Russian state sites: an illusion of security

In 2016 we asked ourselves how many federal government sites support HTTPS. The answer (are you ready?) was 2 (in words: two, Karl!) sites out of 85. Formally, 32 supported it, i.e. HTTPS was enabled on the server, but then everything ran into traditional Russian slovenliness: the SSL certificate was expired, self-signed, or even issued for another site; the HTTPS connection automatically switched back to HTTP or redirected to the site's admin panel; the web server was vulnerable to ROBOT, POODLE and other such nasties; HTTPS was offered only over SSL; and other outrages of that kind.



So even by our modest criteria (a valid SSL certificate, support for TLS 1.2, and no vulnerable or unreliable crypto algorithms such as DH and RC4) only 2 sites actually supported HTTPS (out of 85 surveyed, remember).



Today we asked ourselves the same question again, tightening the criteria slightly, and even so the picture turned out to be much better: 27 out of 82 sites can be considered to actually support HTTPS, and another 23 support it conditionally. Conditionally in the sense that the protection depends largely on the client side: with a current browser, properly configured, and https:// typed in by hand, the connection is protected; fail any of those and it depends.



Another 8 sites only imitate HTTPS support (the same slovenliness): self-signed (the Assay Office) and broken (the Ministry of Defense and FADN) SSL certificates, vulnerable cipher suites (the Ministry of Economic Development), and in places they still have not heard of software updates, so their web servers shine out onto the Web with friendly banners reading "We have ROBOT & POODLE!" (the Ministry of Construction, Rosreestr, Rosfinmonitoring and Rosnedra).



The remaining 24 sites, from the President's to the CEC's, took an even easier route: no HTTPS, no problem. The SVR: what do we need a secure connection for? The FSB: report a terrorist plot over HTTP! The FSO: we have nothing to hide, and neither do you. We do not know for sure, of course, but there seems to be a logic to it: after all, it is not a bank's website or some VKontakte, so one can do without a secure connection.
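As an added example (not code from the original article), here is how criteria of this kind can be turned into a concrete audit: a probe that records what a host actually offers on port 443 and on port 80, and a classifier that sorts the result into the four buckets used above. The four labels and the exact rules for assigning them are this example's own reading of the article's wording, the weak-cipher marker list is an assumption, and `probe()` needs network access while `classify()` can be fed a hand-filled `Observation`.

```python
# Added example, not the article's code: audit a host's HTTPS setup against
# criteria modelled on the article's (valid cert, TLS 1.2+, no weak ciphers, no
# downgrade to HTTP) and sort it into the article's four buckets.
import http.client
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Cipher-suite name fragments treated as weak (an assumption, not the article's list).
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "MD5")

@dataclass
class Observation:
    """What a probe learned about one host; can also be filled in by hand."""
    host: str
    https_reachable: bool           # some TLS handshake on :443 completed
    cert_valid: bool                # chain verifies and matches the hostname
    tls_version: Optional[str]      # negotiated by a modern client, e.g. "TLSv1.3"
    cipher: Optional[str]           # negotiated cipher-suite name
    https_redirects_to_http: bool   # https:// answers with Location: http://...
    http_redirects_to_https: bool   # http:// answers with Location: https://...
    legacy_protocol_accepted: bool  # server still completes TLS 1.0/1.1 handshakes

def uses_weak_cipher(cipher: Optional[str]) -> bool:
    return cipher is None or any(m in cipher.upper() for m in WEAK_CIPHER_MARKERS)

def classify(obs: Observation) -> str:
    """Four buckets modelled on the article's; the exact rules are this example's reading."""
    if not obs.https_reachable:
        return "no HTTPS"
    modern_tls = obs.tls_version in ("TLSv1.2", "TLSv1.3")
    if (not obs.cert_valid or not modern_tls or uses_weak_cipher(obs.cipher)
            or obs.https_redirects_to_http):
        return "imitation"  # enabled on the server, but protecting nobody
    if obs.http_redirects_to_https and not obs.legacy_protocol_accepted:
        return "supports HTTPS"
    # Protected only if the client types https:// itself and refuses old protocols.
    return "conditionally supports HTTPS"

def _insecure_ctx() -> ssl.SSLContext:
    """Verifies nothing; used only to see what a host offers once strict checks fail."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def _handshake(host: str, ctx: ssl.SSLContext) -> tuple:
    """One TLS handshake on :443, returning (protocol version, cipher name)."""
    with socket.create_connection((host, 443), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

def _location(host: str, https: bool) -> str:
    """Lower-cased Location header of GET / (empty when there is no redirect or on error)."""
    try:
        conn = (http.client.HTTPSConnection(host, timeout=5.0, context=_insecure_ctx())
                if https else http.client.HTTPConnection(host, timeout=5.0))
        conn.request("GET", "/")
        location = conn.getresponse().getheader("Location") or ""
        conn.close()
        return location.lower()
    except (OSError, http.client.HTTPException):
        return ""

def _legacy_accepted(host: str) -> bool:
    """Does the server still finish a handshake when offered only TLS 1.0/1.1?"""
    ctx = _insecure_ctx()
    try:
        ctx.minimum_version, ctx.maximum_version = ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL-specific: allow the old suites
        _handshake(host, ctx)
        return True
    except (OSError, ValueError):
        return False  # refused by the server, or this client cannot speak them at all

def probe(host: str) -> Observation:
    """Collect an Observation over the network (needs connectivity)."""
    strict = ssl.create_default_context()
    strict.minimum_version = ssl.TLSVersion.TLSv1_2
    reachable = cert_valid = False
    version = cipher = None
    try:
        version, cipher = _handshake(host, strict)
        reachable = cert_valid = True
    except OSError:
        try:  # broken certificate or legacy-only server? retry without verification
            lax = _insecure_ctx()
            lax.minimum_version = ssl.TLSVersion.TLSv1
            version, cipher = _handshake(host, lax)
            reachable = True
        except (OSError, ValueError):
            pass  # nothing answers TLS on :443
    return Observation(
        host=host, https_reachable=reachable, cert_valid=cert_valid,
        tls_version=version, cipher=cipher,
        https_redirects_to_http=reachable and _location(host, True).startswith("http://"),
        http_redirects_to_https=_location(host, False).startswith("https://"),
        legacy_protocol_accepted=reachable and _legacy_accepted(host))

if __name__ == "__main__":
    import sys
    for h in sys.argv[1:] or ["example.com"]:
        o = probe(h)
        print(f"{h}: {classify(o)} ({o.tls_version}, {o.cipher})")
```

Run it as `python audit.py host1 host2 ...` to get one line per host. The strict context mirrors what a current browser does (verified chain, TLS 1.2 or better); only when that fails does the probe fall back to an unverified handshake, so that a host with a self-signed certificate or a TLS 1.0-only server lands in "imitation" rather than being mistaken for "no HTTPS".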



In general, everything that any halfway decent virtual hosting provides today for a few thousand rubles a year (a proper SSL certificate from Let's Encrypt, an up-to-date web server and cryptographic libraries with sensible settings) is still out of reach for most Russian authorities. Yet every one of them, mind you, has some kind of subordinate GIVTs (main information and computing centre) with the appropriate staff and budget...


