Security Audit of www.passports.gov.au

Brendan Molloy made this Freedom of Information request to Department of Foreign Affairs and Trade

The request was refused by Department of Foreign Affairs and Trade.

From: Brendan Molloy

Delivered

Dear Department of Foreign Affairs and Trade,

It has recently come to my attention that www.passports.gov.au does not meet Control: 0482 (Page 209 of the ASD's Information Security Manual http://www.asd.gov.au/publications/Infor... ) which stipulates: "Agencies must not use versions of SSL prior to version 3.0."

Unfortunately this has been found to not be the case:

https://www.ssllabs.com/ssltest/analyze....

One can however see that it isn't very difficult to attain a significantly more appropriate level of security as can be seen in these examples:

https://www.ssllabs.com/ssltest/analyze....
https://www.ssllabs.com/ssltest/analyze....

I hereby request, under the Freedom of Information Act (1982),
copies of the following documents:

a) Documents relating to security auditing policy used for determining the security of DFAT websites. This may for example include (but certainly are not limited to):
i) Documents pertaining to minimum standards for SSL/TLS certificates, and
ii) Documents pertaining to penetration testing that has been undertaken by the department to determine security standards have been met;
b) Reports from any security audits conducted on the www.passports.gov.au website in the last 5 years; and
c) Documents regarding changes made to the www.passports.gov.au website since January 2009.

I also make the application that all costs for the processing of
this request be waived on the grounds that the release of this
information is in the public interest, as the public has the right to know whether their information is being treated in a responsible manner when applying for a passport online.

--
Regards,

Brendan Molloy
Councillor
Pirate Party Australia

Link to this

From: FOI
Department of Foreign Affairs and Trade

Our Ref: 1404F736

Dear Mr Molloy

Re: Freedom of Information (FOI) Request

Thank you for your email dated 13 January in which you seek access under the Freedom of Information Act 1982 to:

“a) Documents relating to security auditing policy used for determining the security of DFAT websites. This may for example include (but certainly are not limited to):
i) Documents pertaining to minimum standards for SSL/TLS certificates, and
ii) Documents pertaining to penetration testing that has been undertaken by the department to determine security standards have been met;
b) Reports from any security audits conducted on the www.passports.gov.au website in the last 5 years; and
c) Documents regarding changes made to the www.passports.gov.au website since January 2009.”
Searches are now being undertaken in relevant areas of the Department for documents relevant to your request. I will contact you again once the searches have been completed.

Scope of request:
If it emerges that the scope of your request is unclear or is too large for processing, the Department will contact you to discuss re-scoping the request.

Charges:
Please note that the Department issues charges for processing FOI requests. We will advise you of these charges when we are in a position to estimate the resources required to process your request.

Should you require any further information, please do not hesitate to contact me on (02) 6261 1701, or by return email.

Please note a copy of this email has been sent to Ms Indra McCormick, Director, Freedom of Information and Privacy Law Section, Domestic Legal Branch for her information.

Yours sincerely

Lindy Judge
Executive Officer– FOI and Privacy Law Section
Department of Foreign Affairs and Trade
____________________________________________________________________

Domestic Legal Branch                                                            E | [email address]
International Organisations and Legal  Division                 T | +61 2 6261 1701

Lindy Judge

show quoted sections

Link to this

From: FOI
Department of Foreign Affairs and Trade


Attachment Molloy charges letter.PDF.pdf
109K Download View as HTML


Dear Mr Molloy,
Please find attached charges notification of your FOI request dated 13 January 2014.

Regards,

Lindy Judge
Executive Officer– FOI and Privacy Law Section
Department of Foreign Affairs and Trade
____________________________________________________________________

Corporate Legal Branch    E | [email address]
Legal  Division                  T | +61 2 6261 1701

show quoted sections

Link to this

From: Judge, Lindy
Department of Foreign Affairs and Trade


Attachment MOLLOY s27 notification to applicant signed.PDF.pdf
27K Download View as HTML


FOI REF: 1401-F736
File No: 14/1377

Dear Mr Molloy,

A preliminary examination of the documents relevant to your request has confirmed the Department needs to consult with a third party in relation to business information, pursuant to section 27 of the FOI ACT.

Please find attached formal notification of the required consultation. Please note that section 15(6) of the FOI Act provides that the statutory timeframe for providing an access decision is extended by another 30 days in order to undertake this consultation. The statutory timeframe will now expire on 14 March 2014.

Should you have any enquiries regarding this matter please don't hesitate to contact me.

Regards,

Lindy Judge
Executive Officer- FOI and Privacy Law Section
Department of Foreign Affairs and Trade
____________________________________________________________________

Corporate Legal Branch E | [DFAT request email]
Legal Division T | +61 2 6261 1701

Link to this

From: Brendan Molloy

Delivered

I withdraw the request.

--
Regards,

Brendan Molloy
Councillor
Pirate Party Australia

Link to this

From: FOI
Department of Foreign Affairs and Trade

Dear Mr Molloy,
Thank you for advising the Department of your decision to withdraw your FOI request for copies of the following documents:

a) Documents relating to security auditing policy used for determining the security of DFAT websites. This may for example include (but certainly are not limited to):
i) Documents pertaining to minimum standards for SSL/TLS certificates, and
ii) Documents pertaining to penetration testing that has been undertaken by the department to determine security standards have been met;
b) Reports from any security audits conducted on the www.passports.gov.au website in the last 5 years; and
c) Documents regarding changes made to the www.passports.gov.au website since January 2009.

Regards,

Lindy Judge
Executive Officer– FOI and Privacy Law Section
Department of Foreign Affairs and Trade
____________________________________________________________________

Corporate Legal Branch    E | [email address]
Legal  Division                  T | +61 2 6261 1701

show quoted sections

Link to this

Peter Lawler left an annotation ()

As the person who 'discovered' the situation on the Passports website, I deeply appreciate what you've done here Brendan.
I understand your decision to not pursue the matter given the amount of money DFAT wants from you.
As such, I've contacted one of my parliamentary representatives, Senator Whish-Wilson, and asked him to pose (as near as possible) exactly the same questions to DFAT.

Link to this

From: Peter Lawler


Attachment RE Encryption and Cipher of Australian Gov t Passport website.txt
12K Download View as HTML

Attachment Internet Security Answers to QoNs 24 6 2014.pdf
83K Download View as HTML


Hi!
Please find attached all emails between myself and Senator
Whish-Wilson's office following up Mr Molloy's request regarding
www.passports.gov.au[1]

For the purposes of transparency and record, I think it'd be great if
this could be added to the cited FOI request, particularly the PDF
attachment of answers. I will host the PDF file elsewhere however I
think it'd be 'best practice' to also hold these records on the RTK site.

Regards,

Peter Lawler.

[1] https://www.righttoknow.org.au/request/s...

Link to this

Things to do with this request

Anyone:
Department of Foreign Affairs and Trade only: