Federal Agencies Mirror Commercial Websites for Encryption
Mar 15, 2017 1:47 PM PT
Private and public sector organizations share a common goal in hosting Internet websites: making sure that connections with customers and citizens are secure. However, complete security is not yet universal in either sector.
Google and Mozilla, for example, are among many entities promoting Internet security via the adoption of Hypertext Transfer Protocol Secure technology, or HTTPS, versus the basic and less secure HTTP technology that underpins Internet service.
Within the public sector, the federal chief information officer and the General Services Administration are promoting HTTPS as well. GSA recently notified federal agencies that it had developed a program designed to ensure that all new federal websites would be provided connection security automatically through the use of HTTPS encryption capabilities. The program will be launched sometime this spring, GSA said.
"This year, GSA will be taking another significant step forward in making secure communication the default for federal Web services by automatically enforcing HTTPS in modern Web browsers for newly issued executive branch 'dot-gov' (.gov) domains and their subdomains," GSA said in a notice published earlier this year.
GSA has supported HTTPS adoption actively, especially in regard to a 2015 White House directive requiring that all new federal Web services support and enforce HTTPS connections over the public Internet, and that federal agencies migrate existing Web services to HTTPS by the end of last year.
New Federal Website Encryption
In terms of creating new federal websites, as executive branch domains become registered, the dot-gov program will submit them to Web browsers for preloading, GSA said.
After submission, it could take up to three months before preloading takes effect in modern Web browsers. Once preloading is in effect, browsers will enforce HTTPS strictly for the domains and their subdomains. Users will not be able to click through certificate warnings. Any Web services on the domains will need to be accessible over HTTPS in order to be used by modern Web browsers, GSA noted.
For example, if an agency were to register a dot-gov site in May, GSA would communicate to Web browsers that the new site should be enforced as HTTPS-only. Within a few months of that time, any attempt by a user to visit the newly created HTTP site would cause their browser to redirect automatically to an HTTPS designated domain. The agency that registered the new dot-gov site would have to, on its own, configure HTTPS support so that users could navigate to the website successfully.
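The preloading behavior described above can be modeled in a few lines. The following is an added example, not GSA's or any browser's code: it parses a Strict-Transport-Security header, checks it against the submission requirements of the browser preload list (assumed here to be max-age of at least 31536000 seconds, includeSubDomains and preload, per hstspreload.org), and simulates the browser-side effect of preloading, where every http:// navigation to the domain or one of its subdomains is rewritten to https:// before any request is sent, and a preloaded host that does not actually serve HTTPS is simply unreachable. The domain agency-example.gov and the list contents are constructed placeholders.

```python
"""Model of HSTS preloading: header eligibility check plus the browser-side
HTTPS upgrade it produces. Added example; thresholds and hosts are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlsplit, urlunsplit

# Assumed preload-list requirement (hstspreload.org): max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 directive syntax).
    Returns None when the header is unusable (missing or malformed max-age)."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age: a browser ignores the whole policy
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None  # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: Optional[HstsPolicy]) -> List[str]:
    """Reasons a header would be rejected for preload submission (empty list = eligible)."""
    if policy is None:
        return ["missing or malformed Strict-Transport-Security header"]
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


def host_is_covered(host: str, preloaded: Set[str]) -> bool:
    """True if the host or any parent domain is on the preload list; preloaded
    entries cover their subdomains, so www.agency-example.gov matches agency-example.gov."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in preloaded for i in range(len(labels)))


def upgrade_navigation(url: str, preloaded: Set[str]) -> str:
    """Rewrite http:// to https:// for covered hosts, as a browser does before connecting.
    An explicit port 80 is dropped (becomes 443); any other explicit port is kept."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname or not host_is_covered(parts.hostname, preloaded):
        return url
    netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def navigation_outcome(url: str, preloaded: Set[str], https_ready: Set[str]) -> str:
    """What the user sees. https_ready is the set of hosts with a working HTTPS
    deployment (valid certificate, port 443 answering); a covered host outside it
    produces a certificate/connection error that cannot be clicked through."""
    parts = urlsplit(upgrade_navigation(url, preloaded))
    if parts.scheme != "https":
        return "plain_http"  # not preloaded: the request leaves the browser unencrypted
    return "secure" if parts.hostname in https_ready else "blocked"


if __name__ == "__main__":
    # Constructed data: one preloaded agency domain, with HTTPS deployed only on www.
    preloaded = {"agency-example.gov"}
    https_ready = {"www.agency-example.gov"}
    print(preload_problems(parse_hsts("max-age=31536000; includeSubDomains; preload")))
    print(preload_problems(parse_hsts("max-age=300")))
    print(upgrade_navigation("http://www.agency-example.gov/forms?x=1", preloaded))
    print(navigation_outcome("http://www.agency-example.gov/", preloaded, https_ready))
    print(navigation_outcome("http://legacy.agency-example.gov/", preloaded, https_ready))
```

The `navigation_outcome` cases are the operational point of the article: once the parent domain is preloaded, a subdomain the agency forgot to move to HTTPS does not fall back to plain HTTP, it stops working in modern browsers, so the header check and a subdomain inventory belong before the submission, not after.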
GSA expects the security adoption process to go fairly smoothly.
"HTTPS is a standard protocol used for an increasingly large class of Web services. Certificates can be obtained inexpensively or for free," GSA said in a statement provided to the E-Commerce Times by spokesperson Cat Langel.
Federal Web Contractors Need Not Worry
While some agencies have contracts with private sector providers for Web services, the HTTPS process should not result in a significant burden to contractors or the agencies they support, according to GSA.
It will continue to be the responsibility of an agency to obtain and deploy certificates, and to correctly configure HTTPS support for websites at those domains. If an agency website under a newly issued domain does not support HTTPS, users will be unable to visit the agency website using a modern Web browser.
GSA's program for providing automatic HTTPS technology for new federal websites, as well as the government's comprehensive plan to protect all federal websites eventually, has drawn approval from the e-commerce community.
"We are supportive of efforts by the federal government to proactively protect the privacy and security of Internet users when they use government websites. By making what used to be a laborious process into a turnkey one, GSA is doing the right thing," said Nat Meysenburg, staff technologist at New America's Open Technology Institute.
It is "making secure websites a standard practice for departments across government," he said.
"This move to blanket HTTPS by the government is yet another affirmation of the importance of encrypted websites, and will hopefully encourage even more companies to implement secure websites. As our recent work on HTTPS adoption shows, encrypted websites are quickly becoming standard operating procedure," Meysenburg told the E-Commerce Times.
"Google has long sought to provide secure Web communications with HTTPS, and is committed to offering HTTPS for increasingly more of its services," said Parisa Tabriz, a security expert at Google, in comments submitted to the Office of Management and Budget when OMB launched its program in 2015.
"In this vein, Google strongly supports the White House's proposed 'HTTPS-Only Standard' to provide people throughout the United States and the world -- exclusively secure access to U.S. Government services," she continued.
"When interacting with the government, whether for taxes, immigration, Social Security, voter registration, healthcare, or any other public service, people have a critical need for the information they send and receive to be confidential and untampered," Tabriz remarked. "HTTPS is the minimum requirement for achieving this, and Google is pleased to see the White House recognizes this need."
Federal Effort Tops Private Sector
HTTPS-enabled websites provide two major security elements over non-HTTPS sites, according to the Open Technology Institute. Encryption, the first feature, ensures that the content of a particular Web request or transaction remains confidential and cannot be accessed by anyone except the user and the relevant website.
"Even if the communication is intercepted by a third party, it will appear to be nothing but a jumble of random text," notes OTI's response to the federal HTTPS proposal.
Secondly, HTTPS "authentication verifies that a website is actually associated with the person or organization it claims to represent, rather than by an impostor who set up the site to trick users into divulging personal information, known as a phishing attack," OTI points out.
While federal agencies failed to meet the target of complete HTTPS conversion by the end of 2016, GSA's survey of federal compliance revealed significant progress toward that goal. The survey was conducted between mid-2015 and the end of 2016. GSA reached the following conclusions:
- The White House policy generated significant HTTPS adoption in the U.S. government, to the point that the government now outpaces the private sector on use of HTTPS.
- HTTPS has gone from a clear minority to a clear majority of support across executive branch dot-gov domains since the release of the policy.
- Web traffic data suggests that HTTPS is now used for most Web requests to executive branch dot-gov Web services.
The survey targeted main dot-gov sites as well as some subdomains of the parent sites -- a total of 27,000 sites. However, the survey excluded Defense Department sites under the 'dot-mil' (.mil) domain.
The GSA report's list of federal dot-gov sites may not be comprehensive, it cautions. At the end of 2016, 73 percent of executive branch dot-gov sites supported HTTPS versus about 32 percent in mid-2015.
Also, 61 percent of sites enforced HTTPS at year-end 2016 versus 15 percent at the start of the survey period. GSA referenced an October 2016 industry report on 1 million sites in comparing federal HTTPS progress versus the private sector.