Security Audit of www.passports.gov.au

Brendan Molloy made this Freedom of Information request to Department of Foreign Affairs and Trade

This request has been closed to new correspondence from the public body. Contact us if you think it ought to be re-opened.

The request was refused by Department of Foreign Affairs and Trade.

Dear Department of Foreign Affairs and Trade,

It has recently come to my attention that www.passports.gov.au does not meet Control: 0482 (Page 209 of the ASD's Information Security Manual http://www.asd.gov.au/publications/Infor... ) which stipulates: "Agencies must not use versions of SSL prior to version 3.0."

Unfortunately this has been found to not be the case:

https://www.ssllabs.com/ssltest/analyze....

One can however see that it isn't very difficult to attain a significantly more appropriate level of security as can be seen in these examples:

https://www.ssllabs.com/ssltest/analyze....
https://www.ssllabs.com/ssltest/analyze....

I hereby request, under the Freedom of Information Act (1982), copies of the following documents:

a) Documents relating to security auditing policy used for determining the security of DFAT websites. This may for example include (but certainly are not limited to):
i) Documents pertaining to minimum standards for SSL/TLS certificates, and
ii) Documents pertaining to penetration testing that has been undertaken by the department to determine security standards have been met;
b) Reports from any security audits conducted on the www.passports.gov.au website in the last 5 years; and
c) Documents regarding changes made to the www.passports.gov.au website since January 2009.

I also make the application that all costs for the processing of this request be waived on the grounds that the release of this information is in the public interest, as the public has the right to know whether their information is being treated in a responsible manner when applying for a passport online.

--
Regards,

Brendan Molloy
Councillor
Pirate Party Australia
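
The request above turns on a single verifiable property: which SSL/TLS protocol versions the site will negotiate, and in particular whether it still completes an SSL 2.0 handshake (the behaviour Control 0482, as quoted, prohibits). The following probe is an added example written for this page; it is not the SSL Labs scanner the request links to, nor anything from DFAT. It constructs a bare ClientHello for each of SSL 2.0, SSL 3.0, TLS 1.0, 1.1 and 1.2, sends it over a plain TCP connection, and classifies the first record that comes back. The host name in the entry point is a placeholder; the parsing and record-building functions run offline on constructed byte strings.

```python
"""Probe which SSL/TLS protocol versions a server will negotiate.

Added example for this page (not the SSL Labs tool cited in the request).
Each probe opens one TCP connection, sends a ClientHello that offers a
single protocol version, and classifies the first record sent back.
"""
import os
import socket
import struct

# Wire-level (major, minor) pairs and their names.
VERSIONS = {(2, 0): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
# TLS alert descriptions a version probe commonly receives.
ALERTS = {10: "unexpected_message", 40: "handshake_failure",
          47: "illegal_parameter", 70: "protocol_version", 80: "internal_error"}


def build_sslv2_client_hello():
    """SSL 2.0 CLIENT-HELLO: 2-byte record header with the high bit set."""
    ciphers = bytes.fromhex("010080") + bytes.fromhex("0700c0")  # RC4-128-MD5, 3DES-MD5
    challenge = os.urandom(16)
    body = (b"\x01" + b"\x00\x02"                      # msg type 1, version 0x0002
            + struct.pack("!HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_ssl3_client_hello(major, minor):
    """SSL 3.0 / TLS 1.x ClientHello offering only (major, minor); no extensions, no SNI."""
    ciphers = bytes.fromhex("c014c0130035002f000a")     # ECDHE/RSA AES and 3DES suites
    body = (bytes([major, minor]) + os.urandom(32) + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                                    # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back.

    Returns ("accepted", version name), ("rejected", alert name) or
    ("unknown", None) for an empty read or anything unrecognised.
    """
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x04:   # SSLv2 SERVER-HELLO
        return ("accepted", "SSL 2.0")
    if len(data) < 7:
        return ("unknown", None)
    ctype = data[0]                                             # TLS record content type
    if ctype == 0x16 and data[5] == 0x02 and len(data) >= 11:   # handshake / ServerHello
        ver = (data[9], data[10])                               # server_version field
        return ("accepted", VERSIONS.get(ver, "unknown %d.%d" % ver))
    if ctype == 0x15:                                           # alert record
        return ("rejected", ALERTS.get(data[6], "alert %d" % data[6]))
    return ("unknown", None)


def probe(host, port=443, timeout=5):
    """Return {version name: (status, detail)} for SSL 2.0 through TLS 1.2."""
    attempts = [("SSL 2.0", build_sslv2_client_hello())]
    attempts += [(VERSIONS[v], build_ssl3_client_hello(*v))
                 for v in ((3, 0), (3, 1), (3, 2), (3, 3))]
    results = {}
    for name, hello in attempts:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(hello)
                results[name] = classify_response(sock.recv(4096))
        except OSError as exc:                       # refused, reset, timed out, no DNS
            results[name] = ("unknown", str(exc))
    return results


def violates_control_0482(results):
    """Control 0482 as quoted on the page: no SSL version prior to 3.0,
    so a server that completes an SSL 2.0 handshake is non-compliant."""
    return results.get("SSL 2.0", ("unknown", None))[0] == "accepted"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    res = probe(target)
    for name, (status, detail) in res.items():
        print(f"{name:8s} {status:9s} {detail or ''}")
    print("control 0482:", "VIOLATED" if violates_control_0482(res) else "satisfied")
```

Two caveats when reading the output of a run against a server you administer: the ClientHello carries no SNI, so a name-based virtual host answers for its default site; and because only a handful of cipher suites are offered, a "rejected handshake_failure" can mean cipher mismatch rather than version rejection, whereas "rejected protocol_version" is unambiguous. An SSL 2.0 result of "unknown" with an empty read is the usual sign of a correctly configured server closing the connection.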

FOI, Department of Foreign Affairs and Trade

Our Ref: 1404F736

Dear Mr Molloy

Re: Freedom of Information (FOI) Request

Thank you for your email dated 13 January in which you seek access under the Freedom of Information Act 1982 to:

“a) Documents relating to security auditing policy used for determining the security of DFAT websites. This may for example include (but certainly are not limited to):
i) Documents pertaining to minimum standards for SSL/TLS certificates, and
ii) Documents pertaining to penetration testing that has been undertaken by the department to determine security standards have been met;
b) Reports from any security audits conducted on the www.passports.gov.au website in the last 5 years; and
c) Documents regarding changes made to the www.passports.gov.au website since January 2009.”
Searches are now being undertaken in relevant areas of the Department for documents relevant to your request. I will contact you again once the searches have been completed.

Scope of request:
If it emerges that the scope of your request is unclear or is too large for processing, the Department will contact you to discuss re-scoping the request.

Charges:
Please note that the Department issues charges for processing FOI requests. We will advise you of these charges when we are in a position to estimate the resources required to process your request.

Should you require any further information, please do not hesitate to contact me on (02) 6261 1701, or by return email.

Please note a copy of this email has been sent to Ms Indra McCormick, Director, Freedom of Information and Privacy Law Section, Domestic Legal Branch for her information.

Yours sincerely

Lindy Judge
Executive Officer – FOI and Privacy Law Section
Department of Foreign Affairs and Trade
____________________________________________________________________

Domestic Legal Branch    E | [email address]
International Organisations and Legal Division    T | +61 2 6261 1701

FOI, Department of Foreign Affairs and Trade

1 Attachment

Dear Mr Molloy,
Please find attached charges notification of your FOI request dated 13 January 2014.

Regards,

Lindy Judge
Executive Officer – FOI and Privacy Law Section
Department of Foreign Affairs and Trade
____________________________________________________________________

Corporate Legal Branch    E | [email address]
Legal Division    T | +61 2 6261 1701


Judge, Lindy, Department of Foreign Affairs and Trade

1 Attachment

FOI REF: 1401-F736
File No: 14/1377

Dear Mr Molloy,

A preliminary examination of the documents relevant to your request has confirmed the Department needs to consult with a third party in relation to business information, pursuant to section 27 of the FOI Act.

Please find attached formal notification of the required consultation. Please note that section 15(6) of the FOI Act provides that the statutory timeframe for providing an access decision is extended by another 30 days in order to undertake this consultation. The statutory timeframe will now expire on 14 March 2014.

Should you have any enquiries regarding this matter please don't hesitate to contact me.

Regards,

Lindy Judge
Executive Officer – FOI and Privacy Law Section
Department of Foreign Affairs and Trade
____________________________________________________________________

Corporate Legal Branch E | [DFAT request email]
Legal Division T | +61 2 6261 1701

I withdraw the request.

--
Regards,

Brendan Molloy
Councillor
Pirate Party Australia

FOI, Department of Foreign Affairs and Trade

Dear Mr Molloy,
Thank you for advising the Department of your decision to withdraw your FOI request for copies of the following documents:

a) Documents relating to security auditing policy used for determining the security of DFAT websites. This may for example include (but certainly are not limited to):
i) Documents pertaining to minimum standards for SSL/TLS certificates, and
ii) Documents pertaining to penetration testing that has been undertaken by the department to determine security standards have been met;
b) Reports from any security audits conducted on the www.passports.gov.au website in the last 5 years; and
c) Documents regarding changes made to the www.passports.gov.au website since January 2009.

Regards,

Lindy Judge
Executive Officer – FOI and Privacy Law Section
Department of Foreign Affairs and Trade
____________________________________________________________________

Corporate Legal Branch    E | [email address]
Legal Division    T | +61 2 6261 1701

Peter Lawler left an annotation

As the person who 'discovered' the situation on the Passports website, I deeply appreciate what you've done here Brendan.
I understand your decision to not pursue the matter given the amount of money DFAT wants from you.
As such, I've contacted one of my parliamentary representatives, Senator Whish-Wilson, and asked him to pose (as near as possible) exactly the same questions to DFAT.

Peter Lawler,

2 Attachments

Hi!
Please find attached all emails between myself and Senator Whish-Wilson's office following up Mr Molloy's request regarding www.passports.gov.au[1]

For the purposes of transparency and record, I think it'd be great if this could be added to the cited FOI request, particularly the PDF attachment of answers. I will host the PDF file elsewhere; however, I think it'd be 'best practice' to also hold these records on the RTK site.

Regards,

Peter Lawler.

[1] https://www.righttoknow.org.au/request/s...