Although the number of Dutch government websites with HTTPS connection increased this quarter by 18%, half of all government websites do not support HTTPS. This shows a new measure done by Open State Foundation with Pulse.
Of the 1,843 investigated domains 52% now supports HTTPS which ensures that the web site traffic is encrypted. In December 2016, only 44% of a total of 1,816 Dutch government domains supported HTTPS. Of the 961 government sites with HTTPS connection now, 90 domains are not configured correctly. This means that visitors are still at risk in 53% of all government sites. For instance, although the websites of the municipalities of Delft, Sluis, Oegstgeest, Purmerend, Rijswijk, Schouwen-Duiveland and Vlaardingen support HTTPS, it is not configured correctly. In December, last year were the 796 government sites with an HTTPS connection 108 websites not configured correctly.
Late 2016, Open State Foundation launched the online dashboard Pulse (pulse.openstate.eu) that allows users to see if a Dutch government website supports a secure HTTPS connection and how strong their implementation is. Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. It means all communications between your browser and the website are encrypted. Additionally, HTTPS verifies the integrity of the information so that adjustment of the data exchanged is not possible and it is made sure by checking the identity of the server that the website the website is the right website and website visitors are not diverted to another website.
Growth with water boards, municipalities and provinces
The increase in the number of government websites with HTTPS connection is especially visible in the water boards’ websites (from 40.9% in December to 76.1% in March), provinces (from 7 to 10 out of 12 provinces) and municipalities (of 59% to 72%). The percentage of government websites with HTTPS connection of ministries increased from (54.9% to 60.9%).
What is striking is that although the websites of several Dutch embassies have now an HTTPS connection, it is not enforced and HSTS is off. That is certainly the case with the websites of the Embassy of Afghanistan, China, Egypt and Sudan. The Dutch embassy in Saudi Arabia website has a secure connection except the HTTPS takes visitors back to an unsecure HTTP site.
In January, Minister of Interior Ronald Plasterk said that he wants to establish a legal obligation to use HTTPS for all government sites. In response to questions from the Dutch parliament he had previously said that he believed the security of Dutch government websites was sufficient. Security experts say, however, that it is always better to use HTTPS even if no personal information is transmitted.
“Enforcing HTTPS is an important standard for government websites,” says Arjan El Fassed, director of Open State Foundation that pursues digital transparency. “With Pulse, we have shown that with a simple dashboard using open data we can bring governments to change their policies and take internet security seriously.”
After the Dutch Tax Authority did its own research after Open State Foundation’s launch of Pulse, it announced that it has made all its publication flows, tens of thousands of webpages, secure. However, with Pulse we can see that the Tax Authority forgot the website of the Tax Department / Caribbean Netherlands forgetting website.
The Dutch Standardisation Forum recently finalised an advice in response to Pulse and the increasing call to support HTTPS for all government sites. HTTPS and HSTS are on the list of the standards with status “recommended” but now the Forum recommends to move the standards recommended for ‘mandatory’.