College Of

Electronic Technology
Department of Communication

Basic Flaws in Governmental Sites

Security

Report Was Submitted in Partial Fulfillment of The Requirements

for The midterm Exam in Technical Reports.

‫ عبدالملك عبدالرحمن أحمد عكاشة‬:‫إعداد الطالب‬

‫ حمزة أبوبكر عمر الميموني‬.‫ د‬:‫إشراف‬

(‫)هندسة تصنيع الطيران المدني‬

‫الفصل الثالث التخصص اتصاالت المجموعة الثانية‬

02/June/2023

i
Table of Contents
1.Introduction.........................................................................................1
2.Common Government Security Vulnerabilities................................3
2.1 The Usage of HTTP instead of HTTPS........................................3
2.2 Inactive Government sites not being disposed............................4
2.2.1 Risks of Inactive Governmental Sites....................................6
2.3 client-side authentication..............................................................6
2.3.1 vulnerabilities associated with client-side authentication....7
3. Solutions............................................................................................. 8
Reference:...............................................................................................9

ii
1.Introduction
Website security is crucial for governmental sites for several reasons.
Here are some of the reasons based on the search results:

1. Governments are responsible for sensitive data and information, and

any loss of data can lead to financial theft and loss of resident trust.
Governments become liable for any falsification and abuse of the stolen
information. Therefore, it is essential to keep the website safe from
hackers to prevent data loss and maintain resident trust. [1]

2. Government websites are vulnerable to cybercrime threats like

hacking and data breaches. Therefore, expert-level cybersecurity is
necessary to protect sensitive national data, investments, and citizens.
[2]

3. Government institutions are entrusted with sensitive data and

important responsibilities. A data breach or cyberattack can lead to
significant financial losses and reputational damage. Therefore,
cybersecurity is essential to protect the government's sensitive data and
maintain public trust. [3]

4. Governments rely heavily on technology to run day-to-day activities,

and most of the services provided by governments are available from
websites. Any country has countless websites linked with the
government that ensures the country is running effectively. Therefore,
website security is vital to protect sensitive national data and provide
uninterrupted services. [4]
1
5. Website security refers to the protection of personal and
organizational public-facing websites from cyberattacks. Governmental
sites are vulnerable to cyberattacks, and website security is necessary to
prevent data breaches and maintain public trust. [5]

In summary, website security is essential for governmental sites to

protect sensitive data, prevent financial theft, maintain public trust, and
provide uninterrupted services. Governments should focus on expert-
level cybersecurity, continuous automated and human monitoring, and
strong cybersecurity laws to prevent, investigate, and take actions
against cybercrimes.

2
2.Common Government Security
Vulnerabilities

2.1 The Usage of HTTP instead of HTTPS

[6]
The picture above is a governmental website that is used to publish
Results of Primary School Degree.
Where you can notice that there’s a lock saying that it’s insecure, that’s
because it uses HTTP instead of HTTPS, so why is it insecure and why
should governmental site avoid it, HTTP (Hyper Text Transfer Protocol)
and HTTPS (Hyper Text Transfer Protocol Secure) the only Difference
lays behind the s which means secure but how is it more secure.

3
 1. Unencrypted HTTP connections create a privacy vulnerability and
expose potentially sensitive information about users of
unencrypted websites and services. Data sent over HTTP is
susceptible to interception, manipulation, and impersonation. The
people expect government websites to be secure and their
interactions with those websites to be private. [7]

2. HTTPS use port 443 which provides an encrypted connection and

transmits date at transport layer, Whereas HTTP use port 80 which
provides an unencrypted connection and transmits date at
application layer, which makes it more susceptible to data
breaches. [8]

2.2 Inactive Government sites not being

disposed of

[9]

4
 [10]

Both of the picture above indicate that they are governmental website
used for the renewal process for a passport but which one is the real one
you my ask, well the answer is both one of them is an inactive site
without supervision, the picture below is of a website that scans domain
names and sees who’s the owner and if its active or not.

[11]

5
2.2.1 Risks of Inactive Governmental Sites

1. Having Inactive governmental sites can lead to a loss of trust among

residents who rely on the site for information and services. This can
damage the reputation of the government and lead to a decrease in
public support.

2. Inactive governmental sites can be vulnerable to security breaches,

which can lead to the loss of sensitive data and information.
Governments can become liable for any falsification and abuse of the
stolen information. Security breaches can also lead to financial theft and
loss of data.

3. Governmental sites are often targeted by hackers, which means that

inactive sites are vulnerable for hijacking attempts, that could result the
hacker using the site for scamming people.

2.3 client-side authentication

client-side authentication is a method of verifying the identity of a user
on the client-side, rather than on the server-side.
The picture below shows how someone can change the requirement for
registering in Governmental site and by just pressing Ctrl+Shift+I.

6
 [12]

2.3.1 vulnerabilities associated with client-

side authentication

- Any attacker may read the source code and reverse-engineer the
authentication mechanism to access parts of the application which would
otherwise be protected.[13]

- Client-side authentication can be vulnerable to brute-force attacks if

the application has poor brute-force protection.[14]

- Attackers can exploit client-side authentication by using malicious

JavaScript to take advantage of a bug in a browser.[15]

7
- Client-side authentication is extremely weak and may be breached
easily, which means that attackers can bypass the authentication check
by modifying the client code.[16]

- If the client-side authentication is combined with server-side

authentication, attackers can sniff the hash and use it to gain access to
the server.[17]

3. Solutions
Here is a step-by-step guide on how to move a website from HTTP to
HTTPS:
1. Buy an SSL certificate: An SSL certificate is required to enable
HTTPS
on your website. You can buy an SSL certificate from a trusted
certificate authority or use a free SSL certificate provider like Let's
Encrypt.
2.Redirciting inactive website link to UpToDate website.
3.Having a banner telling incoming users that the site is inactive, and
they avoid interacting with it.
4. Redirect HTTP to HTTPS: You need to redirect all HTTP traffic to the
equivalent HTTPS page.
5. Migrating everything from the old into the new one, and shutting off
the old web server completely.
6. Governments should avoid using client-side authentication and
instead use server-side authentication to ensure the security of user data.

8
Reference:
[1] https://www.civicplus.com/blog/ce/the-importance-of-website-
security
[2] https://www.ifsight.com/insights/your-government-website-deserves-
expert-level-cybersecurity
[3] https://www.checkpoint.com/cyber-hub/cyber-security/what-is-
cybersecurity-for-governments/
[4] https://www.scarlettcybersecurity.com/why-is-cybersecurity-
important-to-the-government
[5] https://www.cisa.gov/news-events/news/website-security
[6] http://161.47.21.187/finalresults/
[7] https://https.cio.gov/
[8] https://parablu.com/what-is-port-443-and-why-it-is-imperative-to-
your-dr-plan/
[9] https://ejraat.gov.ly/procedure/48?l=ar
[10] https://lpa.gov.ly/
[11] https://who.is/whois/lpa.gov.ly
[12] https://tve.gov.ly/ar/STU/Index
[13] https://cwe.mitre.org/data/definitions/603.html
[14] https://www.strongdm.com/blog/authentication-vulnerabilities
[15] https://security.stackexchange.com/questions/213078/what-are-
client-side-exploits
[16] https://cwe.mitre.org/data/definitions/603.html
9
[17] https://security.stackexchange.com/questions/91762/what-are-the-
disadvantages-of-combining-client-side-and-server-side-authenticati

10