Hello there
After a conversation that started with visiting https://rtionline.gov.in, I was curious about how many gov.in domains were serving web content, and how many of those were serving web content securely?
It turns out, not very many.
Looking at all the 385 domains currently visible under gov.in, 245 respond to web(80) requests - 63% are webs.
Of those, 78 attempt to use SSL - 32% attempt using SSL.
Only 32 are available over SSL without any warnings - 41% use SSL correctly.
And the remaining 46 use invalid SSL certificates - 59% use invalid SSL certificates.
This points at two different problems:
-
Most sites don’t use SSL This isn’t great for obvious reasons that I won’t go into. SSL can be an important first step in guaranteeing people imporant security rights on the internet.
-
Most sites that try to use SSL are configured incorrectly Only 13% of gov.in domains use ssl correctly. Because domains that should be available over https would trigger browser warnings, users(people) would often find themselves abandoning the site. Browsers, for good reason, complain loudly when they come across an invalid certificate, so this poses a real accessibility problem.
This could happen for many reasons the most common appears to be mismatched hostnames.
Let’s look at one misconfiguration.
u'tejas.gov.in': requests.exceptions.SSLError(requests.packages.urllib3.exceptions.SSLError(requests.packages.urllib3.packages.ssl_match_hostname.CertificateError("hostname 'tejas.gov.in' doesn't match either of '*.web-hosting.com', 'web-hosting.com'"))),
This looks like someone tried to follow along with a tutorial on how-to-ssl and failed to generate correct certs.
Let’s look at another.
u'spl.gov.in': requests.exceptions.SSLError(requests.packages.urllib3.exceptions.SSLError(requests.packages.urllib3.packages.ssl_match_hostname.CertificateError("hostname 'spl.gov.in' doesn't match either of 'www.vssc.gov.in', 'vssc.gov.in'"))),
And this looks like someone copied the ‘wrong’ certificate over. A lot of these look like they could be fixed fairly easily, but it makes the case that SSL configuration can be hard.
Finally, it appears more sites use SSL incorrectly than not. In the words of a now very famous man.
Sad!
I’ve posted the script used to collect data and the results, including the offending sites, here.
I’ve only recently started writing again. Consider yelling at me about anything on Twitter.