HTTPS-Strategy

GC HTTPSEverywhere
ITPIN 2018-01 Implementation Strategy Implementation Guidance Communication Material

Overview

The Government of Canada (GC)’s Strategic Plan for Information Management (IM) and Information Technology (IT) 2017-2021 charts the path forward for IM/IT from a whole-of-government or “enterprise” perspective. The Plan details strategic areas of focus (Service, Manage, Secure, and Community) that specify actions and activities that are underway or that represent new enterprise directions. Secure involves, among other things, protective measures to enable the secure processing and sharing of data and information across government. This includes protecting Canadians and their online transactions while interacting with the government. Unencrypted connections to publicly-available GC websites and web services are vulnerable to manipulation, impersonation, and can expose sensitive user information.

To provide Canadians with the strongest privacy and integrity protection regardless of the sensitivity of the information being transmitted, TBS will establish a “Hypertext Transfer Protocol Secure (HTTPS) everywhere” standard that will require departments and agencies to use the HTTPS protocol for external web-based connections to their services. The HTTPS protocol, along with approved encryption algorithms, will ensure the secure transmission of data online and the delivery of secure web services.

Purpose

This document outlines the considerations and activities for an enterprise-wide implementation of the HTTPS everywhere standard within the GC that will support the provision of secure and reliable web services to Canadians.

Audience

This guide is primarily for business owners, web developers, IT and IT security practitioners who are involved in implementing externally-facing GC online services.

Strategy Framework

The following table provides an overview of the framework for this strategy.

Element Description
Expected Outcome / Vision
  • Protection of GC online services from manipulation, impersonation, and exposure of sensitive user information
  • Increase trust and confidence from Canadians when accessing GC online services
  • Consistent protection of the GC network through proportional application of web security controls
Implementation Scope
  • The “HTTPS everywhere” standard is required for all external-facing GC websites within all Departments and Agencies, including future implementation of HSTS.
  • All internal-facing GC websites should also enforce HTTPS/HSTS where possible.
Goals
  1. Deliver on expectations established in the GC IT Strategic Plan to provide safe and secure access to GC online services.
  2. Departments and Agencies are supported by Central Agencies and Service Providers throughout their HTTPS everywhere transition.
  3. All externally-focused GC services with a web-based delivery channel operate via secure (HTTPS) connection only.
  4. Clear and consistent messaging across all communication platforms to both internal and external stakeholders.
Considerations

Technical Considerations: Threat Detection and Encrypted Traffic; Certificate Monitoring; Mixed Content / Compatibility; Automation; Reconfiguring / Reprogramming APIs; HSTS Preloading; and Mobile Traffic.

Management Considerations: Trust in Online Services; Security Return on Investment (ROI); Stakeholder Education; Testing; Costs.

Implementation and Support Requirements Successful execution of this implementation strategy will require:
  • Commitment from Lead Security Agencies (LSA) and supporting IT practitioners and Subject Matter Experts in development of guidance documents in support of GC implementation efforts;
  • Mechanisms to provide access to, and effective configuration of infrastructure required to support the Departments’ and Agencies’ implementation of an HTTPS everywhere standard across all external GC websites;
  • Effective governance in the development of a GC Certificate Strategy to support HTTPS everywhere implementation;
  • Performance measurement and analytics tools to facilitate the tracking and reporting of progress across the GC, and ensure ongoing visibility of the initiative across the management and user community;
  • Automation mechanisms to ensure effective and streamlined administration / management of encryption certificates; and
  • Formal and informal communications channels to engage internal and external stakeholders.



Suggested Action Plan for ITPIN Compliance

The following action plan is presented as guidance for project teams undertaking the implementation of HTTPS for a Department or Agency:

1. Identify key resources required to act as central point(s) of contact with TBS and the HTTPS Community of Practice. Establish connections via the GCTools channels at:


2. Perform an inventory of all departmental domains and subdomains. Sources of information include:

  • Internally available HTTPS Dashboard (insert link when available)
  • TBS Application Portfolio Management (APM)
  • Departmental business units


3. Provide an up-to-date list of all domain and sub-domains of the publicly-accessible websites and web services to the following website: Submit your institution's domains.

