We tested the portals of government services using new methods that assess the reliability of HTTPS connections with them and the level of protection against XSS, and also compared them with the sites of social networks, banks, transport and service companies. The result is somewhat predictable (everything is bad with the security of electronic public services), but in some ways it is not (most sites from the "control group" are not doing better), but let's talk about everything in order.
Thus, we investigated three state services portal - the all-Russian , Moscow and Moscow Region - by new methods of calculation HTTPS Reliability Index and the Index of protection against the XSS , invented for the project "Monitor gossaytov" .
We investigated not only the main hosts of the portals, but entire "pools" of hosts, i.e. all discovered hosts from which these portals download resources in the process of receiving electronic government services by citizens: www.gosuslugi.ru, oplata.gosuslugi.ru, lk.gosuslugi.ru, etc. For comparison, we also examined the sites Vkontakte , Odnoklassniki , Sberbank Online , personal accounts of subscribers of Beeline , Russian Post , Russian Railways , Aeroflot, and an authorization portal for Yandex services .
The results were published in the report "Public Service Portals: Imaginary Security", whose name is quite eloquent: the HTTPS reliability index of the Moscow region portal of public services was 37 points, the all-Russian - 12, and the Moscow - 11 out of 108 possible.
These points were the sum of the Ingress Controller's self-signed TLS certificate, exposed to the Network as a website certificate, SSL support in 2021, unclosed CVE-2014-3566 (POODLE), CVE-2016-2183 / CVE-2016- 6329 (SWEET32), CVE-2016-2107 (OpenSSL Padding Oracle) and other miracles on servers whose software has not been updated for years, and the settings befit a beer tent site rather than a government portal that processes and stores personal, financial and other sensitive information of millions Russians, "protecting" it in the same year 2021 with a cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA. If someone has not caught the sarcasm, then all the algorithms used in this cipher suite are unreliable or vulnerable.
For comparison, the index of the Aeroflot website was 60 points, and the social networks Vkontakte and Odnoklassniki - 57 and 58 points, respectively.
Yes, your eyesight does not fail you: Sberbank Online has one of the worst ratings. If you don’t believe it, check it out, familiarize yourself with the technique, with explanations to it , find flaws, poke your nose in them - we will be grateful and we will revise it.
Not the best results for the portals of public services and in the XSS Security Index: 0 points for the All-Russian and 10 points for the Moscow and Moscow Region. Among the third-party resources uploaded to these portals are maps, "free" libraries, fonts, analytics systems and further with all the stops from the standard set of a novice web developer with a budget of 5000 rubles. Only the Moscow portal, which loads its visitors with the resources of the AdFox advertising network, was distinguished by its originality.
In the control group, social media portals are again in the lead, although their result cannot be called outstanding. The Russian Railways website, like the All-Russian portal of public services, did not receive a rating at all, since does not meet any of the criteria taken into account in its preparation. However, Odnoklassniki were literally one step away (or rather, a point) from a higher league.
Again the diagram
And here, in addition to the traditional discussion about why corporations of the radiant beaver seek to crawl to every site on the Internet - out of altruistic concern for the common good or a selfish desire to control everything and everything,
Well, all these prohibitions to use information systems located outside of the Russian Federation, provide remote access to the software used by unauthorized persons and transfer information to them, including "telemetry" - are taken into account only if
The question, of course, is not for the Khabrovites, so we are going to ask it to FSTEK or FSB, if they are not very busy coming up with another convincing explanation of