Implementing HTTPS for Secure Web Connections: Information Technology Policy Implementation Notice (ITPIN)
ITPIN No.: 2018-01
Date: June 27, 2018
On this page
1.1 The purpose of this Information Technology Policy Implementation Notice (ITPIN) is to direct departmentsFootnote 1 to implement Hypertext Transfer Protocol Secure (HTTPS) for web connections.
2.1 This ITPIN applies to all publicly accessible Government of Canada websites and web services.
3. Effective date
3.1 This ITPIN is effective as of June 27, 2018
4.1 This ITPIN applies to all departments that are subject to the Policy on Management of Information Technology.
Departments, agencies and organizations in the Government of Canada not subject to the Policy on Management of Information Technology are encouraged to abide by this ITPIN.
The heads of the following organizations are solely responsible for monitoring and ensuring compliance with this ITPIN within their organizations:
- Office of the Auditor General
- Office of the Chief Electoral Officer
- Office of the Commissioner of Lobbying of Canada
- Office of the Commissioner of Official Languages
- Office of the Public Sector Integrity Commissioner of Canada
- Offices of the Information and Privacy Commissioners of Canada
5.1 Canadians rely on the Government of Canada to provide secure digital services in a way that protects the information they provide to the government. Many government services collect personal information from users or present information to them that they then use to make important decisions. Unencrypted Hypertext Transfer Protocol (HTTP) connections to publicly accessible government websites and web services are vulnerable to manipulation and impersonation, and can expose sensitive user information.
5.2 Canadians must be confident that they are accessing a legitimate service and that their connections remain private and free from interference. By applying specific security standards that have been widely adopted in industry, departments can ensure the integrity and confidentiality of their communications with Canadians. This includes implementing the HTTPS protocol which provides a layer of protection by encrypting connections using Transport Layer Security (TLS). HTTPS, along with approved encryption algorithms, offers a level of security and privacy that users expect from Government of Canada web services. In addition, whilst using modern web browsers, a secure connection will always be initiated when HTTP Strict Transport Security (HSTS) is configured.
5.3 Implementing HTTPS is only one aspect of a secure digital service. Since configuring HTTPS will have an impact on enterprise visibility into these connections, departments will need to be more vigilant in safeguarding their systems. Good application security and system security practices such as patch management are crucial for supporting the delivery of reliable digital services. Appendix A provides additional security considerations for departments.
6.1 Departments are required to implement safeguards to ensure that all publicly accessible government websites and web services are configured to provide service only through a secure connection, in accordance with Section 6.2.4 of the Policy on the Management of Information Technology and the Policy on Government Security. This includes implementing a secure web connection that:
- 6.1.1 is configured for HTTPS (and redirected from HTTP)
- 6.1.2 has HSTS enabled
- 6.1.3 implements TLS 1.2, or subsequent versions, and uses supported cryptographic algorithms and certificates, as outlined in CSE’s
- 6.1.4 disables known-weak protocols such as all versions of Secure Sockets Layer (SSL) (e.g. SSLv2 and SSLv3) and older versions of TLS (e.g. TLS 1.0 and TLS 1.1), as per CSE ITSP.40.062
- 6.1.5 disables known-weak ciphers (e.g. RC4 and 3DES)
6.2 This direction must be applied as follows:
- 6.2.1 Newly developed websites and web services must adhere to this ITPIN upon launch.
- 6.2.2 Websites and web services that involve an exchange of personal information or other sensitive information must receive priority following a risk-based approach, and migrate as soon as possible.
- 6.2.3 All remaining websites and web services must be accessible through a secure connection, as outlined in Section 6.1, by September 30, 2019.
6.3 Departments must provide an up-to-date list of all domain and sub-domains for their publicly-accessible websites and web services, within 45 days of issuance of the ITPIN, using the following website: Submit your institution's domains. Departments are expected to submit requests for new domains to the Principal Publisher Service Desk.
6.4 Departments who cannot implement all the requirements of the ITPIN must apply to GC Enterprise Architecture Review Board (GC EARB) for an exemption with a rationale to justify the request. Departments should contact the CIOB-DPPI IT-Division-TI <ZZCIOBDP@tbs-sct.gc.ca> mailbox for requirements for submitting an exemption request.
6.5 To assist departments in measuring compliance, a dashboard will be established. Additional technical assistance and best practices to aid in the implementation of this ITPIN is available at: Secure digital services.
7.1 For interpretation of any aspect of this ITPIN, contact Treasury Board of Canada Secretariat Public Enquiries.
7.2 Individuals at departments should contact their departmental information technology group for any questions regarding this ITPIN.
7.3 Individuals from a departmental information technology group may contact the TBS Cyber Security (ZZTBSCYBERS@tbs-sct.gc.ca) mailbox for interpretations of this ITPIN.
