In light of recent cybersecurity mishaps such as the alleged DFA passport data breach, how serious is the government when it comes to protecting the privacy of Filipino citizens?
If we look at some of the websites owned and managed by the Philippine government, it seems that the online security and privacy of ordinary Filipinos are the least of their concerns. After all, many Philippine government websites still don’t have HTTPS encryption, which is the most basic feature of website security at a time when hackers and cybercriminals run rampant.
As early as 2016, Google started warning Internet users about the risks of visiting insecure websites without TLS or SSL certificates. Insecure websites pose security and privacy risks to Internet users due to the lack of encryption when handling sensitive information such as names, birthdays and even credit card information. Without HTTPS encryption, sensitive data could be intercepted by attackers who are spying on Internet traffic.
What is HTTPS Encryption and How Does It Work?
Hypertext Transfer Protocol Secure (HTTPS) is a communication protocol encrypted using Transport Layer Security (TLS). TLS, as well as its predecessor Secure Sockets Layer (SSL), is the standard security technology for establishing an encrypted link between a browser and a web server. It ensures that the transmission of data between the browser and the server (where the website is hosted) remains safe, private and protected.
Without an SSL certificate, data is transmitted as unencrypted plaintext, making it potentially accessible and readable to attackers who are snooping on network traffic. Any information that you send through the Internet is passed from one computer to another until it reaches the destination server. Any computer between you and the web server can see your sensitive information if it is not encrypted. With an SSL certificate in place, that information becomes unreadable to everyone except the destination server.
HTTPS is especially important over insecure networks such as public Wi-Fi access points, as anyone on the same local network can eavesdrop and intercept sensitive data not protected by HTTPS.
So how do you know if a website has HTTPS encryption? Websites with HTTPS encryption start with https:// instead of http://. On Google Chrome, a secure website is shown with a padlock icon next to the URL or web address. Clicking on that icon will show the message, “Connection is secure.” Unsecured websites will show a “Not secure” warning next to the browser address bar.
Philippine Government Websites Without HTTPS Encryption
Mind you, it’s not really imperative that your website should have HTTPS encryption. If your website does not handle user data or information, there’s really no urgent need to install an SSL certificate, although there’s a whole range of benefits in doing so, such as better search engine rankings.
We have not yet come to the point where access to your website will be blocked or limited if it doesn’t have HTTPS encryption, although based on Google’s previous pronouncements, they’re moving in that direction.
However, if your website handles sensitive and important information, it’s absolutely necessary to have an SSL certificate installed. This protects your users’ private information from the prying eyes of hackers and ensures that transmitted data cannot be corrupted or modified.
Knowing how important this basic security feature is, we visited several Philippine government websites to determine if they have implemented HTTPS encryption. We were surprised by the results.
Out of the 46 government websites we visited, 29 websites don’t have HTTPS encryption (and are insecure), 2 have SSL certificates but are not fully secure, and only 15 have HTTPS encryption and are fully secure.
Some of the biggest offenders include the Department of Education, the Department of Public Works and Highways, the Department of Tourism, the Civil Service Commission, and ironically, the Department of Information and Communications Technology.
Here is the list of Philippine government websites that still lack HTTPS encryption:
- Office of the President
- Office of the Vice President
- House of Representatives
- Supreme Court
- Department of Information and Communications Technology (DICT)
- Department of Agrarian Reform (DAR)
- Department of Agriculture
- Department of Education
- Department of Environment and Natural Resources (DENR)
- Department of National Defense
- Department of Public Works and Highways (DPWH)
- Department of Science and Technology (DOST)
- Department of Tourism
- Metropolitan Manila Development Authority (MMDA)
- Mindanao Development Authority
- National Commission on Muslim Filipinos
- National Economic and Development Authority (NEDA)
- National Security Council
- Presidential Management Staff
- National Telecommunications Commission (NTC)
- Bureau of Customs
- Philippine Atmospheric, Geophysical and Astronomical Services Administration (PAGASA)
- Bangko Sentral ng Pilipinas
- Civil Service Commission
- Intellectual Property Office of the Philippines
- Philippine National Police
- Housing and Urban Development Coordinating Council (HUDCC)
Websites that have HTTPS encryption but are not fully secure:
- Department of the Interior and Local Government (DILG)
- Technical Education and Skills Development Authority (TESDA)
We understand that these websites serve mostly as repositories of information for the general public, but there are instances where Internet encryption would be useful. For example, most government websites have web-based contact forms where any visitor can enter personal information such as names and email addresses. Without encryption, such information could be exposed to attackers who might use it for fraud, identity theft, and other cybercrimes.
It’s not only contact forms that are vulnerable to attackers. For instance, the Civil Service Commission website has the Online Career Service Examination Result Generation System (OCSERG) and the Online Notice of School Assignment (ONSA). Both online services require users to enter their personal details such as their first names, last names, email addresses, and dates of birth.
The Civil Service Commission website also has an email service for the agency’s officers and employees. Without HTTPS encryption, attackers could theoretically gain access to users’ email accounts by spying on network traffic and stealing usernames and passwords.
The Civil Service Commission website is just one example of a government website that handles and processes sensitive information without HTTPS encryption. There are also websites that load over HTTPS but are still not fully secure. This is called “mixed content” because some elements (such as CSS files and images) are fetched via HTTP. One example of a website with mixed content is the DILG website.
For a website to be fully secure, it must serve all content via HTTPS. If a website has HTTPS encryption but some files are loaded via HTTP, attackers could replace those files with malicious code to steal user data.
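The three categories used in the survey above (no HTTPS, HTTPS but not fully secure, HTTPS and fully secure) can be checked mechanically for a page that has already been fetched. The Python sketch below is an added example, not code from the original article; the sample HTML and the example.test hostnames are constructed, and it assumes only static HTML attributes are inspected (files pulled in by scripts or from inside CSS are out of scope).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a file. <a href> is navigation,
# not a subresource, so it is deliberately absent.
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src", "object": "data"}
FETCHING_RELS = {"stylesheet", "icon", "preload"}  # <link> rel values that fetch

# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="canonical" href="http://www.example.test/">
<script src="//cdn.example.test/app.js"></script></head><body>
<img src="/img/seal.png"><img src="http://static.example.test/banner.jpg">
<a href="http://other.example.test/">an ordinary link</a>
</body></html>"""


class SubresourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, absolute URL) pairs loaded over http://

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            ref = attrs.get("href") if rels & FETCHING_RELS else None
        else:
            ref = attrs.get(FETCH_ATTRS.get(tag, ""))
        if ref:
            # Relative and protocol-relative URLs inherit the page's scheme.
            absolute = urljoin(self.page_url, ref.strip())
            if urlsplit(absolute).scheme == "http":
                self.insecure.append((tag, absolute))


def classify(page_url, html):
    """Return (category, insecure_subresources) for an already-fetched page."""
    if urlsplit(page_url).scheme != "https":
        return "no HTTPS", []
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    if collector.insecure:
        return "HTTPS but not fully secure", collector.insecure
    return "HTTPS and fully secure", []
```

Calling `classify("https://www.example.test/", SAMPLE)` flags the stylesheet and the banner image, while the protocol-relative script, the site-relative image, the canonical link and the ordinary hyperlink are correctly left alone.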
How to Implement HTTPS Encryption
The easiest way to implement HTTPS encryption on a website is to install an SSL certificate. Webmasters can get free SSL certificates from Let’s Encrypt; many web hosting providers now offer free SSL certificates that can be installed with just a few clicks. Cloudflare also offers free SSL certificates with no installation required (in fact, Tech Pilipinas uses a free SSL certificate from Cloudflare).
We hope that the relevant government agencies will take online privacy more seriously and implement HTTPS encryption on their websites to protect the information and identity of Internet users. Implementing HTTPS encryption doesn’t require a large financial outlay (some SSL certificates are free), nor does it take significant technical expertise (any web developer can install an SSL certificate).
We also call on the National Privacy Commission to ensure that Philippine government websites comply with current web security and privacy standards starting with basic HTTPS encryption. Privacy is the right of every individual, and websites that fail to live up to web security standards risk endangering the privacy of Internet users, especially at a time when data breaches, hacking incidents and cyber attacks are increasing day by day.