All US .gov websites ordered to be HTTPS-only by the end of next year

Law enforcement agencies may have been pushing recently for tech firms to “prevent encryption”, but it seems that technically-minded folks inside the US federal government are big fans of it.

Tony Scott, the US government’s CIO, has officially announced that all .gov websites must be only available via encrypted HTTPS connections by the end of 2016.

To address these concerns, many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of Federal websites and services deserve the same protection. Private and secure connections are becoming the Internet’s baseline, as expressed by the policies of the Internet’s standards bodies, popular web browsers, and the Internet community of practice. The Federal government must adapt to this changing landscape, and benefits by beginning the conversion now. Proactive investment at the Federal level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public.

All browsing activity should be considered private and sensitive.

An HTTPS-Only standard will eliminate inconsistent, subjective determinations across agencies regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide.

Did you see the bit Scott put in bold? “All browsing activity should be considered private and sensitive.”

That’s a position that will put the US government’s CIO in some conflict with the likes of the FBI, who complain that modern encryption technology is hindering their ability to conduct covert surveillance.

But when you consider the type of information that American citizens are sharing with government websites (their names, addresses, financial information, social security numbers and so forth), it would clearly be grossly negligent not to defend it from malicious hackers.

Recent hacking attacks against government agencies such as the IRS and Office of Personnel Management (OPM), for instance, have put the personal details of millions of people at risk, underlining the importance of following security best practices.

After all, users can choose which companies they decide to do business with, and which retailers they purchase from, but none of us have any choice about having to communicate with our governments from time to time. And if they do a sloppy job of protecting data in transit between a citizen’s laptop and their servers, anyone sitting on the network path (a coffee-shop Wi-Fi hotspot, an ISP, a compromised router) can read or tamper with it, and hackers are increasingly likely to exploit that weakness.

Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and may reduce their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the Federal Government as a leader in Internet security.

Although some might claim it’s about time for the US government to embrace HTTPS, and many of us would like to see a more aggressive timescale for deployment, it’s great to see such a clear commitment made to protecting users who access these sites.

Scott is right – HTTPS is steadily becoming a standard for the web. Even for sites which don’t *need* encryption.
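“HTTPS-only” means more than buying a certificate: the plain-HTTP listener has to refuse to serve content and send visitors straight to an https:// URL. The following Python check is an added example for this article, not code from Graham Cluley or from the federal HTTPS-only programme. It evaluates captured responses (constructed below, for hypothetical hosts) rather than making network requests, so it runs offline. It also checks for an HSTS (Strict-Transport-Security) header, which the article does not discuss; that is an assumption about what a sound HTTPS-only deployment looks like, since without it every fresh visit still starts over plaintext before the redirect. The one-year minimum max-age is likewise this example’s own baseline.

```python
"""Evaluates captured HTTP responses against an HTTPS-only policy.

Added example: not code from the article, from Graham Cluley, or from the
US federal HTTPS-only programme. Responses are constructed below so the
check runs offline; feed a real scanner's output to evaluate_https_only()
to use it for real. The HSTS checks and the minimum max-age are this
example's assumptions about what an HTTPS-only deployment should look like.
"""
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}
MIN_HSTS_MAX_AGE = 31536000  # one year; assumed baseline for this example


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload).

    Returns None when max-age is missing or malformed, in which case a browser
    would not apply the policy at all.
    """
    max_age, include_subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


def evaluate_https_only(host, http_response, https_response):
    """Return a list of policy findings for one host; an empty list means it passes.

    Each response is a dict {"status": int, "headers": {name: value}} captured
    from GET http://<host>/ and GET https://<host>/ respectively.
    """
    findings = []
    http_headers = {k.lower(): v for k, v in http_response["headers"].items()}
    https_headers = {k.lower(): v for k, v in https_response["headers"].items()}

    # 1. Plain HTTP must not serve content; it must redirect to an https:// URL.
    if http_response["status"] not in REDIRECT_CODES:
        findings.append(f"plaintext http://{host}/ serves content (status {http_response['status']})")
    else:
        location = http_headers.get("location", "")
        if urlsplit(location).scheme != "https":
            findings.append(f"http://{host}/ redirects to a non-HTTPS location: {location!r}")

    # 2. Browsers ignore HSTS received over plaintext (RFC 6797 section 8.1), so a
    #    header that only appears on the HTTP response gives no protection.
    if "strict-transport-security" in http_headers and "strict-transport-security" not in https_headers:
        findings.append(f"{host} sends HSTS only over plaintext HTTP, where browsers ignore it")

    # 3. The HTTPS response should pin future visits to HTTPS with a long max-age.
    hsts = https_headers.get("strict-transport-security")
    if hsts is None:
        findings.append(f"https://{host}/ sends no Strict-Transport-Security header")
    else:
        parsed = parse_hsts(hsts)
        if parsed is None:
            findings.append(f"https://{host}/ sends a malformed HSTS header: {hsts!r}")
        elif parsed[0] < MIN_HSTS_MAX_AGE:
            findings.append(f"https://{host}/ HSTS max-age {parsed[0]} is below {MIN_HSTS_MAX_AGE}")
    return findings


# Constructed sample captures (not real scan results) for three hypothetical hosts.
SAMPLE_CAPTURES = {
    "good.example.gov": (
        {"status": 301, "headers": {"Location": "https://good.example.gov/"}},
        {"status": 200, "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}},
    ),
    "plaintext.example.gov": (
        {"status": 200, "headers": {"Content-Type": "text/html"}},
        {"status": 200, "headers": {"Content-Type": "text/html"}},
    ),
    "misconfigured.example.gov": (
        {"status": 302, "headers": {"Location": "https://misconfigured.example.gov/",
                                    "Strict-Transport-Security": "max-age=300"}},
        {"status": 200, "headers": {}},
    ),
}


def scan_samples():
    """Run the check over every constructed capture; returns {host: findings}."""
    return {h: evaluate_https_only(h, http, https) for h, (http, https) in SAMPLE_CAPTURES.items()}


if __name__ == "__main__":
    for host, findings in scan_samples().items():
        print(host, "PASS" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The third sample host is the classic mistake: it redirects correctly but puts its HSTS header on the plaintext response, where browsers are required to ignore it, so a visitor’s next visit still begins over HTTP. Running the script flags exactly that, along with the missing header on the HTTPS side.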

Google is one company that is doing its bit to encourage further adoption of HTTPS. Last year it called for “HTTPS everywhere”, urging websites to adopt HTTPS to better protect the security and privacy of users’ data.

Google has also announced that using HTTPS will help sites boost their ranking in search results – something which is likely to light a fire under the bottoms of many marketing folks who appreciate the importance of being visible on Google.

Even if your company’s management team don’t give two hoots about offering your website visitors the protection of HTTPS, please convince them that it should be done if only to boost your firm’s Google ranking.

After all, for the future of the internet, the best thing we can hope for is a time when all communications are encrypted… and where any site which doesn’t offer HTTPS is frowned upon.

This article originally appeared on the Optimal Security blog.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
