On Monday, 8 June 2015, Tony Scott, Chief Information Officer for President Obama, issued a memorandum that requires all federal websites and services to switch to HTTPS, a more secure method of connection than plain HTTP, by December 31, 2016. This change means all traffic is treated as sensitive, rather than leaving it up to web designers to make a determination as to data content, and closes some of the doors used by hackers to gain passwords, identity, search terms, and other user-submitted data.
As a provider of vital public services, the U.S. government has a responsibility to keep up with web standards and evolving best practices. As the birthplace of the Internet, the U.S. government has a special responsibility to support the Internet’s long-term health and vitality. This new policy, and the leadership it demonstrates, will help the U.S. meet those responsibilities and help the Internet remain a safe place for its users around the world.
It is generally thought that, in addition to improving overall security, the move to HTTPS will also improve privacy, as it becomes much more difficult to determine the identity of someone browsing to a particular web site.
There are some challenges involved in this move, including increased cost and technical hurdles. Because HTTPS requires the purchase of an SSL certificate from a signing authority, such as GlobalSign, Symantec, or Comodo, and because some program changes are needed, budget has to be found to cover the additional cost. Managing these digital certificates is another factor; root certificates for some government agencies are not accepted by most browsers, and someone has to manage the lifecycle of these certs to ensure they get renewed before they expire.
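The two certificate problems named above, a chain that clients do not trust and a certificate that lapses before renewal, can both be caught by a scheduled check. The sketch below is an added example, not code from the memorandum or any agency; the 30-day renewal window, the function names and the `.example` hostnames are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumed renewal threshold, not taken from the memorandum


def days_left(not_after, now):
    """Whole days until expiry; not_after is in getpeercert()'s 'notAfter' format."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days  # negative once the certificate has expired


def classify(not_after, now, window=RENEW_WINDOW_DAYS):
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    return "renew" if remaining <= window else "ok"


def probe(host, port=443, timeout=5.0):
    """Return notAfter of the live certificate, validated against the system trust store."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, as a browser would
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def audit(hosts, now, fetch=probe):
    """Map each host to ok / renew / expired / untrusted / unreachable."""
    report = {}
    for host in hosts:
        try:
            report[host] = classify(fetch(host), now)
        except ssl.SSLCertVerificationError:
            # Chain not anchored in a trusted root, name mismatch, or expired on the wire
            report[host] = "untrusted"
        except OSError:
            report[host] = "unreachable"
    return report


if __name__ == "__main__":
    # Constructed inventory: hostnames and dates are illustrative, not real sites
    sample = {"www.agency.example": "Dec 31 23:59:59 2016 GMT",
              "forms.agency.example": "Jun 08 00:00:00 2017 GMT"}
    now = datetime(2016, 12, 1, tzinfo=timezone.utc)
    print(audit(sample, now, fetch=sample.__getitem__))
```

Calling `audit(hosts, datetime.now(timezone.utc))` with the default `probe` checks live sites; the `fetch` parameter exists so the triage logic can be exercised offline against a recorded inventory.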
For sure, this is not a security silver bullet. While HTTPS does secure the connection between two systems, it doesn’t protect a web server or database from being attacked, and would not stop a breach like the recent OPM data breach, in which records for 4 million government employees and contractors, including background checks and personally identifiable information, were exposed. It’s just one of many steps needed to improve overall Internet security.