1-in-4 National Bodies of Scotland Fail in Basic HTTPs Test
The public sector in the UK has to show that it is providing digital services which are trustworthy, and to make sure that citizens are on their side. Along with this governments within the UK have been publishing their cyber security strategy. In Scotland, for example, the Scottish Government recently published its strategy with an aim of “… helping Scotland’s people, businesses and public sector to improve their cyber resilience: their ability to use technology securely, and to respond to and prevent cyber crime.”
So, this week, Google, after announcements over the past year or so, started to mark sites which do not support HTTPs as being insecure. If you are a small business, without a great deal of IT support, and your Web hosting infrastructure makes it difficult for you to add a certificate and HTTPs support, it can be acceptable to be still catching-up with the changes. But if you are a public service body, you don’t really have many excuses for missing the deadline.
So I’ve been scanning the public sector in Scotland and will reveal the results in a series of posts.
First let’s look at the National Bodies of Scotland [here]. Of those listed the following have support for HTTPs and receive a gold star for security and trust in supporting HTTPs:
Architecture and Design Scotland, Bord na Gàidhlig, Cairngorms National Park Authority, Community Justice Scotland, David MacBrayne Ltd, Historic Environment Scotland, National Galleries of Scotland, National Museums of Scotland, Police Investigations and Review Commissioner, Risk Management Authority, Scottish Agricultural Wages Board, Scottish Children’s Reporter Administration, Scottish Enterprise, Scottish Environment Protection Agency (SEPA), Scottish Futures Trust, Scottish Land Commission, Scottish Legal Aid Board, Scottish Legal Complaints Commission, Scottish Natural Heritage, Skills Development Scotland, sportscotland, VisitScotland, Water Industry Commission for Scotland, National Library of Scotland, Scottish Qualifications Authority, and Scottish Criminal Cases Review Commission.
But these sites, at the current time, fail to support HTTPs properly:
- Creative Scotland https://www.creativescotland.com. Absolutely no support for HTTPs, only HTTP works.
- Crofting Commission https://www.crofting.scotland.gov.uk. Absolutely no support for HTTPs, only HTTP works.
- Highlands and Islands Airports Ltd https://www.hial.co.uk. Absolutely no support for HTTPs, only HTTP works. After I published this article in mid week, the site now has an HTTPs version.
- Highlands and Islands Enterprise https://www.hie.co.uk. Absolutely no support for HTTPs, only HTTP works.
- Quality Meat Scotland https://www.qmscotland.co.uk. No site shown.
- Royal Botanic Garden Edinburgh https://www.rbge.org.uk. Absolutely no support for HTTPs, only HTTP works.
- Scottish Funding Council https://www.sfc.ac.uk. Redirects to HTTP.
- Scottish Social Services Council https://www.sssc.uk.com. Redirects to HTTP.
And this site I think has problems with its certificate:
- Accounts Commission for Scotland https://www.audit-scotland.gov.uk
Some of the sites, such as the SFC and SSSC, redirect back to an insecure HTTP version, but others, such as Quality Meat Scotland don’t even exist in a secure form.
HTTPs itself will secure the communications, but the key element of it, is that users can actually see if the site is actually valid or not, and has been proven by a certificate provider.
If we are to get citizens on our side, and build a new digital focused world, the public sector must lead from the front. It is disappointing that around 1-in-4 public bodies of Scotland have not been able to do something as simple as put HTTPs on their site. I doesn’t cost anything for a certificate these days, and it is a relatively easy task to add it to the site. In the long term, the site should redirect from HTTP to HTTPs, but for a start, all public bodies should support HTTPs, as we need trust in our on-line world.
Here is a bit of background on the subject: