Research Article

Investigating Secure Implementation of Government Web based Systems in Tanzania

by Aron Kondoro, Joel Mtebe
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 182 - Number 10
Year of Publication: 2018
Authors: Aron Kondoro, Joel Mtebe
DOI: 10.5120/ijca2018917712

Aron Kondoro, Joel Mtebe. Investigating Secure Implementation of Government Web based Systems in Tanzania. International Journal of Computer Applications. 182, 10 (Aug 2018), 6-14. DOI=10.5120/ijca2018917712

@article{ 10.5120/ijca2018917712,
author = { Aron Kondoro, Joel Mtebe },
title = { Investigating Secure Implementation of Government Web based Systems in Tanzania },
journal = { International Journal of Computer Applications },
issue_date = { Aug 2018 },
volume = { 182 },
number = { 10 },
month = { Aug },
year = { 2018 },
issn = { 0975-8887 },
pages = { 6-14 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume182/number10/29854-2018917712/ },
doi = { 10.5120/ijca2018917712 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-07T01:10:58.705959+05:30
%A Aron Kondoro
%A Joel Mtebe
%T Investigating Secure Implementation of Government Web based Systems in Tanzania
%J International Journal of Computer Applications
%@ 0975-8887
%V 182
%N 10
%P 6-14
%D 2018
%I Foundation of Computer Science (FCS), NY, USA
Abstract

The government of Tanzania has been adopting various web-based systems to improve public services to its citizens. With these systems being online, security and privacy have started to play a key role. Many systems use HTTP over Transport Layer Security (HTTPS) to secure their web front ends. However, many HTTPS implementations still suffer from several security and privacy problems. This study investigated the security of HTTPS implementations in government web-based systems in Tanzania. Using a sample of 74 government web-based systems, an automated tool, testssl, was used to check for well-known HTTPS/SSL vulnerabilities, configuration mistakes, support for outdated and vulnerable protocols, and adherence to HTTPS best practices. Results show that 43% of web systems have serious HTTPS security issues due to vulnerabilities and configuration mistakes. These issues can lead to system compromise, disclosure of sensitive information, and loss of privacy to citizens. The study highlights these security issues that may have been overlooked and offers suggestions that may prevent them in the future.

Index Terms

Computer Science
Information Sciences

Keywords

Web Security, HTTPS, TLS/SSL, e-Government