The Government of Canada (GC)’s Strategic Plan for Information Management (IM) and Information Technology (IT) 2017-2021 charts the path forward for IM/IT from a whole-of-government or “enterprise” perspective. The Plan details strategic areas of focus (Service, Manage, Secure, and Community) that specify actions and activities that are underway or that represent new enterprise directions. Secure involves, among other things, protective measures to enable the secure processing and sharing of data and information across government. This includes protecting Canadians and their online transactions while interacting with the government. Unencrypted connections to publicly-available GC websites and web services are vulnerable to manipulation and impersonation, and can expose sensitive user information.
To provide Canadians with the strongest privacy and integrity protection regardless of the sensitivity of the information being transmitted, TBS will establish a “Hypertext Transfer Protocol Secure (HTTPS) everywhere” standard that will require departments and agencies to use the HTTPS protocol for external web-based connections to their services. The HTTPS protocol, along with approved encryption algorithms, will ensure the secure transmission of data online and the delivery of secure web services.
This document outlines the considerations and activities for an enterprise-wide implementation of the HTTPS everywhere standard within the GC that will support the provision of secure and reliable web services to Canadians.
This guide is primarily for business owners, web developers, IT and IT security practitioners who are involved in implementing externally-facing GC online services.
The following table provides an overview of the framework for this strategy.
Expected Outcome / Vision
- Protection of GC online services from manipulation, impersonation, and exposure of sensitive user information
- Increase trust and confidence from Canadians when accessing GC online services
- Consistent protection of the GC network through proportional application of web security controls
- The “HTTPS everywhere” standard is required for all external-facing GC websites within all Departments and Agencies, including future implementation of HSTS.
- All internal-facing GC websites should also enforce HTTPS/HSTS where possible.
- Deliver on expectations established in the GC IT Strategic Plan to provide safe and secure access to GC online services.
- Departments and Agencies are supported by Central Agencies and Service Providers throughout their HTTPS everywhere transition.
- All externally-focused GC services with a web-based delivery channel operate via secure (HTTPS) connection only.
- Clear and consistent messaging across all communication platforms to both internal and external stakeholders.
Technical Considerations: Threat Detection and Encrypted Traffic; Certificate Monitoring; Mixed Content / Compatibility; Automation; Reconfiguring / Reprogramming APIs; HSTS Preloading; and Mobile Traffic.
Management Considerations: Trust in Online Services; Security Return on Investment (ROI); Stakeholder Education; Testing; Costs.
Implementation and Support Requirements
Successful execution of this implementation strategy will require:
- Commitment from Lead Security Agencies (LSA) and supporting IT practitioners and Subject Matter Experts in development of guidance documents in support of GC implementation efforts;
- Mechanisms to provide access to, and effective configuration of infrastructure required to support the Departments’ and Agencies’ implementation of an HTTPS everywhere standard across all external GC websites;
- Effective governance in the development of a GC Certificate Strategy to support HTTPS everywhere implementation;
- Performance measurement and analytics tools to facilitate the tracking and reporting of progress across the GC, and ensure ongoing visibility of the initiative across the management and user community;
- Automation mechanisms to ensure effective and streamlined administration / management of encryption certificates; and
- Formal and informal communications channels to engage internal and external stakeholders.
Suggested Action Plan for ITPIN Compliance
The following action plan is presented as guidance for project teams undertaking the implementation of HTTPS for a Department or Agency:
1. Identify key resources required to act as central point(s) of contact with TBS and the HTTPS Community of Practice. Establish connections via the GCTools channels at:
2. Perform an inventory of all departmental domains and subdomains. Sources of information include:
- Internally available HTTPS Dashboard (insert link when available)
- TBS Application Portfolio Management (APM)
- Departmental business units
3. Provide an up-to-date list of all domain and sub-domains of the publicly-accessible websites and web services to the following website: Submit your institution's domains.
4. Perform an assessment of the domains and sub-domains to determine the status of the configuration. Tools available to support this activity include GC HTTPS Dashboard, SSL Labs, Hardenize, etc.
5. Develop a prioritized implementation schedule for each of the affected websites and web services, following the recommended prioritization approach in the ITPIN:
- 6.2.1 Newly developed websites and web services must adhere to this ITPIN upon launch.
- 6.2.2 Websites and web services that involve an exchange of personal information or other sensitive information must receive priority following a risk-based approach, and migrate as soon as possible.
- 6.2.3 All remaining websites and web services must be accessible through a secure connection, as outlined in Section 6.1, by September 30, 2019.
6. Engage the departmental IT group for implementation as appropriate.
- Where necessary adjust IT Plans and budget estimates for the FY where work is expected.
- It is recommended that SSC partners contact their SSC Service Delivery Manager to discuss the departmental action plan and required steps to submit a request for change.
7. Based on the assessment, and using the guidance available on GCpedia, the following activities may be required:
- Obtain certificates from a GC-approved certificate source as outlined in the Recommendations for TLS Server Certificates for GC Public Facing Web Services
- Obtain the configuration guidance for the appropriate endpoints (e.g. web server, network/security appliances, etc.) and implement recommended configurations to support HTTPS.
8. Perform another assessment of the applicable domains and sub-domains to confirm that the configuration has been updated and that HTTPS is enforced in accordance with ITPIN 2018-01.
The following section describes various considerations related to implementation of the HTTPS everywhere standard for the GC.
- Threat Detection and Encrypted Traffic – GC Organizations are concerned about how they will manage threat detection as more and more traffic flows become encrypted with HTTPS. While HTTPS provides user transmissions with privacy and security, it also presents a challenge for security personnel who are charged with ensuring that malicious content does not enter a GC organization’s IT infrastructure and that sensitive information does not leave it. Compensating website controls provide services the security required to maintain operations and user trust.
- Certificates - The biggest weakness of the current PKI system is the fact that any CA can issue a certificate for any website in the world. Large organizations with a vast array of certificates are at higher risk of compromise as a result of malicious or accidental certificate issuance by a Certificate Authority (CA). Appendix A includes considerations for sourcing SSL certificates. Further guidance on the types of certificates and certificate authorities (CAs) that should be used will be developed in a GC Certificate Strategy paper.
- Mixed Content / Compatibility - When a website originally written for HTTP is moved to HTTPS, resources (e.g., images, scripts, and videos) that are still served over an insecure HTTP connection will continue to cause mixed content warnings until the site is fully migrated. There are a number of mixed content implementation strategies that can be used to reduce the likelihood of warnings and errors; they are outlined in Appendix B.
- Automation – Specialized tools will be required to scan thousands of websites and services in order to obtain ongoing HTTP and HTTPS analytics. In addition to analytics, automation will aid in streamlining administrative processes in the management of web certificates. It has become best practice to apply automation in certificate renewal, ensuring users’ continued secure access to the service, and lower overhead in the management of systems. Automation may require consideration for multiple tiers of certificates, as not all are simple renewals.
- Reconfiguring/Reprogramming APIs – APIs must be configured to use HTTPS in order to help guarantee the confidentiality, authenticity, and integrity of the information being transmitted. Appendix C outlines API migration considerations.
- HSTS Preloading – Under HSTS, a user’s browser must first receive instructions (“Use HTTPS”) from a website before it will insist on connecting securely via HTTPS, and that first contact is often made over an unsecure HTTP connection. In order to proactively address this problem, browsers now include a list of preloaded domains that get HSTS enabled automatically, even prior to the first visit. Preloading of domains should be a final step of HTTPS migration, following a full analysis of sub-domain compatibility. (See https://hstspreload.org/).
- Mobile Traffic - Mobile device usage accounts for a significant percentage of end user traffic. Older devices may not be able to support modern encryption, standards, or protocols. Guidance must be developed addressing changing standards for secure web services with respect to current and legacy mobile platforms.
- Trust in Online Services – A broad implementation of HTTPS across external-facing websites will provide Canadians with confidence that the GC is taking steps to build a secure and trustworthy platform for common use and information collection. Increased trust will support increased interaction and uptake by citizens. Further, default behaviour for external browsers such as Google Chrome will include marking HTTP websites as NOT SECURE, which can negatively impact Canadians’ perception of GC online services.
- Security Return on Investment (ROI) - Implementing HTTPS alone will not eliminate malicious activity; however, it will reduce the likelihood of it occurring. Further, enabling HTTPS will mitigate vulnerabilities with Hypertext Transfer Protocol (HTTP) connections, which can be easily monitored, modified, and impersonated.
- Stakeholder Education - There will be resistance to moving to an HTTPS-only environment. Stakeholders will need to be informed about the benefits of moving to an HTTPS-only environment.
- Testing - Organizations should minimize business risk by testing their migration plan by moving a representative sample of internal systems and services to HTTPS and HSTS before migrating all of their public-facing systems.
- Costs - Migrating GC websites to HTTPS may have an impact on activities, as resources are required to support implementation activities. Cost for certificates should also be taken into consideration as part of the GC Certificate Strategy.
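The header side of the HSTS Preloading consideration above, as an added example that is not part of the original guidance: it parses a Strict-Transport-Security value per RFC 6797 and lists what still blocks preload submission under the hstspreload.org header requirements (max-age of at least one year, includeSubDomains, preload). The function names and sample header values are constructed for illustration; certificate validity, redirects and sub-domain coverage still have to be assessed separately.

```python
# Added example: HSTS header parsing and preload-readiness check (header only).
PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds, the hstspreload.org minimum

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value; return None if it is invalid."""
    directives = {}
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue                         # tolerate empty parts such as a trailing ';'
        if name in directives:
            return None                      # RFC 6797: a directive may appear only once
        directives[name] = value.strip().strip('"') if sep else None
    max_age = directives.get("max-age")      # max-age is the only required directive
    if max_age is None or not (max_age.isascii() and max_age.isdigit()):
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def preload_gaps(header_value):
    """Return the reasons a header is not preload-ready (empty list = ready)."""
    policy = parse_hsts(header_value) if header_value else None
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    gaps = []
    if policy["max_age"] == 0:
        gaps.append("max-age=0 tells browsers to forget the policy")
    elif policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        gaps.append("max-age below one year")
    if not policy["include_subdomains"]:
        gaps.append("includeSubDomains missing")
    if not policy["preload"]:
        gaps.append("preload missing")
    return gaps

# Constructed sample headers keyed by placeholder domains (not real GC data).
SAMPLES = {
    "a.example": "max-age=63072000; includeSubDomains; preload",
    "b.example": "max-age=300",
    "c.example": "max-age=31536000; max-age=0",
    "d.example": None,
}

def readiness_report(samples):
    return {domain: preload_gaps(value) for domain, value in samples.items()}
```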
Measurement of the HTTPS everywhere initiative implementation is essential to ensure program success and lasting security of both GC organizations’ and citizens’ online transactions. Performance of the GC in compliance with the HTTPS everywhere initiative expectations will be measured by the following Key Performance Indicators (KPI):
- Percent of externally-facing GC websites offering HTTPS connections
- Percent of externally-facing GC websites that support HTTP Strict Transport Security
- Percent of externally-facing GC websites that prefer strong symmetric cipher suites (128 bits+)
- Percent of externally-facing GC websites that prefer the use of ephemeral keys (PFS)
While not mandatory, the following measurement can be applied to internal websites:
- Percent of internally-facing GC websites and web services offering HTTPS connections
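One way to compute the four external KPIs from per-domain scan results, as an added example that is not the GC dashboard's own code. It assumes each record carries the negotiated suite in the 3-tuple shape returned by Python's `ssl.SSLSocket.cipher()`, and that one handshake from a modern client stands in for the server's preference; the records and field names are constructed.

```python
import re

# Constructed scan results (not real GC data). "cipher" follows the shape of
# ssl.SSLSocket.cipher(): (suite name, protocol version, secret bits).
SCANS = [
    {"domain": "a.example", "https": True,
     "hsts": "max-age=31536000; includeSubDomains",
     "cipher": ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256)},
    {"domain": "b.example", "https": True, "hsts": None,
     "cipher": ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)},
    {"domain": "c.example", "https": True, "hsts": "max-age=0",
     "cipher": ("AES256-SHA", "TLSv1.0", 256)},   # static RSA key exchange
    {"domain": "d.example", "https": False, "hsts": None, "cipher": None},
]

def has_hsts(rec):
    # HSTS only counts over HTTPS and with a positive max-age (max-age=0 disables it).
    return bool(rec["https"] and rec["hsts"]
                and re.search(r'max-age="?0*[1-9]', rec["hsts"], re.I))

def strong_cipher(rec):
    # KPI threshold from the list above: symmetric strength of 128 bits or more.
    return bool(rec["https"] and rec["cipher"] and rec["cipher"][2] >= 128)

def uses_pfs(rec):
    if not (rec["https"] and rec["cipher"]):
        return False
    name, protocol, _bits = rec["cipher"]
    # TLS 1.3 certificate handshakes always use ephemeral (EC)DHE; earlier
    # versions expose the key exchange as an OpenSSL suite-name prefix.
    return protocol == "TLSv1.3" or name.startswith(("ECDHE-", "DHE-"))

def kpis(scans):
    """Percent of all scanned sites meeting each KPI, rounded to one decimal."""
    checks = {"https": lambda r: bool(r["https"]), "hsts": has_hsts,
              "strong_cipher": strong_cipher, "pfs": uses_pfs}
    total = len(scans)
    return {k: round(100 * sum(f(r) for r in scans) / total, 1) if total else 0.0
            for k, f in checks.items()}
```

The denominator is every scanned site, following the KPI wording, so a site without HTTPS lowers all four percentages.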
To monitor compliance with the standard and to measure the KPIs outlined above, the GC will monitor all of its domains for HTTPS support and also monitor how well each domain aligns with HTTPS best practices. The use of public-facing dashboards can help to promote transparency, and identify how well GC organizations are complying with the HTTPS everywhere mandate, in addition to establishing useful alerting and reporting capabilities. The US Government has adopted a similar approach with a publicly accessible dashboard at https://pulse.cio.gov/.
Furthermore, providing tools to assess website configuration (and vulnerabilities) will help to ensure that GC departments and agencies maintain the security posture of their websites. Examples of implementations include the UK Government’s “WebCheck”. Free tools such as Hardenize’s have also been used by other governments like Sweden, which makes its dashboard open to the public.
This scanning service should help departments and agencies in meeting their obligations to ensure that:
- Data is protected both in transit and when presented in the user's web browser;
- The website is well engineered and modern technologies are in use to protect it, such as HTTP Strict Transport Security (HSTS) and a Content Security Policy (CSP);
- Records of all certificates in use are maintained in a central inventory, providing access to Certificate Transparency data and clear attribution of chain certificates; and
- Servers and their software are patched.
The use of continuous, distributed security analytics and infrastructure monitoring will support advanced awareness and automation, thus improving security of both the network and its users.
Email your questions to TBS Cyber Security at ZZTBSCYBERS@tbs-sct.gc.ca.