President Barack Obama's chief information officer, Tony Scott, issued a memorandum on Monday requiring that "all publicly accessible federal websites and web services only provide service through a secure connection." (A Web-native version of the memorandum and related materials are online.
[Original cartoon by Allie Bosh]
The memorandum states that the "strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS)" and gives federal agencies a Dec. 31, 2016, deadline to adopt the security standard.
HTTPS is a secure method of communication over a network. The acronym HTTPS combines Hypertext Transfer Protocol (HTTP), which you see in the address bar of every Web browser to the left of the domain name, with Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Adding the extra layer helps protect the user.
"Unencrypted HTTP connections create a vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services," wrote Scott, in a blog post at WhiteHouse.gov. "This data can include browser identity, website content, search terms, and other user-submitted information. To address these concerns, many commercial organizations have already adopted HTTPS-only policies to protect visitors to their websites and services. Today’s action will deliver that same protection to users of Federal websites and services."
"I published a detailed pull request today that shows exactly what changed between the proposed version of the memo, and the final memo," said Eric Mill, a General Services Administration software engineer with the agency's tech development team, called 18F. "The most substantive change was setting a specific deadline of Dec. 31, 2016, which is a bit shorter than originally proposed. We also emphasized that higher priority sites should not wait until the end of the process, and added some explicit mention of best practices around forward secrecy and modern ciphers/protocols.
As a post about the move to HTTPS everywhere at 18F notes, the comments included widespread support for a security policy that virtually every major standards body, technology company and civil liberties organization stands behind.
"HTTPS everywhere makes the whole government stronger, and the whole Web stronger," Mill said in an interview. "There's some explanation on the HTTPS guidance site. This section describes the improved technical guarantees pretty well:"
By always using HTTPS, web services don’t have to make a subjective judgment call about what’s “sensitive”. This leaves less room for error, and makes deployment simpler and more consistent.
Widespread use of HTTPS also means that clients can begin assuming HTTPS with more confidence. Attacks designed to track large quantities of unencrypted traffic become less attractive.
Web browsers can begin displaying HTTPS connections as normal, and HTTP connections as non-secure. HTTPS validation failures can become more strict, reducing the effectiveness of phishing and user error.
These changed expectations improve the security of HTTPS on every website. In other words, protecting less sensitive sites strengthens the protections of more sensitive sites.
"It's also important to put this in the context of the Web's overall transition," said Mill.
When the White House published its proposal in March, the Internet Engineering Task Force, the group that develops voluntary Internet standards, and the World Wide Web Consortium, which enforces formal standards, both published statements supporting a Web that's secure by default. The browser Chrome had announced it planned to mark HTTP as "affirmatively non-secure".
Firefox also announced plans to deprecate HTTP, and the online ad industry's chief trade group called for HTTPS for ads. Both cited the government's proposal, Mill said. "18F's blog post ends with a paragraph that sums up how we feel about that:"
As a provider of vital public services, the U.S. government has a responsibility to keep up with web standards and evolving best practices. As the birthplace of the Internet, the U.S. government has a special responsibility to support the Internet's long-term health and vitality. This new policy, and the leadership it demonstrates, will help the U.S. meet those responsibilities and help the Internet remain a safe place for its users around the world.
Imagine if someone searched for sensitive health information online and visited a government website, AIDS.gov. With HTTPS, the person's identity could be obscured. Notably, AIDS.gov was one of 19 .gov websites that moved to HTTPS in February. (Equally notably, it wasn't using it before then.)
At a time when American attitudes about privacy, security and surveillance reflect widespread unease with data collection and control, this is unequivocally good news.
As I wrote earlier this year, reporting on the news that WhiteHouse.gov had shifted to HTTPS, a .gov website using HTTPS encryption by default is a perfect example of “privacy by design."
This is also good news for making government websites more visible on Google, the world's largest search engine. Last year, Google announced that it would boost the search rankings of HTTPS-protected sites.
Moving to HTTPS by default isn't a panacea for securing the traffic of citizens online or their data on government servers, as Scott acknowledged in his blog post.
"HTTPS only guarantees the integrity of the connection between two systems, not the systems themselves," Scott wrote. "It is not designed to protect a web server from being hacked or compromised, or to prevent the web service from exposing user information during its normal operation. An HTTPS-Only standard, however, will eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide."
The White House directing every agency with a federal website to move to HTTPS everywhere will add some costs. The Office of Management and Budget is providing technical assistance to government agencies.
The memorandum doesn't address how the federal government is going to respond to ongoing concerns about maintaining digital certificate security.
Certificate authorities, like Symantex, Comodo or GlobalSign in the private sector, issue digital certificates that verify whether the named subject of a public key used in encryption is in fact the owner of that key and may be trusted to form a secure HTTPS connection. In the wake of last year's OpenSSL bug, revocations of these certificates shot up.
This may create trouble for government webmasters in the switch to HTTPS, an alert commenter pointed out in March. "The U.S. government Treasury root certificate for SSL is not accepted by most browsers, and many gov orgs don’t have budget for commercial cert[ificates]," wrote Jon Verve. "If this goes forward as mandate, then we will see a ton of folks getting the red bold screen 'this certificate is not trusted' error. 18F may not realize how much work is required to get this systemic issue fixed."
There's also reason to be skeptical of whether the U.S. government will be able to meet the deadline for compliance with a presidential memorandum, especially one issued in the last quarter of the Obama administration. In 2005, the Bush administration issued a memorandum mandating that federal IT purchases include capabilities for a next-generation network standard when possible. In 2012, the Obama administration issued another memorandum that defined adoption milestones for the IPv6 network standard, including one to "Upgrade public/external facing servers and services" should "operationally use native IPv6 by the end of FY 2012."
That hasn't happened. While the government's adoption of IPv6 is outpacing the private sector, at an estimated 55 percent, data from the government's National Institute of Standards and Technology shows that federal agencies are far behind what Obama directed three years ago.
"I think there's reason for optimism about overall uptake and compliance," said Mill, when asked about the issue. "Last week, 18F, in collaboration with the Office of Government-wide Policy here at GSA (which runs the .gov registry, among other things) released a public dashboard called Pulse that monitors participation in the Digital Analytics Program, and HTTPS deployment."
"Pulse isn't a perfect status dashboard for the policy," said Mill. "For now, it only measures parent .gov domains and not subdomains, and the big percentage number for HTTPS measures use and not enforcement/HSTS.
When asked about the potential adoption curve, he was optimistic.
"While I don't work on IPv6, I think it's important to note that deploying IPv6 and HTTPS are very different, and the overall state of deployment in the world reflects that," said Mill.
"IPv6 requires tearing up infrastructure (and replacing actual hardware all over the world), and support for IPv6 isn't always present in support software and commercial services. HTTPS, on the other hand, has been around since the late-90s, and just about every bit of network hardware and software out there supports it. Properly configured, it Just works today, and that's a big part of why adoption has been seeing such uptake on the Web generally."
Editor's Note: The original headline of this article stated that White House mandated 'HTTPS Everywhere' for federal websites. HTTPS Everywhere is a Web browser extension made by the Electronic Frontier Foundation that encrypts a user's communications with websites. We've updated the headline to make sure readers are not confused. -ABH