Professor Dali Kaafar and the Optus Macquarie University Cyber Security Hub have released a security audit of publicly accessible Australian government websites (both federal and state/territory level). The audit focuses on the adoption of HTTPS, the encrypted communication protocol for the web; on the security level of each site's HTTPS implementation; and on exposure to the loading of malicious external resources.
The audit reveals both light and shadow.
-A significant fraction of Australian government websites (16%) still do not support HTTPS.
-Webpages owned by some specific federal government departments are of particular concern: e.g. 47.4% of the Department of Environment and Energy's webpages still use plaintext (unencrypted) HTTP.
-11% of state/territory government webpages still do not support HTTPS; the fraction rises to 25% for the Tasmanian state government.
-The audit detected major weaknesses in HTTPS implementations: support for weak cryptographic mechanisms, support for vulnerable protocol versions, and "untrusted" certificates that do not allow a client to correctly validate the server's identity. E.g. 20% of Northern Territory government websites had at least one misconfigured HTTPS certificate and received a 1 Star security rating.
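The findings above boil down to three questions a client can ask of any hostname: does it answer over HTTPS at all, does its certificate validate against the system trust store for the name requested, and what protocol version and cipher does it negotiate. The script below is an added example that asks exactly those questions; it is not the Hub's audit tooling (the page does not describe the audit's methodology), and the function names, the `HttpsResult` record, and the list of weak-cipher markers are this example's own choices.

```python
"""HTTPS posture check for a single host: reachability over TLS, certificate
trust, and negotiated protocol/cipher.  Added example, not the audit's code."""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Protocol versions the audit would count as "vulnerable protocols".
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names that indicate weak mechanisms
# (assumed list for this example; extend as your policy requires).
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")


@dataclass
class HttpsResult:
    host: str
    reachable: bool                # a TLS handshake completed at all
    cert_trusted: Optional[bool]   # None if the strict handshake failed for a non-cert reason
    protocol: Optional[str]        # e.g. "TLSv1.3"
    cipher: Optional[str]          # e.g. "TLS_AES_256_GCM_SHA384"
    error: Optional[str] = None


def _handshake(host: str, port: int, verify: bool, timeout: float):
    """Complete one TLS handshake and return (protocol, cipher name)."""
    ctx = ssl.create_default_context()
    if not verify:
        # Permissive probe: learn what the server negotiates even if its chain
        # is untrusted or it only speaks an old protocol.  check_hostname must
        # be cleared before verify_mode can be set to CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        # The default context refuses TLS < 1.2; relax that so an old version
        # is reported rather than hidden.  OpenSSL's security level may still
        # refuse SSLv3 on modern builds.
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def check_https(host: str, port: int = 443, timeout: float = 5.0) -> HttpsResult:
    """Probe permissively first (what does the server offer?), then strictly
    (does the certificate validate for this hostname?)."""
    try:
        proto, cipher = _handshake(host, port, verify=False, timeout=timeout)
    except (OSError, ssl.SSLError) as e:
        return HttpsResult(host, False, None, None, None, str(e))
    try:
        _handshake(host, port, verify=True, timeout=timeout)
        return HttpsResult(host, True, True, proto, cipher)
    except ssl.SSLCertVerificationError as e:
        # Subclass of SSLError, so it must be caught before the generic case.
        return HttpsResult(host, True, False, proto, cipher, str(e))
    except (OSError, ssl.SSLError) as e:
        # Reachable permissively but rejected under default client policy
        # (typically a protocol/cipher the default context will not accept).
        return HttpsResult(host, True, None, proto, cipher, str(e))


def classify(result: HttpsResult) -> List[str]:
    """Map one probe result onto the audit's finding categories."""
    if not result.reachable:
        return ["no HTTPS"]
    findings = []
    if result.cert_trusted is False:
        findings.append("untrusted certificate")
    if result.protocol in WEAK_PROTOCOLS:
        findings.append("vulnerable protocol")
    if result.cipher and any(m in result.cipher.upper() for m in WEAK_CIPHER_MARKERS):
        findings.append("weak cipher")
    return findings or ["ok"]


if __name__ == "__main__":
    import sys
    for hostname in sys.argv[1:]:
        r = check_https(hostname)
        print(f"{r.host}: {', '.join(classify(r))}"
              f" [{r.protocol} {r.cipher}]" + (f" ({r.error})" if r.error else ""))
```

Run it as `python check_https.py example.gov.au other.gov.au` to get one line per host. The two-probe design matters: a single strict handshake would report a TLS 1.0-only server as simply "unreachable", which is the wrong finding, and a single permissive handshake would never tell you whether the certificate actually validates for the requested name, which is the defect behind the "untrusted certificate" category.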
Learn more about this audit and its implications for the security of Australian government digital infrastructure. The research report is available here.