GC HTTPS Compliance Checklist
Required Actions
Departments are required to:
- Ensure implementation of HTTPS meets the secure connection standard:
- All connection endpoints (servers, load balancers, proxies, etc) are configured to offer TLS 1.2 alone;
- All web servers support HSTS;
- Any remaining SHA-1 certificates are immediately replaced with SHA-256 certificates from a GC trusted Certificate Authority (CA);
- SSLv2, SSLv3, TLS 1.0, and TLS 1.1 protocols are disabled on all connection endpoints (servers, load balancers, proxies, etc);
- 3DES and RC4 ciphers are disabled on all connection endpoints (servers, load balancers, proxies, etc); and
- Any HTTP connections are automatically redirected to HTTPS, or disabled altogether.
- Newly developed websites and web services must adhere to this ITPIN upon launch.
- Websites and web services that involve an exchange of personal information or other sensitive information must receive priority following a risk-based approach, and migrate as soon as possible.
- All remaining websites and web services must be accessible through a secure connection, as outlined in Section 6.1, by December 31, 2019.
Departments should consider an HTTPS architecture that allows network security services to function, including web application firewalls (WAF) and network intrusion detection systems (NIDS), when traffic is encrypted. This will usually involve the placement of an SSL (TLS) offloading solution to decrypt HTTPS traffic, typically in the form of appliances or an onboard service on the existing appliances, in front of web servers; or the installation of software-based WAF or NIDS on the web servers where the traffic is decrypted for business processing.
It is recommended that departments should assess any existing SSL offload solution for capacity when applicable, or that they use centrally provided services such as those from Shared Services Canada if they do not have a solution capable of HTTPS inspection to monitor the security of their websites.
Note: The use of HTTPS is encouraged on intranets, but not explicitly required.
TBS Actions
TBS will:
- Collaborate with Communications Security Establishment (CSE), Shared Services Canada (SSC), and Canadian Digital Services (CDS) services for tracking and verifying progress;
- Establish automated tools to support compliance monitoring to the ITPIN; and
- Provide additional guidance through other engagements and products following the issuance of this ITPIN.