Following the lead of many major Web services, the White House on Monday announced that it would move all of the federal government’s public sites and services to HTTPS-only.
Tony Scott, the federal CIO, has issued a memorandum to all federal agencies and departments instructing them to move all of their publicly accessible Web sites and services to HTTPS-only by the end of 2016. The change is a significant one for an organization as large and with as broad a reach as the United States federal government. Federal agencies take in massive amounts of user data every day, and accepting only HTTPS connections will protect that data in transit.
“An HTTPS-Only standard will eliminate inconsistent, subjective determinations across agencies regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide,” Scott’s memo says.
“Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and may reduce their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the Federal Government as a leader in Internet security.”
In addition to moving all of these sites and services to HTTPS, Scott is directing federal agencies to enable HSTS (HTTP Strict Transport Security), a standard by which a site instructs browsers to use only HTTPS for all future connections to it. This helps protect against downgrade attacks that try to switch users to cleartext HTTP.
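An added audit check for the two requirements just described (plain HTTP redirecting to HTTPS, and a valid HSTS policy on the HTTPS response), written for this article rather than taken from the memo or any agency tool; the sample responses and the agency.example host are constructed.

```python
# Added example: audit a site's HTTP/HTTPS responses for the posture the memo
# requires (redirect to HTTPS + a valid HSTS policy). Not from the memo or any
# agency tool; the sample responses below are constructed.
from urllib.parse import urlsplit

ONE_YEAR = 365 * 24 * 3600  # a commonly recommended minimum HSTS max-age

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797). Returns None if a
    browser would reject it: missing/invalid max-age or a repeated directive.
    Unknown directives are ignored, as the RFC requires."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for token in (t.strip() for t in value.split(";")):
        if not token:
            continue
        name, _, val = token.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def assess(http_resp, https_resp):
    """Return findings for one host; each response is {'status', 'headers'}
    with header names lower-cased. An empty list means compliant."""
    findings = []
    loc = http_resp["headers"].get("location", "")
    if not (300 <= http_resp["status"] < 400 and urlsplit(loc).scheme == "https"):
        findings.append("plain HTTP served instead of redirecting to HTTPS")
    hsts = https_resp["headers"].get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS header on the HTTPS response")
    elif (policy := parse_hsts(hsts)) is None:
        findings.append("HSTS header malformed; browsers will ignore it")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("HSTS max-age shorter than one year")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = ({"status": 301, "headers": {"location": "https://agency.example/"}},
        {"status": 200, "headers": {"strict-transport-security":
                                    "max-age=31536000; includeSubDomains; preload"}})
WEAK = ({"status": 200, "headers": {}},
        {"status": 200, "headers": {"strict-transport-security": "max-age=300"}})
```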
Scott said in his memo that the change to secure Web connections will give consumers better confidence in the integrity of their communications with federal agencies.
“Unencrypted HTTP connections create a vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services. This data can include browser identity, website content, search terms, and other user-submitted information. To address these concerns, many commercial organizations have already adopted HTTPS-only policies to protect visitors to their websites and services. Today’s action will deliver that same protection to users of Federal websites and services,” Scott said.