from the being-the-change-people-have-been-waiting-for dept
The American people expect government websites to be secure and their interactions with those websites to be private. Hypertext Transfer Protocol Secure (HTTPS) offers the strongest privacy protection available for public web connections with today’s internet technology. The use of HTTPS reduces the risk of interception or modification of user interactions with government online services.In a statement that clashes with the NSA's activities and the FBI's push for pre-compromised encryption, the CIO asserts that when people engage with government websites, these interactions should be no one's business but their own.
This proposed initiative, “The HTTPS-Only Standard,” would require the use of HTTPS on all publicly accessible Federal websites and web services.
All browsing activity should be considered private and sensitive.The proposed standard would eliminate agencies' options, forcing them to move to HTTPS, both for their safety and the safety of their sites' visitors. To be sure, many cats will still need to be shepherded if this goes into effect, but hopefully there won't be too many details to trifle over. HTTPS or else is the CIO Council's goal -- something that shouldn't be open to too much interpretation.
As the Council points out, failing to do so places both ends of the interaction at risk. If government sites are thought to be unsafe, it has the potential to harm citizens along with the government's reputation.
Federal websites that do not use HTTPS will not keep pace with privacy and security practices used by commercial organizations, or with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and reduces their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. The proposed HTTPS-only standard will provide the public with a consistent, private browsing experience and position the Federal government as a leader in Internet security.The CIO's short, but informative, explanatory page lists the pros of this proposed move, as well as spells out what HTTPS doesn't protect against. It also notes that while most sites should actually see a performance boost from switching to HTTPS, sites that gather elements for other parties will be the most difficult to migrate. And, it notes, the move won't necessarily be inexpensive.
The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time. The development burden will vary substantially based on the size and technical infrastructure of a site. The proposed compliance timeline provides sufficient flexibility for project planning and resource alignment.But, it assures us (at least as much as any government entity can...), the money will be well-spent.
The tangible benefits to the American public outweigh the cost to the taxpayer. Even a small number of unofficial or malicious websites claiming to be Federal services, or a small amount of eavesdropping on communication with official US government sites could result in substantial losses to citizens.The CIO is also taking input from the public, at Github no less.
A very encouraging -- if rather belated -- sign that the government is still making an effort to take privacy and security seriously, rather than placing those two things on the scales for intelligence and law enforcement agencies to shift around as they see fit when weighing their desires against Americans' rights and privileges.