U.S. CIO Wants to Secure all Federal .gov Websites with SSL
In an effort to secure websites, the Obama administration has proposed that as many federal websites as possible start using SSL. While using HTTPS is going to cost taxpayers more money, according to the White House Office of Management and Budget, “the tangible benefits to the American public outweigh the cost to the taxpayer.”
What is the Proposed Initiative?
The proposed “The HTTPS-Only Standard” initiative issued by the CIO Council would require the use of HTTPS on all publicly accessible Federal websites and web services, which is something SSL.com has been recommending for some time now. On the official website, they wrote:
This proposed initiative, “The HTTPS-Only Standard,” would require the use of HTTPS on all publicly accessible Federal websites and web services. We encourage your feedback and suggestions.
Why Are They Doing Something Now?
An increase in cyber attacks recently has served to wake up the U.S. government as to the urgent need for information security in the United States. From the recent Sony hack to the many others that have occurred to those that may lie in wait for us in the future, the government realizes the time to act is now. This is one small step in the right direction.
Will it Actually Work to Make Citizens Safer?
While using HTTPS to secure data going to and from a website is not a foolproof way to protect a web server connected to the internet, it’s a very nice step in the right direction. To actually work well, all government agencies will need to make the switch to SSL as soon as possible. As is true most of the time, it’s better to do something rather than wait and do nothing.
Challenges and Considerations
First, note that the CIO Council is more of a talking shop than a rule-making body (it’s a council made up of the CIOs of various executive branch organs like the Environmental Protection Agency and the Department of State) and as such can only recommend rather than dictate policy.
Second, the government isn’t rushing into this blindly. They seem to understand that various challenges will be presented as they try to adopt the new cyber security rules. Here’s a look at some of the considerations they know they’re going to have to make.
- Site Performance – Once again agreeing with SSL.com, the proposal states that site performance will not be hampered by using the HTTPS protocol. This is something we’ve been saying for years.
- Server Name Indication – They also note that the Server Name Indication extension for TLS allows IP addresses to be used more efficiently, which is a good thing for any government to think about.
- API Services – Thinking ahead, they realize that non-browser connections will also need to be secured, but that it will take a more gradual and hands-on migration strategy to implement correctly.
- Strict Transport Security – As you should know by now, HTTP Strict Transport Security (HSTS) should be enabled. According to the proposal, “Once HSTS is in place, domains can be submitted to a ‘preload list’ used by all major browsers to ensure the HSTS policy is in effect at all times.”
- Domain Name System Security (DNSSEC) – Back in 2008, M-08-23, “Securing the Federal Government’s Domain Name System Infrastructure,” was issued. The new HTTPS-Only Standard does not interfere with that at all.
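As an added example (not code from the original post or from SSL.com), here is a small Python check of the Strict-Transport-Security header a site sends; it assumes the browser preload list's submission rules of a one-year minimum max-age plus the includeSubDomains and preload directives.

```python
from typing import Optional

# Minimum max-age the browser preload list requires for new submissions:
# one year in seconds (assumed from the hstspreload.org submission rules).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header: Optional[str]) -> dict:
    """Parse a Strict-Transport-Security value per RFC 6797 directive syntax."""
    policy = {"max_age": None, "include_subdomains": False,
              "preload": False, "problems": []}
    if header is None:
        policy["problems"].append("no Strict-Transport-Security header")
        return policy
    seen = set()
    for raw in header.split(";"):
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        if not name:
            continue
        value = value.strip().strip('"')
        if name in seen:  # RFC 6797: each directive may appear only once
            policy["problems"].append("duplicate directive " + name)
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy["max_age"] = int(value)
            else:
                policy["problems"].append("invalid max-age " + repr(value))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    if policy["max_age"] is None:
        policy["problems"].append("max-age directive missing")
    return policy


def preload_problems(header: Optional[str]) -> list:
    """List why a header would be rejected for preload-list submission."""
    p = parse_hsts(header)
    problems = list(p["problems"])
    if p["max_age"] is not None and p["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age %d is below %d" % (p["max_age"], PRELOAD_MIN_MAX_AGE))
    if not p["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not p["preload"]:
        problems.append("preload directive missing")
    return problems
```

An empty list from preload_problems means the header as sent is ready for submission; anything else is the fix list to work through before enabling the preload directive.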
Clearly, they’re going to have to deal with the same issues as everyone else who decides to start using SSL/TLS to encrypt data using the HTTPS protocol. The good news is that it’s not as difficult as you might imagine to make the switch.
The SSL Takeaway
The government probably should have required federal websites and web applications to use HTTPS many years ago, but it’s better late than never. What do you think about the government finally moving to secure federal websites with SSL/TLS? Leave a comment below and share your opinion.