Google Chrome, the most widely used Internet browser, has officially started warning users that unencrypted Web pages are “not secure.” Among those “not secure,” as of Aug. 9: The front pages of the official government websites for 14 states and four of the nation’s 10 most populous cities.
Encryption — most easily represented with an “HTTPS” rather than “HTTP” in front of a site’s Web address — is the practice of encoding data traveling between a website and its visitor so that any third parties who are able to peek into the data don’t know what’s happening. With encryption, users can reasonably expect that their connection is private. Without it, bad actors can do things like steal information and change a Web page’s content without the user realizing it.
It has become more or less the standard for the Internet. According to Google, 93 percent of Web traffic on Chrome takes place on encrypted pages. The tech giant started labeling non-HTTPS pages as “not secure” to push laggards toward encryption.
“Historically, that’s when you would encrypt websites … when there was sensitive information like payment card data,” said Andrew Hanks, Montana’s chief information security officer. “Back a decade ago, it was expensive to encrypt, to get the certificates to work. Now that’s not the case and encryption is the standard.”
Google’s tactic appears to be working. The number of government websites without encryption on the front page has actually been dropping somewhat quickly. Since the last time Government Technology checked in on this subject in March, 15 states — Arkansas, Connecticut, Indiana, Kansas, Kentucky, Maine, Michigan, Montana, New Jersey, New York, Oregon, Rhode Island, South Carolina, Washington and Wisconsin — have all encrypted their front pages. Two of the 10 biggest cities — New York City and San Antonio — have done the same.
Several IT officials in state government pointed to Google as a force driving the move toward encryption. A common concern is the worry, or even confusion, that the “not secure” message might cause for a citizen visiting their government’s website.
“We certainly don’t want to alarm anybody,” said Audrey Hinman, chief of Montana’s Application Technology Services Bureau. “We were going to encrypt anyway but the timing of it definitely was focused on Google’s announcement.”
The states with unencrypted front pages are represented in a map above. The major cities lacking front-page encryption are Houston, Philadelphia, Dallas and San Jose — although a message on the Philadelphia front page says it will move to a new website “this summer.”
It’s actually not the case that all of these websites lack encryption completely. Most, if not all, have encryption on pages that handle sensitive information such as credit card payments or home addresses. Many of the front pages have encryption too — but users have to take the time to type out “HTTPS://” before the site address in order to access it. If they type in the address without that, they will be taken to an unencrypted page.
Trust with citizens is important for government IT shops. Government websites these days handle licensing and permitting, take property tax payments and give people election night voting totals.
“In addition to stopping malicious hacking attempts, encryption helps assure users that they’re on a trusted site,” wrote John Dipko, communications director for Wisconsin’s Department of Administration, in an email. “Because some search engines and all browsers visually discourage visits to untrusted sites by displaying that to the user, using SSL [Secure Sockets Layer, a standard way to secure data in transit] helps maintain traffic to our Web properties and boosts our search result rankings compared to untrusted sites.”
Jim Flynn, director of information security for the company CivicPlus — which provides Web services to governments, including website setup — said that citizens might get confused in situations where some pages on a government website are encrypted and others aren’t. Worse, those websites might be undermining their own protection of user data, because they’re giving attackers the ability to access cookies related to a user’s activities on a non-encrypted portion of the website.
“If there’s any sensitive information stored in the cookie and that information is not secured over HTTPS, that could be exposed to man-in-the-middle attacks,” he said.
Since there are thousands and thousands of local governments in the U.S., it would be difficult for any individual organization to get a good idea of how many of them have encrypted websites. But CivicPlus, which has deployed more than 3,000 websites on its CivicEngage platform, can come up with a sampling.
About a year ago, Flynn said, about 15 percent of CivicEngage sites had an SSL certificate. Only 1 percent had HTTPS by default — that is, users were automatically sent to encrypted pages sitewide.
CivicPlus undertook a campaign to drive that number up, acquiring certificates for its websites and streamlining the testing process inherent in migrating to HTTPS. Today, Flynn said, all CivicEngage sites have a certificate and 20 percent are HTTPS by default.
He expects that number to increase as awareness about encryption spreads.
“We’ve seen a major spike, an increase in this,” Flynn said. “It’s a very positive thing. We’ve seen a major spike since May, we’ve seen 300 sites migrate to HTTPS by default.”
One of the larger obstacles in the way of Web page encryption appears to be “mixed content” — that is, content on the page that is loaded through an unencrypted path. A common example would be a picture. According to Flynn, mixed content can either cause the browser to mark the page as unencrypted or could even cause the page to fail to load.
Much of the time government IT shops spend migrating sites to HTTPS goes to running tests to find mixed content. Flynn attributes much of CivicPlus’ success transferring customers to encryption to the company’s streamlining of that process.
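The kind of mixed-content test described above can be sketched as a short script; this is an added example, not CivicPlus’ tooling or code from the article. It goes slightly beyond the text by sorting findings into the passive/active split browsers apply, which matches the two outcomes Flynn describes; the `city.example` hostnames and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Passive content (images, media) usually loads but costs the page its secure
# indicator; active content (scripts, frames, stylesheets) is blocked outright.
PASSIVE = {"img", "audio", "video", "source"}
ACTIVE = {"script", "iframe", "link", "object", "embed"}
URL_ATTR = {"link": "href", "object": "data"}  # every other tag uses src

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        if tag not in PASSIVE | ACTIVE:
            return  # plain <a> links are navigations, not subresources
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are treated as subresources here
        raw = attrs.get(URL_ATTR.get(tag, "src"))
        if not raw:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        url = urljoin(self.page_url, raw.strip())
        if urlparse(url).scheme == "http":
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page, not taken from any real government site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.city.example/site.css">
<script src="//cdn.city.example/app.js"></script>
</head><body>
<img src="http://images.city.example/seal.png">
<img src="/img/banner.png">
<a href="http://www.city.example/old">old page</a>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://www.city.example/", SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Only the stylesheet and the first image are reported: the protocol-relative script and the relative image inherit HTTPS from the page, and the old-page link is a navigation rather than content loaded into the page.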
Chris Rein, New Jersey’s new CTO, said the problem with mixed content can be especially common in governments like his, where agencies have historically been responsible for their own websites, as opposed to a central authority handling them.
“You may have heard the cliché, if you’ve seen one website you’ve seen one website,” Rein said. “There’s such diversity among the content, the age, the genre of what tools are used. In New Jersey we provide services to over 50 offices and state agencies in the executive branch and over time there have been a lot of different [website] management styles.”
Another issue, perhaps more ancillary, is network security. Ironically, some network administrators might see HTTPS as a step backward in cybersecurity because encryption gives them less visibility into the traffic coming over a network, hindering their ability to identify malicious activity.
Most people don’t seem to think that’s enough to justify keeping a website unencrypted.
“I think as encryption became adopted as a practice, that was probably more true yesterday … than it is now,” Rein said. “There are tools and measures that are in use right now that actually are able to inspect traffic coming in, traffic going out, even if it’s encrypted.”
Those include tools that look at the metadata that comes through the network, rather than the core information itself, for red flags.
At the end of the day, Montana’s Hinman said the state just didn’t see any good reasons not to encrypt.
“From my perspective, it’s easy to be attained technically, and there’s nothing that we give up by doing it, so why not have that protection?” Hinman said.