US CIO Orders All .Gov Websites To Require Encrypted Connections, Amazon Enters The Secure Cert Space

from the moving-forward dept

As top FBI officials are arguing that the tech industry needs to "prevent encryption," the federal government's CIO, Tony Scott, has officially announced that all federal government websites will only be available via encrypted HTTPS connections by the end of next year. As we noted, this was proposed back in March, but after an open comment period (via Github!), the policy is now official. The official memo talks about the importance of encryption:
The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data. The majority of Federal websites use HTTP as the primary protocol to communicate over the public internet. Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services. Data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information.

To address these concerns, many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of Federal websites and services deserve the same protection. Private and secure connections are becoming the Internet's baseline, as expressed by the policies of the Internet's standards bodies, popular web browsers, and the Internet community of practice. The Federal government must adapt to this changing landscape, and benefits by beginning the conversion now. Proactive investment at the Federal level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public.
And the memo doesn't mince words about websites that choose not to go to HTTPS-only:
Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and may reduce their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the Federal Government as a leader in Internet security.
It's good to see the federal government embracing this. The plan is to have all federal government websites fully HTTPS by the end of 2016.
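The memo's end state is a site that answers plaintext HTTP only with a redirect to HTTPS. The following Python checker is an added example, not code from the article or the federal memo: it evaluates what a client observed (status code and headers, constructed below rather than captured) and lists every way a site falls short. The HSTS check and its one-year `max-age` threshold are this example's own assumptions; the memo excerpt above does not quote a header requirement, though HSTS is the usual companion to an HTTPS-only redirect because it stops browsers from making the plaintext request at all on later visits.

```python
"""Evaluate captured HTTP/HTTPS responses against an HTTPS-only policy.

Added example, not code from the Techdirt article or from the federal memo.
Observations below are constructed for a fictional agency host, not real
traffic. The HSTS requirement and MIN_HSTS_MAX_AGE are assumptions.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MIN_HSTS_MAX_AGE = 31_536_000  # one year in seconds; assumed threshold


@dataclass
class Observation:
    """One fetched URL: the response status and headers a client saw."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive lookup, since HTTP header names are case-insensitive."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value):
    """Parse Strict-Transport-Security into (max_age, include_subdomains).

    Returns (None, False) when max-age is missing or not an integer."""
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(raw.strip().strip('"'))
            except ValueError:
                return None, False
        elif name == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


def check_https_only(http_obs, https_obs):
    """Return a list of findings; an empty list means the site is HTTPS-only."""
    findings = []
    # 1. A plaintext request must be redirected to https, never answered with content.
    if http_obs.status in (301, 302, 307, 308):
        target = urlsplit(http_obs.header("Location") or "")
        if target.scheme != "https":
            findings.append(f"HTTP redirect does not point to https: {http_obs.header('Location')!r}")
    else:
        findings.append(f"HTTP request answered with status {http_obs.status} instead of a redirect")
    # 2. The HTTPS response should commit the browser to HTTPS via HSTS.
    hsts = https_obs.header("Strict-Transport-Security")
    if hsts is None:
        findings.append("HTTPS response sets no Strict-Transport-Security header")
    else:
        max_age, _ = parse_hsts(hsts)
        if max_age is None:
            findings.append(f"malformed HSTS header: {hsts!r}")
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    return findings


# Constructed observations for a fictional agency site (not real captures).
COMPLIANT = (
    Observation("http://www.agency.example/", 301,
                {"Location": "https://www.agency.example/"}),
    Observation("https://www.agency.example/", 200,
                {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
)
NONCOMPLIANT = (
    Observation("http://www.agency.example/", 200, {"Content-Type": "text/html"}),
    Observation("https://www.agency.example/", 200, {"Content-Type": "text/html"}),
)

if __name__ == "__main__":
    for label, pair in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(label, check_https_only(*pair) or ["OK"])
```

The checker deliberately treats a 200 on the plaintext URL as a finding even if the page itself is harmless, because the memo's objection is to the unencrypted connection, not to any particular page's content.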

Separately, another big step in the world of HTTPS happened quietly on Monday: Amazon started offering secure certificates, and it appears that they're looking to make getting one much easier and more convenient. Oh, and it is not just for customers registering their domains through Amazon either.

It's good to see the internet world moving more and more to a place where all connections will be encrypted.

Filed Under: certificates, cio, encryption, federal government, https, websites
Companies: amazon


Reader Comments



  • That One Guy (profile), 9 Jun 2015 @ 8:39pm

    Refreshing honesty

    Well, guess it's official then, even the government is admitting that it's run by terrorists and/or criminals, since clearly those are the only two groups that would use encryption, as the government itself constantly insists.

    Sure they may claim it's for security reasons, but given the government constantly brushes aside any similar claims when used by the public, clearly 'security' is not a valid justification, and it can only be criminal intent behind their push for widespread encryption.


    • Pixelation, 9 Jun 2015 @ 9:51pm

      Re: Refreshing honesty

      "Well, guess it's official then, even the government is admitting that it's run by terrorists and/or criminals, since clearly those are the only two groups that would use encryption, as the government itself constantly insists. "

      Or...They've found their way around encryption and are now happy to endorse it.


  • Anonymous Coward, 9 Jun 2015 @ 11:00pm

    Keep in mind...

    From the government's point of view,

    "this isn't encryption, it's only HTTPS".


  • Anonymous Coward, 10 Jun 2015 @ 12:27am

    one rule for them, a different rule for us!


  • Kronomex, 10 Jun 2015 @ 2:01am

    Ye olde, "Do as I say not as I do." What a bunch of bloody hypocrites!


  • Violynne (profile), 10 Jun 2015 @ 3:08am

    What's missing from the statement:

    "Once we empower Americans to believe our sites are secured with https, we'll quietly enable the golden keys so that we can easily see their traffic."

    There's no way in hell the US Government provides encryption to Americans without a way to break it.


    • Anonymous Coward, 10 Jun 2015 @ 5:06am

      Re:

      They already have the key to those https connections.


      • sigalrm (profile), 10 Jun 2015 @ 12:20pm

        Re: Re:

        Yes, but do they have a root certificate openly tied to the US Government pre-installed in every major browser and operating system? https://www.irs.gov's ssl cert is issued by Akamai and fails to validate due to a hostname mismatch. https://www.whitehouse.gov is signed by Verizon/Akamai. https://www.cia.gov is signed by Symantec.

        The US Government is big, and if they're going to successfully implement this mandate, they're going to need their own public root certificate authority to cost effectively sign all those new SSL Keys, and for the sake of simplicity, that root CA cert will need to be installed everywhere by default. Otherwise Grandpa is going to get a browser cert error when he goes to www.irs.gov, and we can't have that.

        Of course, once a root is installed, it can be used to sign certs for any web site.

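The "hostname mismatch" failure sigalrm describes is the name check a browser runs after the chain validates: the certificate must list the requested host name. The Python below is an editor's added example, not code from the page or from the commenter, and the SAN lists in it are constructed rather than taken from any real .gov certificate. It implements the RFC 6125 dNSName rules browsers apply (case-insensitive comparison, a `*` allowed only as the entire leftmost label, matching exactly one label), so `*.agency.example` covers `www.agency.example` but neither `agency.example` nor `a.b.agency.example`.

```python
"""Match a requested host name against the dNSName entries in a certificate's SAN.

Added example, not code from the page or the commenter. The SAN lists below
are constructed; they are not copied from any real certificate. Modern
browsers consult only the SAN extension, so the Subject CN is ignored here.
"""
import ipaddress


def _is_ip_literal(host):
    """True for IPv4/IPv6 literals, which never match a dNSName entry."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dns_name_matches(pattern, hostname):
    """True if one SAN dNSName entry (possibly a wildcard) covers hostname."""
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label, appear nowhere else, and
    # leave at least two labels to its right ('*.example' is rejected).
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    # A wildcard stands for exactly one label, so label counts must agree.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname, san_dns_names):
    """Return True if hostname is covered by any dNSName in the certificate's SAN."""
    host = hostname.rstrip(".").lower()
    if _is_ip_literal(host):
        # An IP literal can only match an iPAddress SAN entry, which this
        # example does not model.
        return False
    return any(_dns_name_matches(n.rstrip(".").lower(), host) for n in san_dns_names)


def verdict(hostname, san_dns_names):
    """Produce the message a validator would log for the name check."""
    if hostname_matches(hostname, san_dns_names):
        return f"OK: {hostname} is covered by the certificate's SAN"
    return f"HOSTNAME MISMATCH: {hostname} not in SAN [{', '.join(san_dns_names)}]"


# Constructed scenario: an agency site served through a CDN whose certificate
# was issued for the CDN's own names rather than the agency's host name.
CDN_CERT_SANS = ["edge.cdn.example", "*.cdn.example"]
AGENCY_CERT_SANS = ["agency.example", "*.agency.example"]

if __name__ == "__main__":
    print(verdict("www.agency.example", CDN_CERT_SANS))     # mismatch
    print(verdict("www.agency.example", AGENCY_CERT_SANS))  # OK
```

The point for a site operator is that a valid chain from a trusted root is necessary but not sufficient: the certificate actually served for `www.agency.example` has to name that host, which is why fronting a site through a CDN without issuing a certificate for the agency's own name produces exactly the error the comment reports.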

    • Dan (profile), 10 Jun 2015 @ 5:48am

      Re:

      Why would they need to break traffic to their own websites? Of course the government can read it--it's a government website!


  • Anonymous Coward, 10 Jun 2015 @ 3:42am

    Wait a minute. While the government is busy telling everyone to stop using encryption because it will hamper their own efforts to gather information on everyone it wants to spy on it's now switching to encrypted data for government business?

    Talk about a bunch of hypocrites.


  • TheResidentSkeptic (profile), 10 Jun 2015 @ 4:33am

    I'm not so sure...

    "Since we couldn't convince you to give us magical keys to the back door, why don't you just come in by our secure front door ... trust us, we have YOUR security in mind..."


  • Anonymous Anonymous Coward, 10 Jun 2015 @ 6:13am

    More Encryptio

    I wonder when or if they will also order the backend servers encrypted as well. Certainly all data stored (especially the password files, SSN numbers, home addresses, phone numbers, any other personally identifiable information).

    Not sure if everything needs encrypting, some expert will tell me shortly.

    Once this is accomplished, maybe we could convince all the payment services or other holders of personal information to do the same.


    • John Fenderson (profile), 10 Jun 2015 @ 10:27am

      Re: More Encryptio

      "Not sure if everything needs encrypting, some expert will tell me shortly."

      It depends on the amount of security you want. Before anyone answers "all of it", it must be acknowledged that increased security doesn't come for free. It is paid for in terms of reduced convenience. So, "all of it" is not necessarily the right answer. It all depends.

      That said, it's much better to encrypt more than is needed than to encrypt less.


      • Anonymous Anonymous Coward, 10 Jun 2015 @ 12:03pm

        Re: Re: More Encryptio

        So we will continue to be subject to the formula where the cost of PR to overcome gross embarrassment from leaked data must be greater than the cost of the encryption/decryption process, which is rarely calculated in a proactive manner.

        Of course that also means that cost of the encryption/decryption process plus good PR from being proactive must be less than the quarterly profits sent to Wall Street unless the corporation (AKA person) actually has a conscience.

        Either way, us poor suckers that have our data in non-encrypted form on some companies' (or government's) servers are potentially screwed until some legislative body (congress) pushes the right buttons.


        • John Fenderson (profile), 11 Jun 2015 @ 7:45am

          Re: Re: Re: More Encryptio

          I wasn't talking about the cost of PR. Companies that determine the correct amount of security based on a PR cost/benefit analysis are companies that should be avoided no matter how much security that ends up being. Of course, it's not always clear when they're doing this.


          • Anonymous Anonymous Coward, 11 Jun 2015 @ 8:42am

            Re: Re: Re: Re: More Encryptio

            Sorry if I made it sound like you were. I was referring to excuses likely made by companies that don't encrypt when they should. I have always had a funny feeling about that line in Balance Sheets called 'Goodwill'.


  • Anonymous Coward, 10 Jun 2015 @ 6:15am

    Day late, dollar short. If this is a democracy I will have no part in it. The US government is more interested in spying on their citizens, the people who pay the bills, than in securing electronic communications. Stupid is as stupid does.


  • Mason Wheeler (profile), 10 Jun 2015 @ 6:57am

    Hmm... what about the NSA's website? :P


  • connermac725 (profile), 10 Jun 2015 @ 8:01am

    encryption

    so are they pedophiles or terrorists?
    the two things all of the talking heads call people who use encryption


  • ChurchHatesTucker (profile), 10 Jun 2015 @ 8:19am

    Heh

    Presumably this applies to fbi.gov?


  • jlaprise (profile), 10 Jun 2015 @ 8:23am

    This has been the government's default solution since the dawn of the Information Security Era beginning with the Ford Administration's reaction to Soviet interception of microwave communication.


  • bobmorning (profile), 10 Jun 2015 @ 8:34am

    And the feds will screw this up

    I can just see the proliferation of self-signed certs which will provide NO assurance that the communication channel is truly secure. The government is notorious for using self-signed certs internally; why would we expect the externally facing sites to do anything different?


    • John Fenderson (profile), 10 Jun 2015 @ 8:36am

      Re: And the feds will screw this up

      There is nothing wrong with self-signed certs, as long as there is a way to get them that is trustworthy. In fact, self-signed certs are more trustworthy than ones signed by a CA because you're not taking someone else's word for whether or not the cert is trustworthy.


  • Violated (profile), 10 Jun 2015 @ 9:40am

    Amazon

    I will add that Amazon sure needs to make their popular shopping website HTTPS encrypted to give their users the fully secure shopping experience.

    They seem to be making some progress but as can be seen here they have yet to get the right certificates installed... https://ecx.images-amazon.com/images/I/917G5gsQjgL._SL1500_.jpg

    Other secure sites would also like to link to them but cannot link to an insecure site.


  • Anonymous Coward, 10 Jun 2015 @ 6:15pm

    Wasn't encryption evil according to the FBI?


