ITPIN: Government of Canada mandates HTTPS, HSTS
Effective June 27, 2018, all Canadian government websites should implement HTTPS for web connections
The government of Canada has issued an Information Technology Policy Implementation Notice (ITPIN) directing all “departments” to implement Transport Layer Security and migrate to HTTPS. The Notice is effective as of June 27th. All departments, agencies and organizations in the Canadian government that are not subject to the Policy on Management of Information Technology are advised to abide by the ITPIN.
Canadian departments are to implement safeguards that ensure their services are only offered via a secure connection. Specifically, that means that all connections must:
- Be configured for HTTPS
- Have HSTS enabled
- Support TLS 1.2 or higher
- Not support SSL 2.0, SSL 3.0, TLS 1.0 or TLS 1.1
- Have weak ciphers such as RC4 and 3DES disabled
If a department’s website involves the exchange of personal data then it should migrate as soon as possible. All other departments have until September 30, 2019.
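The five connection requirements above can be checked mechanically against the output of a TLS scan. The following is an added example, not code from the ITPIN or from any government tooling; the scan-result dictionary layout, the field names and the two sample endpoints are assumptions constructed for illustration.

```python
import re

# Assumption: cipher names use OpenSSL or IANA spelling, where RC4 and 3DES
# suites contain "RC4", "3DES" (IANA) or "DES-CBC3" (OpenSSL).
WEAK_CIPHER = re.compile(r"RC4|3DES|DES-CBC3", re.IGNORECASE)
FORBIDDEN = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
ACCEPTED = {"TLSv1.2", "TLSv1.3"}

def hsts_max_age(header):
    """Return max-age (seconds) from a Strict-Transport-Security value, else None."""
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None

def audit(scan):
    """Return findings for one endpoint; an empty list means all five checks pass."""
    findings = []
    if not scan.get("https_enabled"):
        findings.append("HTTPS not configured")
    if not hsts_max_age(scan.get("hsts_header")):
        # Missing header, unparsable max-age, or max-age=0 (which turns HSTS off).
        findings.append("HSTS not enabled")
    protocols = set(scan.get("protocols", []))
    if not protocols & ACCEPTED:
        findings.append("TLS 1.2 or higher not supported")
    findings += [f"forbidden protocol enabled: {p}" for p in sorted(protocols & FORBIDDEN)]
    findings += [f"weak cipher enabled: {c}" for c in scan.get("ciphers", [])
                 if WEAK_CIPHER.search(c)]
    return findings

# Constructed scan results for two hypothetical endpoints (not real hosts).
LEGACY = {"https_enabled": True, "hsts_header": None,
          "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
          "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "RC4-SHA"]}
HARDENED = {"https_enabled": True,
            "hsts_header": "max-age=31536000; includeSubDomains",
            "protocols": ["TLSv1.2", "TLSv1.3"],
            "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"]}

if __name__ == "__main__":
    for label, scan in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(label, audit(scan) or "compliant")
```

A header of `max-age=0` is reported as HSTS not enabled, because that value tells browsers to stop enforcing HSTS for the host.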
Canadians must be confident that they are accessing a legitimate service and that their connections remain private and free from interference. By applying specific security standards that have been widely adopted in industry, departments can ensure the integrity and confidentiality of their communications with Canadians. This includes implementing the HTTPS protocol which provides a layer of protection by encrypting connections using Transport Layer Security (TLS). HTTPS, along with approved encryption algorithms, offers a level of security and privacy that users expect from Government of Canada web services. In addition, whilst using modern web browsers, a secure connection will always be initiated when HTTP Strict Transport Security (HSTS) is configured.
The ITPIN goes on to say that implementing HTTPS is only one aspect of securing a digital service, before offering additional security considerations:
- Deploy modern operating systems (OS) and applications that are maintained with supported, up-to-date, and tested versions of software.
- Actively manage software vulnerabilities, including fixing known vulnerabilities quickly following a timely patch maintenance policy for OS and applications, and taking other mitigating steps, where patches can’t be applied.
- Implement appropriate host-based protections to protect systems against both known and unknown malicious activity.
- Minimize available services and control connectivity by removing or disabling all non-essential ports and services as well as removing unnecessary accounts from systems.
- Enable system logging to improve the ability to detect and identify anomalous behaviours, perform system monitoring, and to assist with incident response and forensic analysis of compromised systems.
- Carefully control and manage privileges assigned to users and administrators. Provide a reasonable (but minimal) level of system privileges and rights needed for their role.
- Use strong authentication mechanisms (for example, multi-factor authentication) where possible to protect from unauthorized access.
- Design web services so that they are protected from common security vulnerabilities such as SQL injection and others described in widely-used publications such as the Open Web Application Security Project (OWASP) Top 10.