Secure Browsing in Local Government: The Case of Portugal

Authors

  • Hélder Gomes, Escola Superior de Tecnologia e Gestão de Águeda (ESTGA), Universidade de Aveiro, Portugal and Institute of Electronics and Informatics Engineering of Aveiro (IEETA), Universidade de Aveiro, Portugal. ORCID: https://orcid.org/0000-0001-8443-4196
  • André Zúquete, Departamento de Eletrónica, Telecomunicações e Informática (DETI), Universidade de Aveiro, Portugal and Institute of Electronics and Informatics Engineering of Aveiro (IEETA), Universidade de Aveiro, Portugal. ORCID: https://orcid.org/0000-0002-9745-4361
  • Gonçalo Paiva Dias, Escola Superior de Tecnologia e Gestão de Águeda (ESTGA), Universidade de Aveiro, Portugal and Research Unit on Governance, Competitiveness and Public Policies (GOVCOPP), Universidade de Aveiro, Portugal. ORCID: https://orcid.org/0000-0002-8599-3798
  • Fábio Marques, Escola Superior de Tecnologia e Gestão de Águeda (ESTGA), Universidade de Aveiro, Portugal and Institute of Electronics and Informatics Engineering of Aveiro (IEETA), Universidade de Aveiro, Portugal. ORCID: https://orcid.org/0000-0003-1212-1718

DOI:

https://doi.org/10.13052/jwe1540-9589.2041

Keywords:

e-government, local government, HTTPS, privacy, confidentiality, security, Web

Abstract

This article addresses the adoption and use of Hypertext Transfer Protocol Secure (HTTPS) in the entry pages of the official websites of all (308) Portuguese municipalities. This is relevant because such websites are typically used to provide transactional services to citizens, and citizens need to trust that the websites are authentic and that the confidentiality and integrity of the information exchanged are assured in the communication process. Automated and, whenever needed, manual analyses were used to investigate the entry pages. Specifically, we checked for the existence of an HTTPS site; the correctness of website certificates and their certification chain; coherence between the contents of the HTTP and HTTPS versions of websites; redirection from the HTTP version of a website to its HTTPS version; the existence of resources fetched using HTTP in HTTPS versions of websites; and the use of HTTP Strict Transport Security (HSTS). A Quality Indicator was then defined and a classification of the municipalities into quality groups was produced. Possible determinants for the results obtained by the municipalities were also investigated. The general conclusion is that there is still much to be done to assure that citizens can communicate securely with the websites of all Portuguese municipalities, since only 3.6% of the municipalities were considered good, while 46.1% do not guarantee the minimum conditions. We argue that these results are associated with the fact that most Portuguese municipalities do not have the critical technical and managerial mass to correctly implement and maintain their websites. To mitigate this limitation, we propose the dissemination of technical instructions on how to correctly configure and deploy municipal HTTPS websites and the creation of shared services between the smaller municipalities.
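Three of the checks listed in the abstract (HTTP-to-HTTPS redirection, resources fetched over HTTP from the HTTPS page, and HSTS) can be evaluated offline from a recorded entry-page exchange. The sketch below is an added example, not the authors' tooling; the function names, the observation layout and the `cm-example.test` host are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute is fetched on page load (an <a href> is only a link).
FETCHING = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
            "audio": "src", "video": "src", "source": "src", "link": "href"}

class _ResourceScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # e.g. rel=canonical names a URL but does not load it
        url = (a.get(FETCHING.get(tag, "")) or "").strip()
        if url.lower().startswith("http://"):
            self.insecure.append((tag, url))

def insecure_resources(html):
    """Resources an HTTPS page would fetch over plain HTTP (mixed content)."""
    scan = _ResourceScan()
    scan.feed(html)
    return scan.insecure

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if missing or without max-age."""
    max_age, subdomains = None, False
    for part in (value or "").split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isascii() and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            subdomains = True
    return None if max_age is None else {"max_age": max_age, "include_subdomains": subdomains}

def redirects_to_https(status, location):
    return status in (301, 302, 303, 307, 308) and urlsplit(location or "").scheme == "https"

def assess(obs):
    hsts = parse_hsts(obs["https_headers"].get("strict-transport-security"))
    return {"redirect_to_https": redirects_to_https(obs["http_status"], obs["http_location"]),
            "hsts_active": bool(hsts and hsts["max_age"] > 0),  # max-age=0 clears the policy
            "insecure_resources": insecure_resources(obs["https_body"])}

SAMPLE = {  # constructed observation of a fictional municipal site
    "http_status": 301, "http_location": "https://www.cm-example.test/",
    "https_headers": {"strict-transport-security": "max-age=0; includeSubDomains"},
    "https_body": '<link rel="stylesheet" href="https://www.cm-example.test/s.css">'
                  '<img src="http://www.cm-example.test/logo.png">'
                  '<a href="http://old.cm-example.test/">old site</a>'}
```

On the constructed sample the redirect is in place, but the HSTS header carries `max-age=0` and therefore sets no policy, and one image is still fetched over HTTP.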

Author Biographies

Hélder Gomes, Escola Superior de Tecnologia e Gestão de Águeda (ESTGA), Universidade de Aveiro, Portugal and Institute of Electronics and Informatics Engineering of Aveiro (IEETA), Universidade de Aveiro, Portugal

Hélder Gomes holds a PhD in Computer Engineering from the University of Aveiro (UA), Portugal, and is currently an adjunct professor at the School of Technology and Management of Águeda (ESTGA) and a researcher at the Institute of Electronics and Informatics Engineering of Aveiro (IEETA) at UA. His main area of interest is computer security, with a focus on its application to e-government and on user privacy, and he is the author of several scientific publications. Before joining UA, he worked as a software engineer and participated in several national and international projects on military tactical communications systems.

André Zúquete, Departamento de Eletrónica, Telecomunicações e Informática (DETI), Universidade de Aveiro, Portugal and Institute of Electronics and Informatics Engineering of Aveiro (IEETA), Universidade de Aveiro, Portugal

André Zúquete received his PhD in Informatics and Computer Engineering from Instituto Superior Técnico, University of Lisbon, Lisbon, Portugal, in 2001. He is now an Assistant Professor at the University of Aveiro, Aveiro, Portugal, a researcher at IEETA (Institute of Electronics and Informatics Engineering of Aveiro) and a collaborator of IT (Instituto de Telecomunicações). His R&D activities are centered on security in distributed systems, with a focus on the design of security architectures for several specific scenarios (e-Voting, e-Health, e-Government, vehicular networks, etc.). He is a program committee member of several conferences in the areas of security and mobility. He has participated in several national and international projects and has done some consulting on security for Portuguese companies and state departments. He has dozens of articles published in international forums related to security and mobility, and he is the author of a technical book on network security (in Portuguese). He is the Portuguese representative on the IFIP TC11 (Security and Privacy Protection in Information Processing Systems).

Gonçalo Paiva Dias, Escola Superior de Tecnologia e Gestão de Águeda (ESTGA), Universidade de Aveiro, Portugal and Research Unit on Governance, Competitiveness and Public Policies (GOVCOPP), Universidade de Aveiro, Portugal

Gonçalo Paiva Dias is associate professor at the School of Technology and Management of Águeda (ESTGA) and full researcher at the Research Unit on Governance, Competitiveness and Public Policies (GOVCOPP) at the University of Aveiro. He held several positions at the University, including Vice Rector, Dean of ESTGA, and Director of the degree in Information Technology. He publishes regularly on the subjects of e-government, information systems and technologies, and higher education.

Fábio Marques, Escola Superior de Tecnologia e Gestão de Águeda (ESTGA), Universidade de Aveiro, Portugal and Institute of Electronics and Informatics Engineering of Aveiro (IEETA), Universidade de Aveiro, Portugal

Fábio Marques completed his PhD in Computer Engineering (2013) at the University of Aveiro (UA). He is an adjunct professor at Escola Superior de Tecnologia e Gestão de Águeda (ESTGA-UA), where he has taught since 2001. He is a collaborator of the Institute of Electronic Engineering and Informatics of Aveiro (IEETA-UA). He is on the scientific committee of national and international journals and conferences. He has participated in several national and international projects and has several publications. Currently, his research interests are in the areas of distributed systems, e-Government, privacy and educational technologies.

Published

2021-06-10

How to Cite

Gomes, H., Zúquete, A., Dias, G. P., & Marques, F. (2021). Secure Browsing in Local Government: The Case of Portugal. Journal of Web Engineering, 20(4), 935–962. https://doi.org/10.13052/jwe1540-9589.2041

Section

Articles