Why government websites are 'not secure' to enter
Approximately 70,000 users visit government portals every half an hour, and many of them do so over connections their browser flags as 'not secure'. Speaking to experts, TBS delves into why this risk exists in the first place and the ways forward
![Photo: TBS](https://947631.windlasstrade-hk.tech/sites/default/files/styles/big_2/public/images/2023/11/01/govt_site.png)
Since the beginning of this year, there have been many occasions when I had to visit government portals and websites. Many times I encountered a notice that says: "The connection to www.minlaw.gov.bd or www.mefwd.gov.bd is not secure. You are seeing this warning because this site does not support https."
Then there are two options - continue to the site or go back.
Now the dilemma about whether I risk my data privacy or continue to pursue my assignment at hand has put me under stress multiple times. Is it harmful? Am I getting into trouble?
"This is indeed a serious matter, especially now when cyber security is a matter of concern. Any important government portal and website is supposed to be secured or encrypted with SSL certification. The organisation must buy the certificate and renew it annually.
If that is not followed, the browser will show you the warning, and if you continue to the portal, your data can be hacked or malware can contaminate your computer. If you proceed with any transaction, the details can be leaked from the website," said Syed Almas Kabir, the former President of the Bangladesh Association of Software & Information Services (BASIS).
This means a certificate, and HTTPS with it, is a must, especially for government websites and portals that large numbers of people use.
According to Syed Almas Kabir, the portals need to be mobile friendly also, because most of the citizens will enter these portals through their smartphones.
How many people actually visit the government portals every day? According to the national portal implementation specialist of a2i Mohammad Samsozzaman, 70,000 users enter the national portals every 30 minutes.
What is an SSL certificate?
SSL stands for Secure Sockets Layer, the original protocol for creating an encrypted link between a web server and a web browser. It has since been superseded by Transport Layer Security (TLS), but the name has stuck, and an 'SSL certificate' today is the certificate a server presents during the TLS handshake. TLS keeps the connection confidential and prevents criminals on the network from reading or modifying the information passing between the two systems. When you see a padlock icon next to the URL in the address bar, it means the connection to that site is encrypted and the server has proved it holds the certificate for that name; it does not, by itself, mean the site is honest or free of malware.
Companies and organisations need to add SSL certificates to their websites to secure online transactions and keep customer information private and secure.
When a website is secured by a certificate and served over HTTPS (HyperText Transfer Protocol Secure), the URL begins with https:// and the browser shows a padlock in the address bar. Without a certificate, the URL begins with plain http:// and current browsers label the page 'Not secure'. The padlock signals that the connection is protected and reassures those visiting the website.
There are multiple certificate providers worldwide, and pricing depends on the services bundled with the certificate. For example, DIGI search will charge Tk60,000 ($1,000) annually, and in exchange offers a warranty of up to $1 billion: should anything go wrong for the site or its users as a result, the provider undertakes to cover it.
Another company, Comodo, will issue a similar certificate for Tk10,000 annually but provides no such warranty.
Why do important government portals not have SSL certification?
We reached out to Debabrata Sarkar, the infrastructure expert of a2i. According to him, there are mainly three reasons why your browser shows such a security message. The first is that the website you are visiting has no certificate installed at all; the second is that the certificate it has installed has expired and needs to be renewed.
The third is a mismatch between the domain name you typed and the name recorded in the configured certificate (its Subject DN, or Distinguished Name).
"Your browser is basically giving you a warning; now it is up to you whether you will risk your security and enter," he said.
A DN, or Distinguished Name, is the identifying information written into a certificate. Each certificate carries two: the Subject DN, which names the owner or requester of the certificate, and the Issuer DN, which names the certificate authority (CA) that issued it. One caveat on the name-mismatch case: modern browsers no longer compare the hostname with the Common Name in the Subject DN; they check it only against the certificate's Subject Alternative Name (SAN) list, so every hostname the site answers to, including the www variant, must be listed there.
So the 70,000 users who visit these portals every half an hour do so at their own risk. Is it worth it?
Also, a page that is itself served over HTTPS may load some of its resources (scripts, stylesheets, images, frames) over plain HTTP. This is technically termed mixed content, sometimes described as 'HTTP over HTTPS'. Browsers block mixed scripts, stylesheets and frames outright, because they could alter the page, and either upgrade or warn about mixed images and media; either way the page loses its padlock. An ordinary link to an http:// page is not mixed content; the warning appears only when the HTTPS page itself fetches something over HTTP.
HTTPS is HTTP with encryption and authentication. The difference between the two protocols is that HTTPS carries the ordinary HTTP requests and responses inside a TLS (SSL) session, which encrypts them, detects any tampering in transit, and authenticates the server by its certificate. As a result, HTTPS is far more secure than HTTP.
If a website uses HTTP instead of HTTPS, every request and response can be read, and silently altered, by anyone who can see the traffic: the Wi-Fi operator, the ISP, or an attacker on the path. Such a party can read the text of a request or response and know exactly what information someone is asking for, sending or receiving, and can inject content of its own into the page.
You can open a website with either scheme. If it has a certificate installed, the https:// address loads normally, while the http:// address is still marked insecure unless the server redirects it to HTTPS. A properly configured server does exactly that, and additionally sends an HTTP Strict Transport Security (HSTS) header so that the browser uses only HTTPS for that domain from then on.
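To make the mixed-content case concrete, here is an added example (not code from TBS or a2i) that scans a page's HTML for sub-resources fetched over plain HTTP and classifies them the way browsers do: active content (scripts, stylesheets, frames, plugins) versus passive content (images and media). It deliberately does not flag an ordinary link to an http:// page. The page URL and HTML below are constructed for illustration; portal.example.gov.bd and the cdn/static hostnames are hypothetical.

```python
"""Mixed-content scanner: finds sub-resources an HTTPS page loads over HTTP.
Added example, not code from TBS or a2i; standard library only."""
from __future__ import annotations
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that cause the browser to fetch a sub-resource.
# "active" content can run code or restyle the page and is blocked outright
# by current browsers; "passive" content (images, media) gets a warning or
# is auto-upgraded to https.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"),
           ("source", "src")}
# <link> only fetches for these rel values (rel=canonical, say, is just a hint).
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.findings: list[tuple[str, str, str]] = []   # (severity, tag, url)

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag == "link" and not (set(attrs.get("rel", "").lower().split()) & FETCHING_LINK_RELS):
            return
        for attr in ("src", "href", "data"):
            if (tag, attr) in ACTIVE:
                severity = "active"
            elif (tag, attr) in PASSIVE:
                severity = "passive"
            else:
                continue   # <a href>, <form action> etc. are navigations, not fetches
            url = attrs.get(attr, "").strip()
            if not url:
                continue
            # Resolve relative ("/x.css") and protocol-relative ("//cdn/x.js")
            # references against the page URL: they inherit https and are fine.
            absolute = urljoin(self.page_url, url)
            if urlsplit(absolute).scheme == "http":
                self.findings.append((severity, tag, absolute))


def scan(page_url: str, html: str) -> list[tuple[str, str, str]]:
    """Return (severity, tag, absolute_url) for every HTTP sub-resource on an
    HTTPS page. A page served over http:// has no 'mixed' content to report:
    everything on it is already in the clear."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings: list[tuple[str, str, str]]) -> dict[str, int]:
    """Count findings per severity; anything 'active' means a broken page, not just a warning."""
    return {"active": sum(1 for s, _, _ in findings if s == "active"),
            "passive": sum(1 for s, _, _ in findings if s == "passive")}


# Constructed sample page (hypothetical hostnames), typical of a portal whose
# theme was written while the site was still served over http.
SAMPLE_PAGE_URL = "https://portal.example.gov.bd/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<link rel="canonical" href="http://portal.example.gov.bd/">
<script src="//cdn.example.net/jquery.js"></script>
<script src="http://cdn.example.net/analytics.js"></script>
</head><body>
<img src="http://static.example.gov.bd/logo.png">
<img src="/images/seal.png">
<a href="http://www.minlaw.gov.bd/">Ministry of Law and Justice</a>
<iframe src="https://maps.example.net/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
```

On the constructed page the scanner reports three findings: the stylesheet and the analytics script are active mixed content (the browser will refuse to load them, so the page renders broken as well as unpadlocked), and the logo is passive. The protocol-relative jQuery reference, the root-relative seal image, the canonical link and the link to the ministry site are all left alone, which is exactly the distinction a developer needs when fixing a migrated portal: change the fetched resources, not every URL on the page.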
There are more than 50,000 (somewhere between 45,000 and 55,000) national portals currently running. Starting with the district information portals in 2014, the number has grown over nine years to include the ministries and departments, down to the upazila and union parishad levels.
"In 2018, when https became popular, we incorporated several ministry websites under this protocol. In the last five years, we brought 60 ministry websites under https protocol, the rest of the websites are under http," Sarkar said.
"Towards the end of 2022, when cyber security became a major issue, we decided to bring all the 50,000 websites under the secured https protocol. Till today, we have been able to bring 20,000 websites and portals of the divisions and upazila. Apart from these, more than 450 domains of directorate level are under https protocol now," he added.
While speaking to Sarkar, I searched the Ministry of Law and Justice website in my Google Chrome browser and it showed me the warning message that it is not secure. This portal is managed by a2i; the SSL certificate for it was taken in September 2022 and was supposed to expire on 7 October 2023. Then why did it say it was not secure to enter on 1 October?
Sarkar instructed me to search without including www in the URL. I could log in to the portal.
"It's actually not necessary to use WWW in URLs. It exists for just one purpose—to identify the web address. This is not the case with other important URL signifiers, such as a File Transfer Protocol (FTP) server (ftp) or news server (news). As such, WWW may be classified as a subdomain of a larger website," explained Sarkar.
"We registered 500 domains under two or three certificates, which are termed multi-domain certificates, where we didn't allow the www subdomain," he added.
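The three causes Sarkar lists (no certificate, an expired certificate, a name mismatch) and the www-versus-bare-domain mismatch just described can all be checked mechanically. The following is an added example, not code from TBS or a2i. It works on the dictionary that Python's standard `ssl` module returns for a peer certificate, and applies the same hostname rule browsers use (SAN entries only, wildcard covering one label). Both sample certificates are constructed: the SAN list, issuer and validity dates attached to minlaw.gov.bd are assumptions for illustration (only the 7 October 2023 expiry is taken from the article), and *.division.gov.bd is a hypothetical wildcard name standing in for the division-level certificates mentioned later in the piece.

```python
"""
Diagnose why a browser says 'Not secure': no certificate, an expired one,
or one that does not cover the hostname typed. Added example, not code from
TBS or a2i. Operates on the dict shape returned by ssl.SSLSocket.getpeercert();
the sample certificates below are constructed and do not reproduce any real one.
"""
from __future__ import annotations
import socket
import ssl
import time
from typing import Optional


def _san_dns_names(cert: dict) -> list[str]:
    """DNS names from the subjectAltName extension. Modern browsers match the
    hostname against these only; the Subject DN's commonName is ignored."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact, or a left-most wildcard covering exactly
    one label, so *.division.gov.bd covers www.division.gov.bd but neither
    division.gov.bd itself nor a.b.division.gov.bd."""
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    first, sep, rest = hostname.partition(".")
    return bool(sep) and first != "" and rest == pattern[2:]


def hostname_covered(cert: dict, hostname: str) -> bool:
    hostname = hostname.lower().rstrip(".")
    return any(_label_matches(p, hostname) for p in _san_dns_names(cert))


def seconds_to_expiry(cert: dict, now: float) -> float:
    """Positive while valid. notAfter is in the 'Oct  7 23:59:59 2023 GMT'
    form that getpeercert() yields, which ssl.cert_time_to_seconds parses."""
    return ssl.cert_time_to_seconds(cert["notAfter"]) - now


def diagnose(cert: Optional[dict], hostname: str, now: float,
             warn_days: int = 30) -> str:
    """One of: 'no-certificate', 'expired', 'name-mismatch', 'expiring-soon', 'ok'.
    Expiry is reported before a name mismatch, matching what the browser shows first."""
    if not cert:
        return "no-certificate"
    remaining = seconds_to_expiry(cert, now)
    if remaining <= 0:
        return "expired"
    if not hostname_covered(cert, hostname):
        return "name-mismatch"
    if remaining < warn_days * 86400:
        return "expiring-soon"
    return "ok"


def live_diagnose(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch a real server's certificate and diagnose it. Needs the network, so
    the offline checks below never call it. The chain must still be trusted;
    only the hostname check is done by us, so we can report *why* it failed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return diagnose(tls.getpeercert(), hostname, time.time())
    except (OSError, ssl.SSLError) as exc:
        return f"handshake-failed: {exc.__class__.__name__}"


# Constructed sample: a multi-domain certificate that lists the bare ministry
# domains but not their www subdomains (the situation the article describes;
# the contents are an assumption, only the expiry date is from the article).
MULTI_DOMAIN_CERT = {
    "subject": ((("commonName", "minlaw.gov.bd"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "subjectAltName": (("DNS", "minlaw.gov.bd"), ("DNS", "mefwd.gov.bd")),
    "notBefore": "Sep 15 00:00:00 2022 GMT",
    "notAfter": "Oct  7 23:59:59 2023 GMT",
}

# Constructed sample: a wildcard certificate for a hypothetical division domain.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.division.gov.bd"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "subjectAltName": (("DNS", "*.division.gov.bd"),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 23:59:59 2024 GMT",
}

OCT_1_2023 = ssl.cert_time_to_seconds("Oct  1 12:00:00 2023 GMT")  # day of the check
OCT_8_2023 = ssl.cert_time_to_seconds("Oct  8 00:00:00 2023 GMT")  # day after expiry

if __name__ == "__main__":
    for host in ("minlaw.gov.bd", "www.minlaw.gov.bd"):
        print(host, diagnose(MULTI_DOMAIN_CERT, host, OCT_1_2023))
    for host in ("www.division.gov.bd", "division.gov.bd", "a.b.division.gov.bd"):
        print(host, diagnose(WILDCARD_CERT, host, OCT_1_2023))
```

Run as a script, it reports the bare minlaw.gov.bd as expiring-soon on 1 October 2023 (six days before the renewal date) and www.minlaw.gov.bd as a name-mismatch, because the constructed certificate lists only the bare domain; the wildcard case shows that a division-level wildcard covers www.division.gov.bd but not the apex domain or a deeper host. `live_diagnose` does the same against a real server and is the piece to wire into a renewal monitor: for 50,000 portals, alerting 30 days before notAfter is what keeps the expired-certificate case from recurring.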
So the problem is that if a2i were to buy a separate SSL certificate for every portal, it would need 50,000 certificates. A commercially issued certificate may cost anywhere from $10 to $1,000, depending on the services bundled with it. (Domain-validated certificates are also issued free of charge, with automated renewal, by ACME-based CAs such as Let's Encrypt, and are trusted by all major browsers.)
"If you consider the lowest cost, [which is] Tk1,000 per application, it would require Tk5 crore, which is a lot of money per year. Technologically there is no difference between the $10 certificate and a $100 one, both will be acceptable to the CA/B forum," said Sarkar.
The Certification Authority/Browser (CA/B) Forum is a voluntary group of certificate authorities (CAs), vendors of internet browser software, and suppliers of other applications that use X.509 digital certificates for TLS/SSL and code signing.
A2i covered more than 20,000 domains under 90 certificates of three types. A multi-domain certificate lists several hostnames in one certificate. A wildcard certificate covers every host one level below a single domain (a certificate for *.division.gov.bd, to take a hypothetical name, would cover www.division.gov.bd but not division.gov.bd itself or a.b.division.gov.bd); a2i used this type for the division-level domains. A single-domain certificate covers one hostname.
To cover the rest of the 30,000 portals, a2i needs to apply for almost 490 wildcard SSL certificates. If you consider the minimum price of Tk10,000 each, this will cost a2i almost Tk50 lakh.
"We are doing this phase by phase, it requires time and resources. Eventually, we will reach there," concluded Sarkar.