White House Tightens Security for Web Access

June 9, 2015

On Monday, 8 June 2015, Tony Scott, Chief Information Officer for President Obama, issued a memorandum that requires all federal websites and services to switch to HTTPS, a more secure method of connection than plain HTTP, by December 31, 2016.  This change means all traffic is treated as sensitive, rather than leaving it up to web designers to make a determination as to data content, and closes some of the doors used by hackers to gain passwords, identity, search terms, and other user-submitted data.

The General Services Administration’s (GSA) tech development team, 18F, posted a blog post about the change.  The last paragraph of the post reads:

As a provider of vital public services, the U.S. government has a responsibility to keep up with web standards and evolving best practices. As the birthplace of the Internet, the U.S. government has a special responsibility to support the Internet’s long-term health and vitality. This new policy, and the leadership it demonstrates, will help the U.S. meet those responsibilities and help the Internet remain a safe place for its users around the world.

It is generally thought that, in addition to improving overall security, the move to HTTPS will also improve privacy, as it becomes much more difficult to determine the identity of someone browsing to a particular web site.

There are some challenges involved in this move, including increased cost and technical hurdles.  Because HTTPS requires the purchase of an SSL certificate from a signing authority, such as GlobalSign, Symantec, or Comodo, and because some program changes are needed, budget has to be found to cover the additional cost.  Managing these digital certificates is another factor; root certificates for some government agencies are not accepted by most browsers, and someone has to manage the lifecycle of these certs to ensure they get renewed before they expire.

For sure, this is not a security silver bullet.  While HTTPS does secure the connection between two systems, it doesn’t protect a web server or database from being attacked, and would not stop a breach like the recent OPM data breach, in which records for 4 million government employees and contractors, including background checks and personally identifiable information, were exposed.  It’s just one of many steps needed to improve overall Internet security.