4. Perform an assessment of the domains and sub-domains to determine the status of the configuration. Tools available to support this activity includes GC HTTPS Dashboard, SSL Labs, Hardenize, etc.

5. Develop a prioritized implementation schedule for each of the affected websites and web services, following the recommended prioritization approach in the ITPIN:

  • 6.2.1 Newly developed websites and web services must adhere to this ITPIN upon launch.
  • 6.2.2 Websites and web services that involve an exchange of personal information or other sensitive information must receive priority following a risk-based approach, and migrate as soon as possible.
  • 6.2.3 All remaining websites and web services must be accessible through a secure connection, as outlined in Section 6.1, by September 30, 2019.


6. Engage the departmental IT group for implementation as appropriate.

  • Where necessary adjust IT Plans and budget estimates for the FY where work is expected.
  • It is recommended that SSC partners contact their SSC Service Delivery Manager to discuss the departmental action plan and required steps to submit a request for change.


7. Based on the assessment, and using the guidance available on GCpedia, the following activities may be required:

  • Obtain certificates from a GC-approved certificate source as outlined in the Recommendations for TLS Server Certificates for GC Public Facing Web Services
  • Obtain the configuration guidance for the appropriate endpoints (e.g. web server, network/security appliances, etc.) and implement recommended configurations to support HTTPS.


8. Perform another assessment of the applicable domains and sub-domains to confirm that the configuration has been updated and that HTTPS is enforced in accordance with ITPIN 2018-01.

Implementation Considerations



Performance Measurement

Measurement of the HTTPS everywhere initiative implementation is essential to ensure program success and lasting security of both GC organizations’ and citizen’s online transactions. Performance of the GC in compliance with the HTTPS everywhere initiative expectations will be measured by the following Key Performance Indicators (KPI):

  • Percent of externally-facing GC websites offering HTTPS connections
  • Percent of externally-facing GC websites that support HTTP Strict Transport Security
  • Percent of externally-facing GC websites that prefer strong symmetric cipher suites (128 bits+)
  • Percent of externally-facing GC websites that prefer the use of ephemeral keys (PFS)

While not mandatory, the following measurement can be applied to internal websites:

  • Percent of internally-facing GC websites and web services offering HTTPS connections

Compliance Monitoring

To monitor compliance to the standard and to measure the KPIs outlined above, the GC will monitor all of its domains for HTTPS support and also monitor how well each domain aligns with HTTPS best practices. The use of public-facing dashboards can help to promote transparency, and identify how well GC organizations are complying with the HTTPS everywhere mandate, in addition to establishing useful alerting and reporting capabilities. The US Government has adopted a similar approach with a publicly accessible dashboard at https://pulse.cio.gov/ [6].

Furthermore, providing tools to assess website configuration (and vulnerabilities), will help to ensure that GC departments and agencies maintain the security posture of their websites. Examples of implementations include the UK Government’s “WebCheck” [7]. Free tools such as Hardenize’s [8] have also been used by other governments like Sweden which makes its dashboard open to the public.

This scanning service should help departments and agencies in meeting their obligations to ensure that:

  • Data is protected both in transit and when presented in the user's web browser;
  • Web site is well engineered and modern technologies are in use to protect it, such as HTTP Strict Transport Security (HSTS) and a Content Security Policy (CSP);
  • Records of all certificates in use are maintained in a central inventory, providing access to Certificate Transparency data and clear attribution of chain certificates; and
  • Servers and their software are patched.

The use of continuous, distributed security analytics and infrastructure monitoring will support advanced awareness and automation, thus improving security of both the network and its users.

Enquiries

Email your questions to TBS Cyber Security at ZZTBSCYBERS@tbs-sct.gc.ca.