HTTPS Speaking Points

From wiki
Revision as of 10:22, 18 July 2019 by Tim.allardyce (talk | contribs) (Created page with "==Speaking Points for Implementing HTTPS== ===What is HTTPS?=== * The Hypertext Transfer Protocol (HTTP) is the foundation for data communication on the web. This protocol de...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Speaking Points for Implementing HTTPS

What is HTTPS?

  • The Hypertext Transfer Protocol (HTTP) is the foundation for data communication on the web. This protocol defines how messages are formatted and transmitted, and what actions web servers and browsers should take in response to various commands.
  • Hypertext Transfer Protocol Secure (HTTPS) combines HTTP with a security layer to protect user connections to websites. HTTPS guarantees the protection of the connection between two systems. It will not protect the system itself from being hacked or its information from being breached.

Background

Current Status

  • TBS is tracking compliance and will soon launch the compliance dashboard publicly. The compliance dashboard has been available to departments to track their compliance since August 2018.
  • Compliance rates remain low (24%) due to a number of factors including an outdated list of GC domains. TBS sent an email communique to all departments in January 2019 requesting departments validate their domain names; only 61% of departments have confirmed validation, which means that the remaining 39% of departments may have inaccurate data in the dashboard. It is important that all departments and agencies validate their domain list. Please see Annex A for a list of departments that have not validated their domain names.

What Should Communications Teams do?

  • Section 6.2.1 of the ITPIN states that newly developed websites and web services must adhere to the ITPIN upon launch. Therefore, communications teams should include this requirement as part of the web publication process to ensure that new websites and web services are not published using unsecure connections.
  • Section 6.2.2 of the ITPIN states that websites and web services that involve an exchange of personal information or other sensitive information must receive priority and migrate as soon as possible. Therefore, communications teams should identify these websites and develop a schedule for immediate migration to HTTPS
  • Section 6.2.3 of the ITPIN states that all remaining websites and web services must be accessible through a secure connection by December 31, 2019. Therefore, communications teams should ensure that existing sites are being migrated leading up to the compliance deadline. For example, communications teams could ensure that when new content is published to existing sites, HTTPS is implemented at the same time to avoid the risk of new content being released on unsecured websites.

How to Increase Compliance

What Departments Need to do to be Compliant

  • Departments must validate the list of domains on the compliance dashboard,
  • If the department is one of the 43 departments that are Shared Services Canada partners, the department should contact their account executive and service delivery manager to initiate planning and implementation of HTTPS.
  • Public domains must be configured to redirect users immediately to an HTTPS connection, after which they may then be redirected to pages on subsequent domains (e.g. Canada.ca).
  • Public domains must provide instructions for users’ browsers to only connect to the HTTPS domains (i.e. HTTP Strict Transport Security (HSTS) must be enabled).
  • Public domains must disable known weak connection protocols and encryption ciphers, in accordance Communication Security Establishment guidance (ITSP.40.062 and ITSP.40.111).
  • Public domains must use HTTPS certificates issued from a Certificate Authority (e.g. Entrust via SSC).