Google Chrome, the most widely used Web browser in the world, thinks a majority of state and local government websites aren’t doing enough to protect the people visiting them. And starting in July, that browser is going to start prominently telling those users that the sites they’re visiting aren’t secure.
And as of right now, a lot of those governments disagree — at least on paper — that they need to do anything about it.
The security measure in question is encryption, and specifically the basic encryption implied by a website having a URL that starts with HTTPS instead of HTTP. Of the 50 state government websites, 29 have front pages that are not encrypted. Of the 10 most populous cities in the nation, six have non-HTTPS front pages.
The problem is likely even more widespread than that. The government website and digital services company ProudCity embarked on a project about a year ago to gather information on trends among local government websites and estimated that less than 20 percent of city websites in the U.S. had HTTPS. Vision Internet, another government website builder, estimates that about 25 percent of its clients had encryption before they stepped in.
A lack of encryption means, in short, that hackers would have an easier time seeing, stealing or manipulating information traveling between the user and the website.
Quirks and Asterisks
The data collected is for front pages only, and doesn’t take into consideration other pages or sub-domains associated with a government website. In most cases, even if a government’s main page isn’t encrypted, a page that asks users for information will be.
That’s not always the case, though. For example, sanantonio.gov has a contact page where users can send a message to the city. The form requires them to enter their name and email address, and they have the option to submit home and work phone numbers as well, but the website doesn’t have encryption.
There are also websites on the list that have encryption certificates but don’t force users to the HTTPS version of the page, like Washington and Ohio. In those cases, a user can reach the encrypted version of the page if they type out the entire URL, starting with HTTPS://. If they forgo that part, they’ll reach the non-encrypted version.
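The distinction drawn above, between a site that merely has a certificate and one that forces visitors onto HTTPS, can be checked from the responses a site gives to its `http://` and `https://` addresses. The following is an added example, not part of the original article: the host names and responses are constructed samples, and the HSTS header it also reports is a mechanism the article does not discuss.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def _headers(resp):
    # Header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v for k, v in resp["headers"].items()}

def hsts_max_age(https_resp):
    """Return the Strict-Transport-Security max-age in seconds, 0 if absent or invalid."""
    value = _headers(https_resp).get("strict-transport-security", "")
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else 0
    return 0

def classify(http_resp, https_resp):
    """http_resp: response to http://host/; https_resp: response to https://host/
    (None if no TLS connection could be made). Each is {'status': int, 'headers': dict}."""
    if https_resp is None or https_resp["status"] >= 400:
        return "http-only"
    location = _headers(http_resp).get("location", "")
    # A relative Location (e.g. "/home") keeps the visitor on plain HTTP.
    redirected = (http_resp["status"] in REDIRECTS
                  and urlsplit(location).scheme == "https")
    if not redirected:
        return "https-available-not-enforced"
    return "https-enforced-hsts" if hsts_max_age(https_resp) > 0 else "https-enforced"

# Constructed sample responses for hypothetical hosts, not captured from any real site.
OK = {"status": 200, "headers": {}}
SAMPLES = {
    "enforced.example": ({"status": 301, "headers": {"Location": "https://enforced.example/"}},
                         {"status": 200, "headers": {"Strict-Transport-Security": "max-age=31536000"}}),
    "optional.example": (OK, OK),  # certificate installed, but HTTP still served
    "relative.example": ({"status": 302, "headers": {"Location": "/home"}}, OK),
    "plain.example": (OK, None),
}

def audit(samples=SAMPLES):
    return {host: classify(*pair) for host, pair in samples.items()}

if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host:18} {verdict}")
```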
Finally, in many cases, the state’s IT department is not directly responsible for all websites. Often, each individual agency has to take the burden on themselves to build a site, and many times they will have multiple sites.
Does it matter?
Google Chrome, the Web browser that carries the majority of traffic on the Internet today, is led by people who think every single page should be encrypted — even the ones that don’t carry sensitive information in either direction.
They aren’t the only ones.
“Having the state’s primary website over HTTPS matches the visitor’s expectations of privacy between their device and the services residing on www.mo.gov,” wrote Missouri Chief Information Security Officer Michael Roling in an email. “Privacy in this day and age has become paramount for Internet users, and Google’s move to flag sites as ‘not secure’ will hopefully motivate other website owners to switch to HTTPS.”
If an unencrypted Web page carries sensitive information, that information could be visible to hackers. And toward that end, a lot of the government websites that don’t encrypt their main landing pages do encrypt the pages that actually ask users for information — whether that’s renewing a driver’s license, paying for a parking ticket, signing up for notifications or something else.
Even if a page doesn’t handle sensitive information, there are still reasons to encrypt, according to Google spokesperson Ivy Choi.
“HTTPS is the only way for sites to ensure that the site they create is the site that users actually see, because without HTTPS, an attacker can modify the site in any way they want,” Choi wrote in an email. “For example, if a government site is on HTTP, an attacker could change or delete the information on the site, or add offensive imagery, etc.”
A big concern is photos and videos, which are often hosted on different servers but embedded into a government’s website. In those cases, even if the site itself is encrypted, a hacker could get in by targeting those assets.
And then there’s third-party software, long a weak point in government websites. Embedded third-party software can offer hackers a back door that allows them to do a lot of things.
Encryption also is the direction most of the Internet is going in. Most Google Chrome traffic is to HTTPS pages, and federal agencies are under strict orders to encrypt as well.
What many working in the government technology arena worry about is the message Chrome will be sending to users, and what impact it might have.
“At a time when people’s faith in government is low, especially with security issues that are coming up in the news around government and security, when you go to a government website and you see ‘not secure’ in a browser, regardless of whether you’re submitting information or not, that further decreases people’s faith in government to secure their private information,” said Luke Fretwell, ProudCity’s chief executive officer.
That “not secure” message, some think, will act as a general indication that something is wrong — a vague one.
“I think having a not secure message for the average user is gonna be ambiguous, so they’re just not going to know what that means,” said Michael DeAngelo, deputy director of Washington Technology Solutions.
It might serve as a general indicator that something is wrong. And ultimately, some argue, something is wrong.
“If you’re not taking the most basic steps, I think that’s something you should really be concerned with,” said Graig Lubsen, a spokesperson for the Indiana Office of Technology. “The industry is clearly driving this, and citizens may lose confidence when they start putting the unsecure messaging up there … whether it’s a skull and crossbones or something, citizens are going to have doubts about the business they’re doing with the government.”
There are a few reasons so many state and local government websites don’t encrypt. But they mostly boil down to the same thing: If there’s no sensitive information coming across a Web page, why make the extra effort?
The attitude has manifested itself in the form of policies, written or unwritten, in state governments. Take the unencrypted main landing page for the state of California, for example. The state has a policy stating that encryption is necessary for “confidential, sensitive or personal information.”
“CA.gov doesn’t contain any sensitive information, it’s not a transactional website,” said Bryce Brown, a spokesperson for the California Department of Technology. “It’s only a central portal from which you can access other websites and their services.”
Similar guidelines explain the status quo for the states of Washington, Indiana and Florida.
For some of them, it’s just a matter of time. Washington Technology Solutions launched a service last year where any state agency, local government or nonprofit can hire it to build Web pages. That service includes encryption, accessible design and mobile responsiveness on all pages by default.
“They’re not calling us and asking us about it, we just do it,” said DeAngelo. “For some of them, they probably don’t even know.”
DeAngelo estimates that the service has already increased the number of encrypted sites among its clients in the state ten-fold. The main landing page for the state government is in the queue.
Indiana plans on making all of its sites HTTPS in the next couple of months.
“Since we’re on a single content management system to manage our sites, it’s not that big a lift for us,” Lubsen said. “I think other states have that issue where they have agencies on multiple content management systems.”
Michigan is in a similar situation — it’s in the testing phase of moving most of the state’s websites to HTTPS.
A lot of companies that build websites for government are moving toward HTTPS. ProudCity encrypts by default, Vision Internet is moving toward encryption by default and NIC urges all its clients to consider HTTPS.
Not everybody is interested.
“Some of the feedback we’ve received, and we’ve been in conversation about this, is, ‘It’s public record, people can get it anyway,’” said Rodney Caudle, NIC’s director of information security.
This despite how much easier encryption is now than it was in yesteryear. Back when encryption was mainly used for e-commerce, it could cost a significant amount of extra time and maybe a couple hundred dollars to build encryption into a site. Now there are free tools like Let’s Encrypt that let any website owner move to HTTPS.
But that’s not going to work for everyone. Let’s Encrypt only offers domain validation and not extended validation, which is a higher standard and takes more effort to attain. The certificates that come from that service also only last 90 days, while others will last a year.
Domain validation is easier, but it’s also not as secure.
“There have been cases — and it’s relatively easy to do — you can impersonate an organization and get a domain validation cert, whereas it’s much more difficult to get an extended validation cert,” said Thomas Vaughn, chief information security officer of Florida.
And that’s not to say anything of the other security measures that vendors recommend governments take when building a website.
“There’s actually quite a bit of work you have to do to make sure you have HTTPS on your website, and then you have to worry about security policies and sub-resource integrity,” Caudle said.
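The two follow-on concerns raised in this article, embedded media loaded from other servers and third-party scripts without sub-resource integrity, can both be audited from a page's HTML. The following is an added example, not part of the original article: the page URL, host names, markup and the integrity value are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class SubresourceAudit(HTMLParser):
    """Flag subresources that weaken the guarantees of an HTTPS page."""
    URL_ATTRS = {"script": "src", "img": "src", "video": "src", "audio": "src",
                 "source": "src", "iframe": "src", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.mixed = []    # fetched over plain HTTP from an HTTPS page
        self.no_sri = []   # third-party script/stylesheet without integrity=

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        ref = attrs.get(self.URL_ATTRS.get(tag, ""))
        if not ref:
            return
        # In this narrowed example only stylesheet links count as loaded resources.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = urljoin(self.page_url, ref)   # resolves relative and "//host/..." forms
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return                          # data:, blob: and similar are out of scope
        if parts.scheme == "http":
            self.mixed.append(url)
        third_party = parts.hostname != self.page_host
        if tag in ("script", "link") and third_party and not attrs.get("integrity"):
            self.no_sri.append(url)

def audit_page(page_url, html):
    parser = SubresourceAudit(page_url)
    parser.feed(html)
    return {"mixed_content": parser.mixed, "missing_sri": parser.no_sri}

# Constructed sample page; hosts and the integrity value are placeholders.
SAMPLE_URL = "https://city.example/contact"
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<img src="http://media.example/council.jpg">
<video src="//video.example/meeting.mp4"></video>
<script src="https://cdn.example/widget.js"></script>
<script src="https://cdn.example/map.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/js/app.js"></script>
"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_URL, SAMPLE_HTML))
```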
Whatever resistance is there, change is in the wind. Aside from Google Chrome’s looming deadline, government cybersecurity is beginning to creep into the national dialog. There’s the investigation into foreign actors hacking into voting technology in the November 2016 elections. There are destructive ransomware attacks on a regular basis. And then there’s simply a desire to do something about it: The Center for Digital Government* regularly finds in surveys of government IT workers that cybersecurity is their No. 1 priority.
In that environment, many find that covering basics like Web encryption just makes sense, even if it’s not a huge concern for every corner of the Internet.
“It’s just a model of behavior that we think’s more appropriate for the times,” DeAngelo said.
*The Center for Digital Government is owned by Government Technology's parent company, e.Republic.