8.1 Related policy instruments
- Policy on Management of Information Technology
- Policy on Government Security
- Policy on Privacy Protection
- Policy on Access to Information
- Directive on Departmental Security Management
- Operational Security Standard: Management of Information Technology Security (MITS)
- Guidance on Implementing the Standard on Web Accessibility
8.2 Additional Guidance
8.2.1 Government of Canada references
- CSE ITSG-33: Overview: IT Security Risk Management: A Lifecycle Approach
- CSE ITSB-89v3: Top 10 IT Security Actions to Protect Government of Canada Internet-Connected Networks and Information
- CSE ITSP.30.031 V2: User Authentication Guidance for Information Technology Systems
- CSE ITSP.40.062: Guidance on Securely Configuring Network Protocols
- CSE 40.111: Cryptographic Algorithms for Unclassified, Protected A, and Protected B Information
8.2.2 Other References
- Mozilla Foundation
- NIST IR 7298 Revision 2, Glossary of Key Information Security Terms (PDF, 1,287 KB);
- United States Digital Government Strategy
- NIST SP800-101 Guidelines on Mobile Device Forensics (PDF, 1,308 KB)
- NIST SP800-95 Guide to Secure Web Services (PDF, 1,191 KB)
- Open Web Application Security Project (OWASP)
- cryptographic algorithm
- A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output. (Source: NIST IR 7298 Revision 2)
- digital services
- Digital services include the delivery of digital information (i.e. data or content) and transactional services, such as online forms, across a variety of platforms, devices and delivery mechanisms, such as websites, mobile applications, and social media). (Source: United States Digital Government Strategy)
- Hypertext Transfer Protocol (HTTP)
- A standard method for communication between clients and web servers. (Source: NIST SP800-101)
- HTTP Secure (HTTPS)
- HTTP transmitted over Transport Layer Security (TLS). (Source: NIST SP800-95)
- HTTP Strict Transport Security (HSTS)
- Allows a website to inform the browser that it should never load the site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS instead. During page loading, the website returns the Strict-Transport-Security command in the webpage header, which is recorded by the user’s browser. Once recorded, all future attempts to load the site using HTTP will automatically use HTTPS instead. (Source: Mozilla Foundation, Dev docs)
- Public facing
- A public-facing website or web application is one that can be accessed by individuals and businesses outside the Government of Canada. (Source: Guidance on Implementing the Standard on Web Accessibility)
- sensitive information
- Information that if compromised would reasonably be expected to cause an injury. Sensitive information includes all information that falls within the exemption or exclusion criteria under the Access to Information Act and the Privacy Act. Sensitive information also includes controlled goods and other information and assets that have regulatory or statutory prohibitions and controls. (Source: Policy on Government Security)
- Transport Layer Security (TLS)
- Provides privacy and data integrity between two communicating applications. It is designed to encapsulate other protocols, such as HTTP. (Source: NIST SP800-95)
- web service
- A software component or system designed to support interoperable machine- or application-oriented interaction over a network. A web service has an interface described in a machine¬-processable format. Other systems interact with the web service in a manner prescribed by its description using Simple Object Access Protocol (SOAP) messages, typically conveyed using HTTP with an Extensible Markup Language (XML) serialization in conjunction with other web-related standards. (Source: NIST SP800-95)
Appendix A – Security Considerations
To protect GC electronic networks, devices and information, the following is a non-exhaustive list of security considerations that can be implemented in a layered manner to support a defence-in-depth approach for web services and minimize opportunities for cyber attacks:
- Deploy modern operating systems (OS) and applications that are maintained with supported, up-to-date, and tested versions of software.
- Actively manage software vulnerabilities, including fixing known vulnerabilities quickly following a timely patch maintenance policy for OS and applications, and taking other mitigating steps, where patches can’t be applied.
- Implement appropriate host-based protections to protect systems against both known and unknown malicious activity.
- Minimize available services and control connectivity by removing or disabling all non-essential ports and services as well as removing unnecessary accounts from systems.
- Enable system logging to improve the ability to detect and identify anomalous behaviours, perform system monitoring, and to assist with incident response and forensic analysis of compromised systems.
- Carefully control and manage privileges assigned to users and administrators. Provide a reasonable (but minimal) level of system privileges and rights needed for their role.
- Use strong authentication mechanisms (for example, multi-factor authentication) where possible to protect from unauthorized access.
- Design web services so that they are protected from common security vulnerabilities such as SQL injection and others described in widely-used publications such as the Open Web Application Security Project (OWASP) Top 10.
For more information on best practices, refer to Communications Security Establishment’s (CSE’s) IT security advice and guidance.
Report a problem or mistake on this page
- Date modified: