Secure Browsing in Local Government: The Case of Portugal

Abstract

This article addresses the adoption and use of Hypertext Transfer Protocol Secure (HTTPS) in the entry pages of the official websites of all (308) Portuguese municipalities. This is relevant because such websites are typically used to provide transactional services to citizens, and citizens need to trust that websites are authentic and that confidentiality and integrity of the information exchanged is assured in the communication process. Automated and, whenever needed, manual analyses were used to investigate the entry pages. Specifically, we checked for the existence of an HTTPS site; the correctness of website certificates and their certification chain; coherence between contents of the HTTP and HTTPS versions of websites; redirection from the HTTP version of a website to its HTTPS version; the existence of resources fetched using HTTP in HTTPS versions of websites; and exploitation of HSTS. A Quality Indicator was then defined and a classification of the municipalities into quality groups was produced. Possible determinants for the results obtained by the municipalities were also investigated. The general conclusion is that there is still much to be done to assure that citizens can communicate securely with the websites of all Portuguese municipalities, since only 3.6% of the municipalities were considered good, while 46.1% do not guarantee the minimum conditions. We argue that these results are associated with the fact that most Portuguese municipalities do not have the critical technical and managerial mass to correctly implement and maintain their websites. To mitigate this limitation, we propose the dissemination of technical instructions on how to correctly configure and deploy municipal HTTPS websites and the creation of shared services between the smaller municipalities.