Difference between revisions of "GC HTTPS Everywhere/Communication Material"

Communication Plan

Regular and consistent communication across the diverse stakeholder community will be important in achieving HTTPS everywhere compliance within each GC organization. A clear communications strategy will also reduce the likelihood of stakeholder resistance to an HTTPS everywhere migration.

The following proposes the essential communications actions required for successful implementation of GC HTTPS:

1. Utilize both formal and informal communications channels as conduits for information flow.
2. Establish a brand to be used in project planning and execution, to provide a common anchor for communications and conversation with stakeholders, industry and citizens.
3. Establish clear communication channels throughout the GC for senior leadership as champions of the HTTPS everywhere initiative.
4. Develop technical guidance / briefing material in the form of an ITPIN for CIOs and IT teams across the GC outlining expectations and timelines.
5. Coordinate with service owners to establish media lines to announce the change to GC websites and services, informing citizens of the impact and future requirements.
6. Utilize GC Tools and public social media platforms to establish a forum for Q&A discussion with service and technology owners, and industry specialists.
7. Develop guidance / briefing material for business owners across the GC with respect to the importance of the changes and expected impact on their services.
8. Develop effective strategies to engage with remote teams across the GC (both governance and information sharing).

Q&A Scenarios

This material is provided as a starting point for discussions with business and technical partners depending on the scenario/context presented. If there are other areas that need to be covered, please contact TBS via the mailbox (below) or engage in the chat on GCmessage (#HTTPSEverywhere-HTTPSpartout).

My Site Is Only Accessible Internally

The HTTPS ITPIN is only applicable to externally focused public websites and web services. Your site is out of scope of this direction, however you are still recommended to consider implementing HTTPS.

Can I Still Serve My Site Over HTTP If I Also Have HTTPS?

No, all publicly available websites should only offer HTTPS connections by September 30, 2019. Any HTTP connections should be permanently redirected to the HTTPS website.

My Website Works Just Fine Over HTTP

Not anymore. As of July 2018, Google Chrome will begin alerting all HTTP connections as Not Secure, with other major browsers potentially following suit. This issue presents a new reputational risk to digital services.

No Forms or Information Collected

HTTPS protects more than just form data. HTTPS keeps the URLs, headers, and contents of all transferred pages confidential.

There is Nothing Sensitive on My Site

Cyberspace is borderless, and HTTP connections are simply a liability. Just as we have no control over detours on surface roads, we have no control over the route traffic will take through the internet.

This lack of control introduces opportunities to inject text, scripts, images, or ad content onto your page so that it looks like you put them there. HTTPS prevents this activity, and guarantees content integrity and the ability to detect tampering.

Additionally, if we encrypt only sensitive content, then we automatically paint a target on that content. Keep your secrets secret by encrypting everything.

HTTPS Is Going To Slow Down My Website – Encryption Is CPU Intensive

No it's not. Sites with modern servers load faster over HTTPS than over HTTP because of HTTP/2. Over 75% of the world’s websites are now HTTPS, including the largest banks, social media sites.

Latency metrics provided by them over time have proven that properly implemented HTTPS is faster than HTTP. https://istlsfastyet.com/

My Site Is HTTP, But Our Forms Are Submitted Over HTTPS

A site using HTTP is susceptible to interception and manipulation, meaning you lose control over the actions associated with the forms you present to your users, regardless of how they’re submitted.

Attackers are provided the chance to modify how/where the data is submitted, and there's no way to detect this because it happens over the wire with plain HTTP.

Encrypting your whole site with HTTPS from the start prevents this.

Certificates Are Expensive - I Don’t Have The Budget This Year.

They're free. (Let’s Encrypt)

I Don’t Have The Skillsets Or Resources To Support HTTPS

HTTPS doesn’t have to be complicated; many web servers such as Caddy are designed to be run natively with HTTPS as default now, and server configuration generators are available from organizations like Mozilla. Certificate management has been made exponentially easier with the introduction of automation for renewals.

My Site Can Still Be Impersonated, Even If I Use HTTPS

The dangers presented by impersonation online are greatly mitigated by the use of HTTPS and a properly issued certificate (one logged in certificate transparency (CT) logs, with a strong signature algorithm (at least SHA-256), from an authorized CA (CAA)).

As long as your server is secured, and your private key remains private, any mismatched certificate will be flagged by browsers as such, or invalid, resulting in a Not Secure alert to the user. Internal processes reviewing CT logs for mis-issued certs will catch illegitimate certificates.

Finally, if the impersonator doesn’t use HTTPS at all, browsers will alert the malicious site as insecure immediately.

Domain-Validated (DV) Certificates Aren't Secure

Domain Validated certificates offer the same technical security as Extended Validation (EV) certificates, and it has been shown increasingly that the promised value of EV certs has not been realized.

As long as you don’t lose control of your DNS entries or domain hosting, and choose a competent certificate authority, DV certs are perfectly acceptable. There is absolutely no difference in the cryptography in a DV certificate compared to that of an extended validation (EV) certificate.

What If A Certificate Authority Misissues A Cert For My Site?

The GC is working to establish governance around the issuance of certificates through the use of CAA records to restrict which CAs can issue certificates for website. Until that time, the system will rely on certificate transparency and oversight to manage the infrastructure.

Phishing Sites Use HTTPS

Yes, they do, but this isn’t a good reason not to use HTTPS.

Our Site Relies Heavily On 3rd Party Content Over HTTP

The inclusion of HTTP content from a 3rd party provider is a proven vector for attack, as you do not have control over the security of that content. Moving to HTTPS means any content included in your website should be from HTTPS-enabled sources, to avoid both mixed-content errors and the inherent vulnerabilities it presents.

As this may require renegotiation or termination of contracts with content providers, it is recommended to begin sooner rather than later, or convince your content providers to move to HTTPS as well.

HTTPS Impacts Search Engine Optimization

HTTPS improves SEO!

It is true that switching and redirecting site URLs incorrectly may impact your search rankings, but overall HTTPS has been taken into consideration to actually improve rankings.

Ensure you follow the guidance of the search engine you're optimizing for, and everything will be fine.

Adapted from: https://doesmysiteneedhttps.com/

Enquiries

Feel free to join the conversation on GCmessage (#HTTPSEverywhere-HTTPSpartout), or email your questions to TBS Cyber Security at ZZTBSCYBERS@tbs-sct.gc.ca.