS migration, following a full analysis of sub-domain compatibility. (See https://hstspreload.org/).
- Mobile Traffic - Mobile device usage accounts for a significant percentage of end user traffic. Older devices may not be able to support modern encryption, standards, or protocols. Guidance must be developed addressing changing standards for secure web services with respect to current and legacy mobile platforms.
- Trust in Online Services – A broad implementation of HTTPS across external-facing websites will provide Canadians with confidence that the GC is taking steps to build a secure and trust-worthy platform for common use and information collection. Increased trust will support increased interaction and uptake by citizens. Further, default behaviour for external browsers such as Google Chrome will include marking HTTP websites as NOT SECURE which can negatively impact Canadians perception of GC online services.
- Security Return on Investment (ROI) - Implementing HTTPS alone will not eliminate malicious activity; however, it will reduce the likelihood of it from occurring. Further, enabling HTTPS will mitigate vulnerabilities with Hypertext Transfer Protocol (HTTP) connections which can be easily monitored, modified, and impersonated.
- Stakeholder Education - There will be resistance to moving to an HTTPS-only environment. Stakeholders will need to be informed about the benefits of moving to an HTTPS-only environment.
- Testing - Organizations should minimize business risk by testing their migration plan by moving a representative sample of internal systems and services to HTTPS and HSTS before migrating all of their public-facing systems.
- Costs - Migrating GC websites to HTTPS may have an impact on activities, as resources are required to support implementation activities. Cost for certificates should also be taken into consideration as part of the GC Certificate Strategy.