https://wiki.gccollab.ca/index.php?action=history&feed=atom&title=GC_HTTPS_Compliance_ChecklistGC HTTPS Compliance Checklist - Revision history2026-04-29T19:14:39ZRevision history for this page on the wikiMediaWiki 1.35.2https://wiki.gccollab.ca/index.php?title=GC_HTTPS_Compliance_Checklist&diff=20636&oldid=prevGreggory.elton: /* Required Actions */2020-03-30T12:47:56Z<p><span dir="auto"><span class="autocomment">Required Actions</span></span></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 12:47, 30 March 2020</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l3" >Line 3:</td>
<td colspan="2" class="diff-lineno">Line 3:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Departments are required to:</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Departments are required to:</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>#Ensure implementation of HTTPS meets the secure connection standard: </div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>#Ensure implementation of HTTPS meets the secure connection standard: </div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>##All connection endpoints (servers, load balancers, proxies, etc) are configured to offer TLS 1.2 <del class="diffchange diffchange-inline">alone</del>; </div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>##All connection endpoints (servers, load balancers, proxies, etc) are configured to offer TLS 1.2 <ins class="diffchange diffchange-inline">or above</ins>; </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>##All web servers support HSTS; </div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>##All web servers support HSTS; </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>##Any remaining SHA-1 certificates are immediately replaced with SHA-256 certificates from a GC trusted Certificate Authority (CA);</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>##Any remaining SHA-1 certificates are immediately replaced with SHA-256 certificates from a GC trusted Certificate Authority (CA);</div></td></tr>
</table>Greggory.eltonhttps://wiki.gccollab.ca/index.php?title=GC_HTTPS_Compliance_Checklist&diff=8949&oldid=prevTim.allardyce: /* Required Actions */2019-04-08T14:16:40Z<p><span dir="auto"><span class="autocomment">Required Actions</span></span></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 14:16, 8 April 2019</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l11" >Line 11:</td>
<td colspan="2" class="diff-lineno">Line 11:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Newly developed websites and web services must adhere to this ITPIN upon launch. </div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Newly developed websites and web services must adhere to this ITPIN upon launch. </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Websites and web services that involve an exchange of personal information or other sensitive information must receive priority following a risk-based approach, and migrate as soon as possible. </div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Websites and web services that involve an exchange of personal information or other sensitive information must receive priority following a risk-based approach, and migrate as soon as possible. </div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># All remaining websites and web services must be accessible through a secure connection, as outlined in Section 6.1, by <del class="diffchange diffchange-inline">September 30</del>, 2019.</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># All remaining websites and web services must be accessible through a secure connection, as outlined in Section 6.1, by <ins class="diffchange diffchange-inline">December 31</ins>, 2019.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><br></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><br></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Departments should consider an HTTPS architecture that allows network security services to function, including web application firewalls (WAF) and network intrusion detection systems (NIDS), when traffic is encrypted. This will usually involve the placement of an SSL (TLS) offloading solution to decrypt HTTPS traffic, typically in the form of appliances or an onboard service on the existing appliances, in front of web servers; or the installation of software-based WAF or NIDS on the web servers where the traffic is decrypted for business processing. </div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Departments should consider an HTTPS architecture that allows network security services to function, including web application firewalls (WAF) and network intrusion detection systems (NIDS), when traffic is encrypted. This will usually involve the placement of an SSL (TLS) offloading solution to decrypt HTTPS traffic, typically in the form of appliances or an onboard service on the existing appliances, in front of web servers; or the installation of software-based WAF or NIDS on the web servers where the traffic is decrypted for business processing. </div></td></tr>
</table>Tim.allardycehttps://wiki.gccollab.ca/index.php?title=GC_HTTPS_Compliance_Checklist&diff=5712&oldid=prevTim.allardyce: Created page with " == Required Actions == Departments are required to: #Ensure implementation of HTTPS meets the secure connection standard: ##All connection endpoints (servers, load balancers..."2018-10-23T17:28:50Z<p>Created page with " == Required Actions == Departments are required to: #Ensure implementation of HTTPS meets the secure connection standard: ##All connection endpoints (servers, load balancers..."</p>
<p><b>New page</b></p><div><br />
== Required Actions ==<br />
Departments are required to:<br />
#Ensure implementation of HTTPS meets the secure connection standard: <br />
##All connection endpoints (servers, load balancers, proxies, etc) are configured to offer TLS 1.2 alone; <br />
##All web servers support HSTS; <br />
##Any remaining SHA-1 certificates are immediately replaced with SHA-256 certificates from a GC trusted Certificate Authority (CA);<br />
##SSLv2, SSLv3, TLS 1.0, and TLS 1.1 protocols are disabled on all connection endpoints (servers, load balancers, proxies, etc); <br />
##3DES and RC4 ciphers are disabled on all connection endpoints (servers, load balancers, proxies, etc); and<br />
##Any HTTP connections are automatically redirected to HTTPS, or disabled altogether.<br />
# Newly developed websites and web services must adhere to this ITPIN upon launch. <br />
# Websites and web services that involve an exchange of personal information or other sensitive information must receive priority following a risk-based approach, and migrate as soon as possible. <br />
# All remaining websites and web services must be accessible through a secure connection, as outlined in Section 6.1, by September 30, 2019.<br />
<br><br />
Departments should consider an HTTPS architecture that allows network security services to function, including web application firewalls (WAF) and network intrusion detection systems (NIDS), when traffic is encrypted. This will usually involve the placement of an SSL (TLS) offloading solution to decrypt HTTPS traffic, typically in the form of appliances or an onboard service on the existing appliances, in front of web servers; or the installation of software-based WAF or NIDS on the web servers where the traffic is decrypted for business processing. <br />
<br><br><br />
It is recommended that departments should assess any existing SSL offload solution for capacity when applicable, or that they use centrally provided services such as those from Shared Services Canada if they do not have a solution capable of HTTPS inspection to monitor the security of their websites.<br />
<br><br><br />
''Note:'' The use of HTTPS is encouraged on intranets, but not explicitly required.<br />
<br />
== TBS Actions == <br />
TBS will:<br />
* Collaborate with Communications Security Establishment (CSE), Shared Services Canada (SSC), and Canadian Digital Services (CDS) services for tracking and verifying progress; <br />
* Establish automated tools to support compliance monitoring to the ITPIN; and <br />
* Provide additional guidance through other engagements and products following the issuance of this ITPIN.</div>Tim.allardyce