Government websites rely heavily on HTTPS, the encrypted and authenticated form of web connection, to handle the public's business online. When things go well, neither users nor system administrators notice anything. However, poorly configured security settings can give the illusion of security without offering any real protection.
GlobalSign has developed a free tool, aimed at IT and website administrators, that lets IT shops assess their website security as it relates to SSL. The SSL Config. Checker flags problems in a site's SSL configuration and provides remediation guidance so that they can be fixed promptly. Some administrators improved their security posture in less than 30 minutes, an easy fix without a lot of additional work.
All users have to do is enter the website's address; the tool locates every server supporting that site and delivers a letter-grade report on the health of each one's security configuration. So far this year, over 6,000 sites have used the tool to evaluate the effectiveness of their SSL, and 269 of them used GlobalSign's remediation guidance to strengthen their security.
“What we wanted to do was create a knowledgebase around security issues and give people a way of making decisions about their security posture,” said Ryan Hurst, chief technology officer of GlobalSign, in an interview with CivSource. “The improvement in website security is certainly encouraging for us to see, but this is the absolute tip of a very big, fast-moving and dangerous iceberg.”
GlobalSign is also working with governments at both the federal and state level to ensure that they comply with the security requirements outlined by NIST and OMB, and is helping them with IPv6 issues. CivSource has previously reported on recent risk guidance from NIST concerning fraudulent and expired security certificates; that report noted that users and administrators may not readily be able to tell that they have encountered a bad certificate.
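To make concrete what a checker of this kind has to do (find every server behind a name, including IPv6 ones, handshake with each, and flag expired or otherwise unverifiable certificates and legacy protocol or cipher settings), here is a minimal probe written for this article. It is an added illustration, not GlobalSign's tool or code; its letter-grade thresholds, the `Observation` record and the `demo()` inputs are this example's own assumptions, and the addresses in `demo()` are constructed, not real servers.

```python
"""Minimal TLS configuration probe, in the spirit of the checker described above.
Added illustration, not GlobalSign's tool. Scoring thresholds are assumed."""
import socket
import ssl
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Observation:
    address: str
    protocol: str                  # negotiated version, e.g. "TLSv1.3"
    cipher: str                    # negotiated suite, OpenSSL name
    key_bits: int                  # secret bits of the suite
    not_after: Optional[datetime]  # leaf cert expiry (UTC); None if the chain did not verify
    verify_error: Optional[str]    # OpenSSL verify message, or None if chain and hostname checked out


LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP")


def resolve(hostname: str, port: int = 443) -> list:
    """Every IPv4 and IPv6 address behind the name; one bad node behind a load balancer is enough."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _observe(tls: ssl.SSLSocket, address: str, verify_error: Optional[str]) -> Observation:
    name, _, bits = tls.cipher()
    cert = tls.getpeercert()  # empty dict when verification was disabled
    not_after = None
    if cert:
        not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return Observation(address, tls.version(), name, bits, not_after, verify_error)


def probe(hostname: str, address: str, port: int = 443, timeout: float = 5.0) -> Observation:
    """One handshake to `address`, sending `hostname` as SNI and verifying the cert against it."""
    ctx = ssl.create_default_context()
    # The default context refuses legacy protocols; lower the floor so a server that still
    # negotiates them is observed and graded instead of just failing to connect.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return _observe(tls, address, None)
    except ssl.SSLCertVerificationError as exc:
        verify_error = exc.verify_message  # e.g. "certificate has expired", "Hostname mismatch ..."
    # Chain or hostname check failed: reconnect unverified, purely to record protocol and cipher.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return _observe(tls, address, verify_error)


def grade(obs: Observation, now: datetime):
    """Letter grade plus remediation findings for one server (thresholds are assumed)."""
    findings = []
    # A certificate that does not verify is fatal: users either get a warning they click
    # through, or no warning at all if a fraudulent certificate is still trusted.
    if obs.verify_error:
        findings.append("certificate did not verify: %s" % obs.verify_error)
        return "F", findings
    score = 100
    if obs.protocol in LEGACY_PROTOCOLS:
        findings.append("negotiated %s; disable everything below TLS 1.2" % obs.protocol)
        score -= 40
    if obs.key_bits < 128 or any(tok in obs.cipher for tok in WEAK_CIPHER_TOKENS):
        findings.append("weak suite %s; prefer AEAD suites (AES-GCM, CHACHA20-POLY1305)" % obs.cipher)
        score -= 30
    if obs.not_after is not None and obs.not_after - now < timedelta(days=30):
        findings.append("certificate expires %s; renew before it lapses" % obs.not_after.date())
        score -= 15
    letter = "A" if score >= 90 else "B" if score >= 70 else "C" if score >= 50 else "D"
    return letter, findings


def report(hostname: str):
    """Probe every server behind `hostname`; returns {address: (grade, findings)}."""
    now = datetime.now(timezone.utc)
    results = {}
    for address in resolve(hostname):
        try:
            results[address] = grade(probe(hostname, address), now)
        except (OSError, ssl.SSLError) as exc:
            results[address] = ("F", ["could not complete a TLS handshake: %s" % exc])
    return results


def demo():
    """Grade constructed observations (documentation addresses, not real servers) offline."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    samples = {
        "modern": Observation("192.0.2.1", "TLSv1.3", "TLS_AES_256_GCM_SHA384", 256, now + timedelta(days=200), None),
        "legacy": Observation("192.0.2.2", "TLSv1", "RC4-SHA", 128, now + timedelta(days=200), None),
        "expiring": Observation("192.0.2.3", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", 128, now + timedelta(days=10), None),
        "expired": Observation("2001:db8::1", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", 128, None, "certificate has expired"),
    }
    return {name: grade(obs, now)[0] for name, obs in samples.items()}


if __name__ == "__main__":
    for address, (letter, findings) in report(sys.argv[1]).items():
        print(address, letter)
        for finding in findings:
            print("   -", finding)
```

Run it as `python probe.py example.gov` to grade each address the name resolves to; `demo()` exercises the grading scale without touching the network. The two-phase connect in `probe()` is deliberate: the first attempt verifies chain and hostname exactly as a browser would, and only when that fails does it reconnect unverified, so the unverified mode exists to record what the server offers, never to talk to it.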
Hurst explains that professionals are very often well-intentioned, but keeping up with the shifting threats to security online is daunting. “If you look at the configurations of servers generally, they aren’t very good. IT people often think they did what they could do, but as a practical matter they really haven’t. So we wanted to help make the internet a safer place by giving people the opportunity to check themselves.”
Hurst says that GlobalSign plans to keep the tool free and open for anyone to use, and will continue to update it as new information or settings come online.