The White House has directed all federal government websites be “HTTPS-Only”, bringing public sector websites inline with demands from privacy advocates and the commercial sector.
All publicly facing federal government websites will need to provide secure HTTPS connections to their websites by December 31, 2016 under the “HTTPS-Only Standard” directive, issued by the White House Office of Management and Budget (OMB) on Monday.
A URL with a HTTPS header, indicated by a padlock in a web browser, signals communications between the browser and a web server are encrypted and has been verified by a third party as a genuine website.
Though HTTPS was initially adopted for web pages that obviously require secure access — such as a login page or a banking website — tech companies, such as Google and Mozilla, have been pushing for HTTPS to become a standard. Google made HTTPS a default for Gmail in 2010 and now uses it as a signal for ranking websites in search results, for example. Twitter, Facebook, Microsoft and others have also implemented HTTPS to a larger degree.
Arguments for encrypting communications on the web precede Edward Snowden’s leaks about government surveillance but efforts among commercial organisations to implement it have intensified since.
The first federal government websites to become HTTPS by default however were those that could leak sensitive information about its visitors, such asAIDS.gov, and visits to competition regulator the Federal Trade Commission, which accept submissions from whistleblowers
As the OMB memorandum notes, unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data.
The directive aims to address the fact that most federal government websites still use HTTP, which could ultimately expose sensitive information about people who use those websites.
“An HTTPS-Only standard, however, will eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide,” Tony Scott, United States chief information officer said.
"It is critical that federal websites maintain the highest privacy standards for the users of its online services. With this new action, we are driving faster internet-wide adoption of HTTPS and promoting better privacy standards for the entire browsing public."
The OMB order may also serve as a reminder to other nations’ public sector organisations that the web is moving away from HTTP. Google and " have announced plans to respectively deprecate HTTP in Chrome and Firefox, which account for about half of all web traffic.
18F, a tech-focussed unit in the General Services Administration, welcomed the directive. It was behind the HTTPS-by-default initiative for AIDS.gov and the FTC.
“As a provider of vital public services, the U.S. government has a responsibility to keep up with web standards and evolving best practices. As the birthplace of the Internet, the U.S. government has a special responsibility to support the Internet's long-term health and vitality. This new policy, and the leadership it demonstrates, will help the U.S. meet those responsibilities and help the Internet remain a safe place for its users around the world,” 18F said.
This article is brought to you by Enex TestLab, content directors for CSO Australia.