    Federal Government Leading the Way in Internet Security With HTTPS Mandate

    Most internet users have at least a basic expectation of security for the websites they visit. This is especially true for certain kinds of websites, such as banking institutions, e-commerce stores, and government websites. HTTPS, the best practice for web security, has long been the choice for all websites involving a financial transaction. Websites for the US government, though, continued to use the less secure HTTP. At the end of 2016, this officially changed with a mandate for all government sites and servers to use the more secure, encrypted protocol.

    This change matters for users, but it’s perhaps particularly important as a measure of protection for the government itself. Recent hacks of government systems have made the need more pressing than ever. The mandate came in June 2015 from the White House Office of Management and Budget. The HTTPS-Only Standard directive required all federal websites and web services to comply by the end of 2016.

    At this point, the governmental shift to HTTPS only applies to the federal .gov domains, but many are hoping it will set an example that will trickle down to state and local governments as well. It also remains to be seen if the judicial and legislative branches will adopt the policy espoused by the executive branch. The government likely didn’t make this shift sooner simply because such a massive change can be a bit of a headache. There’s always some resistance to change, and enacting a major technical change is always difficult. That said, the importance of security for governmental purposes cannot be overstated, so the change was long overdue.

    HTTPS functions just like HTTP, in that it is the protocol that connects your browser and the server a website is hosted on. With HTTPS, everything sent over that connection is encrypted, so a third party on the network cannot read or alter it in transit. This means a user can trust that what they type or do on a website is not exposed to eavesdroppers along the way. The server's certificate also lets you trust that the website content is from who it claims to be from. HTTP Strict Transport Security (HSTS) will also be enforced, something that ensures your browser always connects via HTTPS and can’t be downgraded to HTTP and redirected to an imposter site.

    An important thing to note for the governmental shift to HTTPS is that it doesn’t just apply to websites. All web services are included, so email and intranets will also be secure and protected. While HTTPS doesn’t make hacking impossible, it at least secures much of the transfer of information and thus makes hacking more difficult.

    In the official statement from United States Chief Information Officer Tony Scott, the concluding thought was the hope that the governmental policy change would reach far beyond the federal government by “driving faster internet-wide adoption of HTTPS and promoting better privacy standards for the entire browsing public.” As one of the pillars of internet security, HTTPS is certainly the right direction for the web to be going in.