HTTPS Speaking Points

What is HTTPS?

• The Hypertext Transfer Protocol (HTTP) is the foundation for data communication on the web. This protocol defines how messages are formatted and transmitted, and what actions web servers and browsers should take in response to various commands.
• Hypertext Transfer Protocol Secure (HTTPS) combines HTTP with a security layer to protect user connections to websites. HTTPS guarantees the protection of the connection between two systems. It will not protect the system itself from being hacked or its information from being breached.

Background

• In June 2018, TBS issued an Information Technology Policy Implementation Notice (ITPIN) on Implementing Hypertext Transfer Protocol Secure (HTTPS) for Secure Web Connections on all publicly accessible websites and web services. The original compliance deadline was September 30, 2019; however, the deadline was recently extended to December 31, 2019. The extended deadline has been communicated to departments.

Current Status

• TBS is tracking compliance and will soon launch the compliance dashboard publicly. The compliance dashboard has been available to departments to track their compliance since August 2018.

What Should Communications Teams do?

• Section 6.2.1 of the ITPIN states that newly developed websites and web services must adhere to the ITPIN upon launch. Therefore, communications teams should include this requirement as part of the web publication process to ensure that new websites and web services are not published using unsecure connections.
• Section 6.2.2 of the ITPIN states that websites and web services that involve an exchange of personal information or other sensitive information must receive priority and migrate as soon as possible. Therefore, communications teams should identify these websites and develop a schedule for immediate migration to HTTPS
• Section 6.2.3 of the ITPIN states that all remaining websites and web services must be accessible through a secure connection by December 31, 2019. Therefore, communications teams should ensure that existing sites are being migrated leading up to the compliance deadline. For example, communications teams could ensure that when new content is published to existing sites, HTTPS is implemented at the same time to avoid the risk of new content being released on unsecured websites.

How to Increase Compliance

• To assist departments in meeting the requirements in the Policy Implementation Notice, TBS has provided departments with the following implementation guidance documents and tools:
  • Project guidance
  • HTTPS Everywhere on GCcollab wiki including:
    • Implementation Guidance
    • Implementation Strategy
  • HTTPS Everywhere on GCconnex and GCcollab
    • Regular blog posts
  • HTTPS Everywhere on GCmessage
• TBS has been running bi-weekly workshops since January 2019 to share information and provide technical guidance. TBS will continue to run monthly workshops until December 2019. We encourage departments to send their staff.
• TBS is continuing to work one-on-one with departments and agencies to address challenges to improve overall compliance to the ITPIN. If departments are facing challenges, they should contact the TBS Cyber Security Division (zzTBScybers@tbs-sct.gc.ca).

What Departments Need to do to be Compliant

• Departments must validate the list of domains on the compliance dashboard,
  • Contact the TBS Cyber Security mailbox with changes, as required (zzTBScybers@tbs-sct.gc.ca)
• If the department is one of the 43 departments that are Shared Services Canada partners, the department should contact their account executive and service delivery manager to initiate planning and implementation of HTTPS.
• Public domains must be configured to redirect users immediately to an HTTPS connection, after which they may then be redirected to pages on subsequent domains (e.g. Canada.ca).
• Public domains must provide instructions for users’ browsers to only connect to the HTTPS domains (i.e. HTTP Strict Transport Security (HSTS) must be enabled).
• Public domains must disable known weak connection protocols and encryption ciphers, in accordance Communication Security Establishment guidance (ITSP.40.062 and ITSP.40.111).
• Public domains must use HTTPS certificates issued from a Certificate Authority (e.g. Entrust via SSC).