The Dutch Minister of Home Affairs is satisfied with security on the Dutch government’s websites, he said in response to parliamentary questions. The questions followed the launch of the Dutch version of Pulse and the first test that showed that over half of the government sites don’t use secure connections.
With Pulse a total of 1,816 government sites were tested on the use of HTTPS. It found that over half of them don’t make use of the standard HTTPS secure connection.
Confusion
In response to parliamentary questions, the Minister said that many Dutch government websites only provide information and do not ask for personal details. Although the minister acknowledged that the security of government websites is important he did not find it necessary to make an HTTPS-only standard obligatory, even though it would eliminate inconsistent, subjective determinations across governments regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide.
Government domains
The Dutch Minister of Home Affairs replied to the questions by noting that the government tests every six months some 152 government websites with another testtool, even though Open State Foundation tested a total of 1,816 domainnames, using domainnames from the government’s own Website domain register, an open dataset with domainnames of common arrangements and the list of municipal domainnames of the Dutch Association of Municipalities.
Agreements
Earlier in 2016 in national meetings about the Dutch Digital Government it was agreed that HTTPS would only be necessary on sites where ‘sensitive’ information such as personal or financial information is exchanged. Government sites that do so need to implement TLS and HTTPS before the end of 2017.
HTTPS verifies the identity of a website or web service for a connecting client, and encrypts nearly all information sent between the website or service and the user. When properly configured, HTTPS can provide a fast, secure connection that offers the level of privacy and reliability that users should expect from government web services.
Open State Foundation prefers the government to adopt a HTTPS-only standard. Every unencrypted HTTP request reveals information about a user’s behavior. This year, Open State Foundation will periodically test government sites on HTTPS implementation and configuration using Pulse.
Update: on January 18th 2017 minister Ronald Plasterk announced that he wants government websites to be required to use a secure connection.