Chief Information Officers Council Proposes HTTPS By Default For All Federal Government Websites

from the being-the-change-people-have-been-waiting-for dept

In a long-overdue nod to both privacy and security, the administration finally moved to HTTPS on March 9th. This followed the FTC’s March 6th move to do the same. And yet, far too many government websites operate without the additional security this provides. But that’s about to change. According to a recent post by the US government’s Chief Information Officers Council, HTTPS will (hopefully) be the new default for federal websites.

The American people expect government websites to be secure and their interactions with those websites to be private. Hypertext Transfer Protocol Secure (HTTPS) offers the strongest privacy protection available for public web connections with today’s internet technology. The use of HTTPS reduces the risk of interception or modification of user interactions with government online services.

This proposed initiative, “The HTTPS-Only Standard,” would require the use of HTTPS on all publicly accessible Federal websites and web services.

In a statement that clashes with the NSA’s activities and the FBI’s push for pre-compromised encryption, the CIO asserts that when people engage with government websites, these interactions should be no one’s business but their own.

All browsing activity should be considered private and sensitive.

The proposed standard would eliminate agencies’ options, forcing them to move to HTTPS, both for their safety and the safety of their sites’ visitors. To be sure, many cats will still need to be shepherded if this goes into effect, but hopefully there won’t be too many details to trifle over. HTTPS or else is the CIO Council’s goal — something that shouldn’t be open to too much interpretation.

As the Council points out, failing to do so places both ends of the interaction at risk. If government sites are thought to be unsafe, it has the potential to harm citizens along with the government’s reputation.

Federal websites that do not use HTTPS will not keep pace with privacy and security practices used by commercial organizations, or with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and reduces their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. The proposed HTTPS-only standard will provide the public with a consistent, private browsing experience and position the Federal government as a leader in Internet security.

The CIO’s short, but informative, explanatory page lists the pros of this proposed move, as well as spells out what HTTPS doesn’t protect against. It also notes that while most sites should actually see a performance boost from switching to HTTPS, sites that gather elements for other parties will be the most difficult to migrate. And, it notes, the move won’t necessarily be inexpensive.

The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time. The development burden will vary substantially based on the size and technical infrastructure of a site. The proposed compliance timeline provides sufficient flexibility for project planning and resource alignment.

But, it assures us (at least as much as any government entity can…), the money will be well-spent.

The tangible benefits to the American public outweigh the cost to the taxpayer. Even a small number of unofficial or malicious websites claiming to be Federal services, or a small amount of eavesdropping on communication with official US government sites could result in substantial losses to citizens.

The CIO is also taking input from the public, at GitHub no less.

A very encouraging — if rather belated — sign that the government is still making an effort to take privacy and security seriously, rather than placing those two things on the scales for intelligence and law enforcement agencies to shift around as they see fit when weighing their desires against Americans’ rights and privileges.

Comments on “Chief Information Officers Council Proposes HTTPS By Default For All Federal Government Websites”

Anonymous Coward says:

I don’t quite understand this push for HTTPS on all read-only public websites. Would using a non-encrypted connection really be any less private?

Or is the idea that with SSL a user can view a website without the possibility of having some hostile man-in-the-middle (such as a repressive government) performing packet-fu on the site’s contents so the end user will see an adulterated web page.

It seems like overkill. 20 years ago I used to complain that email providers, both POP and the then-emerging webmail, did not use any form of encryption. Even in 2000, they were very scarce. By 2005, even the few email providers that had SSL used non-SSL as the default login.

Considering that it took more than a whole decade just to see email logins finally get a minimum level of security (and still waiting for email itself to be secure) this drive to make all sites SSL just seems like much wasted effort on something that’s not very important.

PaulT (profile) says:

Re: Re:

I’m not sure what you’re driving at. You seem to be conflating email and HTTP/S, and then saying that there’s no point doing this now because it took a long time for anyone to bother before. Why is any of that relevant?

“Or is the idea that with SSL a user can view a website without the possibility of having some hostile man-in-the-middle (such as a repressive government) performing packet-fu on the site’s contents so the end user will see an adulterated web page.”

That’s pretty much it, I think. There’s a non-zero chance that people will intercept communications, and government websites are theoretically meant to be the most trustworthy ones (though reality is of course rather different to non-laymen).

Online security has never been a more relevant issue, and it’s rather trivial for a competent admin to switch everything to HTTPS assuming there’s no weird design issues that prevent it. Why would they not do this?

Anonymous Coward says:

Re: HTTPS vs IMAPS+gpg

E-mail encryption has not taken off in part because the deployment model is bad. To use encrypted e-mail, both sides need to agree to use it, and have a way to confirm the peer’s identity. Both sides need to use a compatible encryption scheme. Historically, popular commercial clients (i.e. Outlook) did not play nicely with Thunderbird+GPG, so trading secure e-mail across the proprietary/open divide was hard.

HTTPS support is standard in browsers. The identity problem is solved (poorly) by the use of Certificate Authorities. Thus, while deploying encrypted e-mail is still hard to do on a wide scale, deploying encrypted HTTP is easy unless the site has employed Web 2.0 developers specifically to screw up the site’s implementation (e.g. Javascript cross-includes from third-party http sites, which will get zapped by a properly configured Mixed Content Blocker).

Encryption has also risen in importance as people move to borrowing a connection from whatever wireless AP is in range, and rarely use any sort of device-level encryption to tunnel back to a believed-good host (e.g. rented VPS, home server, etc.). Ten years ago, the idea of just walking into a restaurant and finding a wireless AP waiting for you was uncommon. Today, people are surprised when they find themselves in an unserved area.
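The "Javascript cross-includes from third-party http sites" mentioned above are what a browser's Mixed Content Blocker refuses on an HTTPS page. The following is an added example, not code from the article or from the CIO Council, of a small scanner that finds such sub-resources in a page before migration; the HTML and the `.test` hostnames are constructed for the example, and the active/passive split follows how browsers treat scripts and stylesheets (blocked) versus images and media (loaded, but the page loses its lock icon).

```python
"""Find sub-resources that an HTTPS page would load over plain http://,
i.e. the mixed content a browser's Mixed Content Blocker acts on."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that fetch sub-resources, with the severity browsers
# assign: "active" content (script, stylesheet, frame, plugin) is blocked
# outright; "passive" content (images, media) is loaded but flagged.
SUBRESOURCES = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("object", "data"): "active", ("embed", "src"): "active",
    ("link", "href"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, a), severity in SUBRESOURCES.items():
            if tag != t or not attrs.get(a):
                continue
            # Only <link rel="stylesheet"> is active; icons, prefetch etc. are not.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                severity = "passive"
            # Resolve relative and protocol-relative ("//host/x.js") URLs
            # against the HTTPS page, so only explicit http:// remains http.
            url = urljoin(self.page_url, attrs[a])
            if urlsplit(url).scheme == "http":
                self.findings.append((severity, tag, url))


def find_mixed_content(page_url, html):
    """Return [(severity, tag, url)] for every http:// sub-resource in html."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page: three http:// includes, three that are fine.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
<script src="http://analytics.example.test/track.js"></script>
</head><body>
<img src="/images/seal.png">
<img src="http://static.example.test/banner.gif">
<iframe src="https://www.example.test/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content("https://www.example.test/", SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
```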

Ray Trygstad (profile) says:

But will they continue to self-sign?

Currently most HTTPS Federal web sites use self-signed certificates, which causes browsers to label them as unsafe. I see no issues with the U.S. Government registering as a Certificate Authority (CA), but until they either do that or purchase certificates from registered CAs, this move will actually weaken consumer security by encouraging them to overrule what otherwise is a very sensible warning and limitation.

mister anderson (profile) says:

Re: But will they continue to self-sign?

The feds (or at least the DoD) already have their own CA (multiple CAs, actually) and their own web of trust set up. Therein lies the problem, though.

They already have their own CA network and web of trust set up as a cylinder of excellence (e.g. a stovepipe) that has little interconnection with the public web of trust set up with the public CA network. It would be straightforward to get the government CA network interconnected with the public CA network, but the bureaucracy stands in the way.

GEMont (profile) says:


“This proposed initiative, “The HTTPS-Only Standard,” would require the use of HTTPS on all publicly accessible Federal websites and web services.”

I assume this means that the NSA has now learned how to bypass the security offered by HTTPS.

If it was otherwise, The Most Transparent Administration In American History, would not allow such a move to go forward, even for public relations sake.
