A survey by the security company DigiCert reveals that 47% of Brazil’s .gov domains do not have a TLS or SSL digital certificate, that is, they do not use an HTTPS connection. This means that more than 9,000 domains of the federal, state and municipal governments can transmit form data over the internet without any protection: among them are vulnerable login pages, anti-telemarketing registers and IPTU (property tax) lookup sites.
DigiCert counted a total of about 19,900 .gov domains in Brazil. Of these, 10,551 use HTTPS with a TLS or SSL certificate, including the federal government’s unified Gov.br portal launched this year. On these sites the browser shows a padlock in the address bar, indicating that the connection is encrypted.
Of course, as we have explained here, a secure connection does not mean that the site itself is safe. A study by the security consultancy PhishLabs showed that half of all phishing sites adopt HTTPS to appear more legitimate: the data you enter will be protected from eavesdroppers on the network, but will land directly in the hands of a criminal.
In other words, HTTPS is a necessary, but not sufficient, condition for a secure website. So it is a problem that 9,356 .gov.br domains do not even adopt this type of protection; remember that you can get SSL certificates for free from Let’s Encrypt.
For example, SIGESP (People Management System), used by Ministry of Health civil servants, has a login page without HTTPS – the password is transmitted in plain text. The SIG (Management Information System) of the state-owned Ebserh (Brazilian Hospital Services Company) is also unprotected; it lets users log in and recover their password using their CPF (taxpayer ID).
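The two findings above come down to two checks that any site owner (or a survey such as DigiCert’s) can automate: does the host complete a TLS handshake with a certificate that a browser would trust, and would a login form on a page actually submit its password field over plain HTTP? The script below is an added illustration, not code from Tecnoblog, DigiCert or any of the agencies named in this article. The hostname and the HTML page it analyses are constructed samples; the live certificate check only runs on hosts passed on the command line, because it needs network access.

```python
"""Audit helper (added example): does a host serve HTTPS with a valid
certificate, and would a login form on a page submit its password in clear text?
"""
import socket
import ssl
import sys
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def https_certificate_ok(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if `host` completes a TLS handshake with a certificate that chains
    to a trusted root and matches the hostname, i.e. what the browser padlock
    represents. Requires network access, so the offline demo does not call it."""
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


class _FormCollector(HTMLParser):
    """Collect every <form> with its action URL and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []  # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_password_forms(page_url: str, html: str) -> list:
    """Return the submit URLs of forms on `page_url` that contain a password
    field and would post it over plain HTTP. A relative action (or no action)
    inherits the page's scheme, so a form on an http:// page leaks the password
    unless its action is an absolute https:// URL."""
    parser = _FormCollector()
    parser.feed(html)
    exposed = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            exposed.append(target)
    return exposed


# Constructed sample: a login page served over HTTP, not a real government host.
SAMPLE_PAGE_URL = "http://portal.example.gov.br/login"
SAMPLE_HTML = """
<html><body>
  <form action="/autenticar" method="post">
    <input type="text" name="usuario">
    <input type="password" name="senha">
  </form>
  <form action="https://sso.example.gov.br/entrar" method="post">
    <input type="text" name="cpf">
    <input type="password" name="senha">
  </form>
  <form action="/buscar" method="get">
    <input type="text" name="q">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for url in cleartext_password_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("password would be sent in clear text to:", url)
    # Optional live check: python audit.py host1 host2 ...
    for host in sys.argv[1:]:
        print(host, "serves valid HTTPS" if https_certificate_ok(host) else "no valid HTTPS")
```

Only the first form is flagged: it posts the password to a relative path on an HTTP page. The second form is safe even on an HTTP page because its action is an absolute HTTPS URL, although a page served over HTTP can still be tampered with in transit to change that action, which is why the whole page, not just the form target, should be served over HTTPS.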
State and municipal sites have login and registration without HTTPS
This is not restricted to the federal sphere only. The webmail portal of the city of Manaus (AM) does not have HTTPS: again, login and password are transmitted in plain text.
And, as we revealed earlier on Tecnoblog, several anti-telemarketing registration sites still run without HTTPS, transmitting personal data, username and password without protection. This is the case for the “do not disturb” systems of Alagoas, Ceará, Maranhão, Mato Grosso do Sul, Paraíba and Rio Grande do Sul. (Procon-SP only adopted HTTPS in August 2019.)
The website for checking eCNH appointments at São Paulo’s DMV does not have HTTPS. The same goes for the systems of the municipalities of Campo Grande (MS) and Rio de Janeiro for obtaining a second copy of the IPTU bill.
The Rio page for consulting the ITBI (tax on real-estate transfers), besides lacking HTTPS, still uses URLs that end in “.exe” – which, fortunately, do not download any executable files.
Pernambuco’s GNRE (National Guide for the Collection of State Taxes) portal has no HTTPS. And the city of Ubatuba (SP) has a service portal entirely without HTTPS; interestingly, the city hall’s own website already uses an encryption certificate.
Some domains of the Federal Revenue and of Caixa Econômica Federal do not use HTTPS, but this is perhaps less worrying: they are purely informational pages, with no forms for entering personal data or logging in. The Federal Revenue’s transactional services – such as CPF Regularization, for example – do have an SSL certificate.