Government fares poorly in Web site security audit
By William Jackson
Jul 02, 2014
The most heavily trafficked .gov and .mil domains generally received poor marks for security in an annual audit of Internet domains by the Online Trust Association (OTA). The one exception is their deployment of DNSSEC.
OTA, a non-profit industry association promoting best practices for online security, evaluated 800 top consumer Web sites, as well as the 50 busiest government sites. Although detailed scores were not broken out for government, senate.gov received the highest score, followed by USAjobs.gov and SSA.gov.
Overall, government sites scored 70.5 (out of 100) for properly implementing Secure Sockets Layer, and just 12.5 percent of the sites used Extended Validation SSL certificates, which trigger the green browser address bar that verifies a Web site’s identity. SSL is a protocol for Internet encryption.
In email authentication, 62 percent of agencies used the Sender Policy Framework validation scheme to detect spoofing, and only 28 percent were using DomainKeys Identified Mail to tie a domain name to an email message.
The one area in which government excelled was deployment of the Domain Name System Security Extensions, DNSSEC, to protect the DNS infrastructure from exploits. Only the federal sites had significant adoption, with 92 percent.
Guidelines for securing the DNS, which translates Internet domain names to numeric IP addresses, were updated by the National Institute of Standards and Technology in 2013.
The next highest sector had only 5 percent DNSSEC adoption. “DNSSEC continues to struggle as an IT priority in spite of its technical value,” the study concluded. Government’s high deployment reflects a mandate from the Office of Management and Budget to implement the extensions.
William Jackson is a freelance writer and the author of the CyberEye blog.