

Ask HN: Just tested 200 gov websites and 2 were SSL-encrypted. What should I do? - r3bl

I just tested over 200 websites from my country that are using our local .gov domain.

Only 2 (yes, two!) of them were properly SSL encrypted. About 50 of them used self-signed certificates, but none of those 50 tried to enforce SSL encryption by default. The rest of them cannot be accessed using the https protocol at all!

The most interesting example I found was a site that has a self-signed certificate which expired in January 2013.

Some of them (30+) have contact forms posted on their sites. Most of those who have contact forms don't have any kind of CAPTCHA recognition whatsoever. About a third of them have a newsletter subscription option, and I found two unencrypted sites with login forms!

I want to do something about this, but I want to be ethical about it. Of course, contacting every single one of them is not an option, since there are far too many of them.

I'm thinking of writing a paper where I will address this issue and mimic some of the ways someone could exploit this fatal flaw, like MitM-ing a .doc file coming from the server, MitM-ing contact forms and rejecting contact requests, injecting rogue HTML code, etc. Of course, I would do these examples on my local network by using my secondary laptop as a victim and my primary laptop as an attacker.

But the thing is, I'm afraid that my hard work will come to nothing and nobody important would read it or do anything about it.

I would classify my country as somewhere in between first- and third-world countries.
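The survey the post describes (does the site answer on HTTPS, does its certificate validate against the system trust store, has it expired, and does plain HTTP redirect to HTTPS) can be scripted with nothing but the Python standard library. The code below is an added example, not the poster's own tooling: the `probe` function does the live checks against a hostname, while the decision logic in `classify`, `cert_expired` and `summarize` is kept pure so it can be exercised offline on constructed observations. The hostnames in `main` are placeholders, and the category names are this example's own labels for the buckets the post counts (properly encrypted, self-signed or expired, no HTTPS at all).

```python
import http.client
import socket
import ssl
import time
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Observation:
    """What one site looked like from the outside."""
    https_reachable: bool           # did a TLS handshake happen at all on port 443?
    verify_error: Optional[str]     # None if the chain validated against system roots
    not_after: Optional[str]        # certificate notAfter, e.g. 'Jan 15 12:00:00 2013 GMT'
    http_redirects_to_https: bool   # does plain HTTP send the client to https://?


def cert_expired(not_after: Optional[str], now: Optional[float] = None) -> bool:
    """True if the certificate's notAfter lies in the past.
    ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' form
    that ssl.getpeercert() returns."""
    if not_after is None:
        return False
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(not_after) < now


def classify(obs: Observation, now: Optional[float] = None) -> str:
    """Map an observation onto the buckets the survey counts."""
    if not obs.https_reachable:
        return "no-https"
    if obs.verify_error is not None or cert_expired(obs.not_after, now):
        return "invalid-cert"              # self-signed, untrusted or expired
    if obs.http_redirects_to_https:
        return "properly-encrypted"        # valid chain and HTTPS enforced
    return "valid-not-enforced"            # valid chain, but HTTP still served


def summarize(observations, now: Optional[float] = None) -> dict:
    """Tally of sites per bucket, as in the post's '2 of 200' figure."""
    return dict(Counter(classify(o, now) for o in observations))


def probe(host: str, timeout: float = 5.0) -> Observation:
    """Live check of one hostname; only the parts an ordinary client does."""
    https_reachable, verify_error, not_after = False, None, None
    ctx = ssl.create_default_context()     # verifies chain + hostname against system roots
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                https_reachable = True
                not_after = tls.getpeercert().get("notAfter")
    except ssl.SSLCertVerificationError as exc:
        https_reachable = True             # handshake started, chain was rejected
        verify_error = exc.verify_message  # e.g. 'self-signed certificate'
    except (OSError, ssl.SSLError):
        pass                               # port closed, timeout, or no TLS at all

    redirects = False
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        location = resp.getheader("Location") or ""
        redirects = resp.status in (301, 302, 303, 307, 308) and \
            location.lower().startswith("https://")
        conn.close()
    except OSError:
        pass
    return Observation(https_reachable, verify_error, not_after, redirects)


def main():
    # Placeholder hostnames (assumption): replace with the list being surveyed.
    hosts = ["ministry.example.gov", "agency.example.gov"]
    observations = [probe(h) for h in hosts]
    for host, obs in zip(hosts, observations):
        print(f"{host:30} {classify(obs)}")
    print(summarize(observations))


if __name__ == "__main__":
    main()
```

Only `probe` touches the network; everything else works on an `Observation` you can construct by hand, which is also how you would record results gathered by other means. Because `ssl.create_default_context()` refuses untrusted chains during the handshake, a self-signed or expired certificate surfaces as `verify_error` rather than as a parsed `notAfter`; the `cert_expired` path is there for certificates whose dates were obtained separately.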
======
sshine
In my country, I would write to the largest tech news site and co-author a
press release with one of their reporters after having met them in person
(perhaps after selecting them or having them recommended). I would make some
professor comment on it as well as myself with the title of security
professional or researcher, perhaps just your name and your company name. In
fact, I'd try to get a researcher from a group that does "democratic
technology" (DemTech.dk). They have been advising in other countries, too. If
it catches the mainstream, I'd let myself be interviewed by the tabloids. If not, I
don't know if contacting them has any unwanted effects, but I'd probably do it
out of desperation.

Then I would ally with the local watchdog political party to run this as one
of their issues, just because their faces are popular. The last part may
collide with building a reputation as an independent researcher.

------
drallison
I agree with your intuition that you must do something to report this problem.

The problem is knowing who is responsible and getting their attention. Not
knowing the country makes this difficult, but I am fairly sure you have the
resources to find someone to help.

If you can identify an official or office which is responsible, give them a
phone call or send a fax that explains the issue, and ask them for their help
in notifying the proper authorities. I'd avoid email for this as many
governmental officials do not read email.

If that fails, a letter to the editor of the primary newspaper about the
security issues (no details!) may be effective.

------
svisser
What do you stand to gain by going ahead with this?

~~~
drallison
I find svisser's comment to be more than a little snarky. Reporting observed
security problems to the proper authorities is part of being a good netizen
and benefits us all.

~~~
svisser
This is a legitimate question to ask before going ahead with matters like
this. Reporting security vulnerabilities does come with risks and should be
evaluated carefully.

------
dylanjermiah
You should vote for politicians, because that will definitely help. Democracy
and all.

