Why Government is not securing their Website

I am going to discuss important topic in the post. It is related to some website owned by Government of India and used by people which are not secure and till date Government is using it. It may result in leaking your personal information if you use it.

Lets see first what I meant by securing the website:

Every website start with http is a protocol to transfer pages from server to your desktop. It is not a private connection and anyone can use the traffic snippet to see what you are sending to web server. The connection is not encrypted for this transfer. See the example below.

This video will explain it better:

Website

Now the https protocol is secure and it encrypt data before sending it to server. Even if anybody trap the data in between, they cannot see it as it is unreadable. So you would be sure that your personal data is secure. See the example below.

Website

Now lets me demonstrate some of the Government website which are open to attack:

Track Passport –  Passport seva – http://passportindia.gov.in/ –  This site mentioned a url to track passport here : http://passportindia.gov.in/AppOnlineProject/statusTracker/trackStatusInpNew. Have you noticed, here url start with http meant your connection with this url is not secure. Anybody can read the data sent over.

Website

Now let me show you how an attacker can get this data shown above. There a lot of sniffer tool available in the market which is used to capture this data. I am going to use Wireshark. A easy tool to capture all data flowing thru internet. So I opened above url and input some random value.

So let me run Wireshark and see the result.

Website

Can you see it. I can capture every piece of data you entered as it is not encrypted. Once somebody know this data, he/she can get your passport number or data of birth etc and can misuse this data.So practically an attacker can physically or a network administrator can easily capture this data before it even reaches data server. I have noticed on this website visa or OCI, there is no security and is open to attack. So next time when you try to track your passport, be sure that your data is not secure.

Let me take another example:

Indian Post Office – Track Consignments – http://www.indiapost.gov.in/articleTracking.aspx

This is again tracking url for all document sent by Indian post.Notice it, it start with http so it is not private. The problem is if anyone know your consignment number, he can easily track when your important document will be delivered.Again check the same tracking url from Blue dart, it is protected. https://www.bluedart.com/maintracking.html

I am not saying all Governmentwebsite is not secure. I noticed PAN card, Aadhaar ,Income tax website and some other website is secure but it should be applied on all important websites.

What needs to be done?

  • Immediately secure all website with https which contains personal information
  • Find other website which are not secure and update them

How much it cost to make a website as https?

You must be thinking it is very costly to implement https for a website (An extra burden for Govt) but it is not. On an average to implement https on a website cost INR 1425 per year. So definitely cost is not a factor here. I think in India Govt do not care much about sensitive personal information as in other country. The other reason could be that they do not have a good technology partner for their website.

What you need to take care?

As a consumer or a user you need to very careful while providing personal information to a website. Do not provide important detail like Credit card detail, Passport, PAN card, Aadhaar number etc to any website unless it is secure by https. Please do share your thoughts. I would love to hear from you.

>