Russian state sites: an illusion of security
In 2016, we asked ourselves: how many federal government websites support HTTPS? We found out, and are you ready? In fact, 2 (in words: two, Karl!) sites out of 85. Formally, 32 supported it, i.e. HTTPS was enabled on the servers, but then everything ran into traditional Russian sloppiness: the SSL certificate was expired, self-signed, or even issued for another site; the HTTPS connection automatically switched to HTTP or redirected to the site's admin panel; the web server was vulnerable to ROBOT, POODLE and other nasties; the HTTPS connection worked only over SSL; and other such joys.
So even by our modest criteria - a valid SSL certificate, support for TLS 1.2 and no vulnerable or unreliable crypto algorithms such as DH and RC4 - only 2 sites actually supported HTTPS (remember, out of 85 surveyed).
Today we asked the same question again. Although we tightened the criteria somewhat, the situation was still noticeably better: 27 out of 82 sites can be considered to actually support HTTPS, and 23 more support it conditionally. Conditionally in the sense that under certain conditions, which depend largely on the client side - a current browser version, properly configured, with https:// typed in by hand - the connection is protected; if any of those is missing, it depends.
Another 8 sites only imitate HTTPS support (the same sloppiness): self-signed (Assay Office) and broken (Ministry of Defense and FADN) SSL certificates, vulnerable cipher suites (Ministry of Economic Development), and in some places they still have not heard of software updates, so their web servers shine on the Net with friendly banners reading "We have ROBOT & POODLE!" (Ministry of Construction, Rosreestr, Rosfinmonitoring and Rosnedra).
The remaining 24 sites, starting with the president's and ending with the CEC's, did something even simpler: no HTTPS, no problem. The SVR: why would we need a secure connection? The FSB: report a terrorist attack in preparation over HTTP! The FSO: we have nothing to hide, and neither do you. We do not know for sure, of course, but there seems to be a logic to it: after all, it is not a bank's website or some VKontakte, you can do without a secure connection.
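The four buckets used above (no HTTPS, imitation, conditional, actual support) can be turned into a repeatable check. The script below is an added example written for this post, not code from the authors; it treats an untrusted or mismatched certificate, a TLS version below 1.2, RC4 or finite-field DH cipher suites, and an https:// URL that bounces back to http:// as "imitation", and a site that is secure only when the visitor types https:// by hand (no redirect from plain HTTP) as "conditional". The exact thresholds and the wording check on the OpenSSL error message are assumptions; `probe()` needs network access, while `classify()` works on recorded observations.

```python
import http.client
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Hypothetical checker written for this post; the thresholds below are assumptions.
ACCEPTED_TLS = ("TLSv1.2", "TLSv1.3")


@dataclass
class Observation:
    """What a client sees when it tries a host over HTTPS."""
    tls_answers: bool              # something on port 443 completes a TLS handshake
    cert_trusted: bool             # chain validates against the system trust store
    hostname_matches: bool         # certificate was issued for this host name
    tls_version: Optional[str]     # e.g. "TLSv1.2"
    cipher: Optional[str]          # OpenSSL name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    https_downgrades: bool         # https:// answers with a redirect back to http://
    http_redirects_to_https: bool  # plain http:// sends the visitor to https://


def weak_cipher(name: Optional[str]) -> bool:
    """RC4 and finite-field DH count as unreliable, matching the post's criteria."""
    if not name:
        return True
    return "RC4" in name or name.startswith(("DHE-", "DH-", "ADH-"))


def classify(o: Observation) -> str:
    """Sort a host into the post's buckets: none, imitation, conditional, supported."""
    if not o.tls_answers:
        return "none"
    # Any one of these makes the connection untrustworthy: HTTPS in name only.
    if (not o.cert_trusted or not o.hostname_matches
            or o.tls_version not in ACCEPTED_TLS
            or weak_cipher(o.cipher) or o.https_downgrades):
        return "imitation"
    # Secure only for a visitor who types https:// by hand.
    if not o.http_redirects_to_https:
        return "conditional"
    return "supported"


def _location(scheme: str, host: str) -> Optional[str]:
    """HEAD / over the given scheme and return the Location header, if any."""
    if scheme == "https":
        conn = http.client.HTTPSConnection(host, timeout=10,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, timeout=10)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Location")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def probe(host: str) -> Observation:
    """Observe a live host (needs network access; not exercised by the tests)."""
    cert_ok = host_ok = True
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                version, cipher = tls.version(), tls.cipher()[0]
    except ssl.SSLCertVerificationError as err:
        # Chain or name problem: retry without verification only to read the parameters.
        cert_ok = False
        host_ok = "mismatch" not in str(err).lower()  # assumption: OpenSSL message wording
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with socket.create_connection((host, 443), timeout=10) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    version, cipher = tls.version(), tls.cipher()[0]
        except (OSError, ssl.SSLError):
            version = cipher = None
    except (OSError, ssl.SSLError):
        # Nothing usable on 443 (or a handshake this client refuses outright).
        return Observation(False, False, False, None, None, False, False)
    https_loc = _location("https", host) if cert_ok and host_ok else None
    http_loc = _location("http", host)
    return Observation(
        tls_answers=True, cert_trusted=cert_ok, hostname_matches=host_ok,
        tls_version=version, cipher=cipher,
        https_downgrades=bool(https_loc and https_loc.lower().startswith("http://")),
        http_redirects_to_https=bool(http_loc and http_loc.lower().startswith("https://")),
    )


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:
        print(h, classify(probe(h)))
```

Run it as `python check_https.py example.gov.placeholder another.host` to print one verdict per host. Keeping `classify()` separate from `probe()` means the verdict logic can be unit-tested with constructed observations and fed from any other scanner's output; a server that only offers SSLv3 or a cipher list the default context rejects will land in "none" here, since a modern client cannot complete the handshake at all.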
In general, everything that any halfway decent virtual hosting provides today for a few thousand rubles a year - a normal SSL certificate from Let's Encrypt, an up-to-date web server and cryptographic libraries with sensible settings - is still out of reach for most Russian authorities. And yet, hey, each of them has some subordinate GIVTs (main information and computing center) with the corresponding staff and budget...