Chief Information Officers Council Proposes HTTPS By Default For All Federal Government Websites
from the being-the-change-people-have-been-waiting-for dept
In a long-overdue nod to both privacy and security, the administration finally moved Whitehouse.gov to HTTPS on March 9th. This followed the FTC’s March 6th move to do the same. And yet, far too many government websites operate without the additional security this provides. But that’s about to change. According to a recent post by the US government’s Chief Information Officers Council, HTTPS will (hopefully) be the new default for federal websites.
The American people expect government websites to be secure and their interactions with those websites to be private. Hypertext Transfer Protocol Secure (HTTPS) offers the strongest privacy protection available for public web connections with today’s internet technology. The use of HTTPS reduces the risk of interception or modification of user interactions with government online services.
This proposed initiative, “The HTTPS-Only Standard,” would require the use of HTTPS on all publicly accessible Federal websites and web services.
In a statement that clashes with the NSA’s activities and the FBI’s push for pre-compromised encryption, the CIO asserts that when people engage with government websites, these interactions should be no one’s business but their own.
All browsing activity should be considered private and sensitive.
The proposed standard would eliminate agencies’ options, forcing them to move to HTTPS, both for their safety and the safety of their sites’ visitors. To be sure, many cats will still need to be shepherded if this goes into effect, but hopefully there won’t be too many details to trifle over. HTTPS or else is the CIO Council’s goal — something that shouldn’t be open to too much interpretation.
As the Council points out, failing to do so places both ends of the interaction at risk. If government sites are thought to be unsafe, it has the potential to harm citizens along with the government’s reputation.
Federal websites that do not use HTTPS will not keep pace with privacy and security practices used by commercial organizations, or with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and reduces their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. The proposed HTTPS-only standard will provide the public with a consistent, private browsing experience and position the Federal government as a leader in Internet security.
The CIO’s short, but informative, explanatory page lists the pros of this proposed move, as well as spells out what HTTPS doesn’t protect against. It also notes that while most sites should actually see a performance boost from switching to HTTPS, sites that gather elements for other parties will be the most difficult to migrate. And, it notes, the move won’t necessarily be inexpensive.
The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time. The development burden will vary substantially based on the size and technical infrastructure of a site. The proposed compliance timeline provides sufficient flexibility for project planning and resource alignment.
But, it assures us (at least as much as any government entity can…), the money will be well-spent.
The tangible benefits to the American public outweigh the cost to the taxpayer. Even a small number of unofficial or malicious websites claiming to be Federal services, or a small amount of eavesdropping on communication with official US government sites could result in substantial losses to citizens.
The CIO is also taking input from the public, at Github no less.
A very encouraging — if rather belated — sign that the government is still making an effort to take privacy and security seriously, rather than placing those two things on the scales for intelligence and law enforcement agencies to shift around as they see fit when weighing their desires against Americans’ rights and privileges.
Filed Under: encryption, federal government, ftc, https, ssl, tls, websites, white house
Comments on “Chief Information Officers Council Proposes HTTPS By Default For All Federal Government Websites”
Newsflash: Chief Information Security Theater Officer proposes that US government switch to pretending that it can’t eavesdrop on connections it’s agencies are a party to.
I don’t quite understand this push for HTTPS on all read-only public websites. Would using a non-encrypted connection really be any less private?
Or is the idea that with SSL a user can view a website without the possibility of having some hostile man-in-the-middle (such as a repressive government) performing packet-fu on the site’s contents so the end user will see an adulterated web page.
It seems like overkill. 20 years ago I used to complain that email providers, both POP and the then-emerging webmail, did not use any form of encryption. Even in 2000, they were very scarce. By 2005, even the few email providers that had SSL used non-SSL as the default login.
Considering that it took more than a whole decade just to see email logins finally get a minimum level of security (and still waiting for email itself to be secure) this drive to make all sites SSL just seems like much wasted effort on something that’s not very important.
Re: Re:
I’m not sure what you’re driving at. You seem to be conflating email and HTTP/S, and then saying that there’s no point doing this now because it took a long time for anyone to bother before. Why is any of that relevant?
“Or is the idea that with SSL a user can view a website without the possibility of having some hostile man-in-the-middle (such as a repressive government) performing packet-fu on the site’s contents so the end user will see an adulterated web page.”
That’s pretty much it, I think. There’s a non-zero chance that people will intercept communications, and government websites are theoretically meant to be the most trustworthy ones (though reality is of course rather different to non-laymen).
Online security has never been a more relevant issue, and it’s rather trivial for a competent admin to switch everything to HTTPS assuming there’s no weird design issues that prevent it. Why would they not do this?
Re: HTTPS vs IMAPS+gpg
E-mail encryption has not taken off in part because the deployment model is bad. To use encrypted e-mail, both sides need to agree to use it, and have a way to confirm the peer’s identity. Both sides need to use a compatible encryption scheme. Historically, popular commercial clients (i.e. Outlook) did not play nicely with Thunderbird+GPG, so trading secure e-mail across the proprietary/open divide was hard.
HTTPS support is standard in browsers. The identity problem is solved (poorly) by the use of Certificate Authorities. Thus, while deploying encrypted e-mail is still hard to do on a wide scale, deploying encrypted HTTP is easy unless the site has employed Web 2.0 developers specifically to screw up the site’s implementation (e.g. Javascript cross-includes from third-party http sites, which will get zapped by a properly configured Mixed Content Blocker).
Encryption has also risen in importance as people move to borrowing a connection from whatever wireless AP is in range, and rarely use any sort of device-level encryption to tunnel back to a believed-good host (e.g. rented VPS, home server, etc.). Ten years ago, the idea of just walking into a restaurant and finding a wireless AP waiting for you was uncommon. Today, people are surprised when they find themselves in an unserved area.
But will they continue to self-sign?
Currently most HTTPS Federal web sites use self-signed certificates, which causes browsers to label them as unsafe. I see no issues with the U.S. Government registering as a Certificate Authority (CA), but until they either do that or purchase certificates from registered CAs, this move will actually weaken consumer security by encouraging them to overrule what otherwise is a very sensible warning and limitation.
Re: But will they continue to self-sign?
The feds (or at least the DoD) already have their own CA (multiple CAs, actually) and their own web of trust set up. Therein lies the problem, though.
They already have their own CA network and web of trust set up as q cylinder of excellence (e.g. a stovepipe) that has little interconnection with the public web of trust set up with the public CA network. It would be straightforward to get the government CA network interconnected with the public CA network, but the bureaucracy stands in the way.
While it’s a great idea to finally implement HTTPS, I am afraid they are sadly mistaken if they believe this will restore the American people’s confidence in government.
We’ve learned how to spell NSA, FBI, and CIA. None of those are working for the security of the public internetwise.
Wait, Wait! About Face Due!
I can’t believe such an act for the benefit of the citizenry will be tolerated for long by Mr Obama.
Thus, an attaboy (or attagirl) awaits anyone who can correctly guess how long it will take before there is an about face, posted right here on Techdirt!
In other news...
It has just been announced that the now-former head of the US government’s Chief Information Officers Council is being investigated by the FBI for… ummm… something…
Th.Mo.Tr.Ad.In.Am.Hi.
“This proposed initiative, “The HTTPS-Only Standard,” would require the use of HTTPS on all publicly accessible Federal websites and web services.”
I assume this means that the NSA has now learned how to bypass the security offered by HTTPS.
If it was otherwise, The Most Transparent Administration In American History, would not allow such a move to go forward, even for public relations sake.
—