
Several Govt. websites face danger of attack

By Mimi Alphonsus

Scores of government websites are missing vital Secure Sockets Layer (SSL) certification—a basic component of cybersecurity that ensures a safe connection—thereby putting users’ sensitive data at risk, the Sunday Times has found.

In an independent analysis of 130 official websites, it was detected that at least 35 of them (around 27 percent) lack valid SSL certification. SSL encrypts data, ensuring that users’ information is secure when travelling from their browser to web servers.

Among the unsecured ones are popular websites that request users to submit personal data such as phone numbers, national identity card numbers, details of family members, certificate numbers, shipping details, usernames, and passwords. The Sunday Times chose not to identify unsecured websites.

An SSL encrypts data and provides the web server a key to that data without which a hacker will not be able to decrypt and make sense of the information. When there is no SSL, data is unencrypted and can easily be stolen or manipulated by an attacker who simply relies on or breaks into a user’s WiFi connection or an internet service provider’s network.

Without SSLs, sites become more vulnerable to security incidents like phishing scams and data breaches. Google also penalises websites that do not have SSL certifications, making them harder for users to find.

The lack of SSL certification, therefore, means that critical government websites become harder for the public to access—they show up less readily in searches, while Google also warns users that they are insecure, thereby discouraging their use.

Under a Cabinet decision taken in May last year, government organisations are required to comply with the Information and Cybersecurity Policy as set out by the Sri Lanka Computer Emergency Readiness Team (SLCERT), the main cyber security regulatory body. Using a secure connection during data transfer is one requirement set. However, the Sunday Times found that multiple government websites have violated this requirement.

Additionally, the Personal Data Protection Act passed in 2022 requires that entities handling data “ensure integrity and confidentiality of personal data” by taking measures including “encryption, pseudonymisation, anonymisation or access controls.” Lack of SSL certification on some websites could thus constitute a violation of the law.

The Sunday Times also came across official websites that used outdated versions of software, making them more vulnerable to attacks, including defacement, such as the one that took place against the Education Ministry website earlier this month. (See Page 16 for related story.)
