The US has announced that all government websites must use HTTPS by 30 December 2016.
The memorandum issued by the Executive Office of the President declared that “all publicly accessible Federal websites and web services only provide service through a secure connection. The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS)”.
An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the Federal Government as a leader in Internet security, the memorandum stated.
“An HTTPS-Only standard will eliminate inconsistent, subjective determinations across agencies regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide. Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and may reduce their confidence in their government”, states the memorandum.
The Memorandum stipulates a number of guidelines for agency implementation:
- All new federal government websites and services at all Federal agency domains or sub-domains must adhere to the policy upon launch
- For existing websites and services, agencies should prioritize deployment using a risk-based analysis.
- Web services that involve an exchange of personally identifiable information, where the content is unambiguously sensitive in nature, or where the content receives a high level of traffic should receive priority and be migrated as soon as possible.
- All existing federal government websites and services must be made accessible through a secure connection by December 31, 2016.
- The use of HTTPS is encouraged on intranets, but not explicitly required.
A public dashboard has been established to monitor agency compliance.
US Federal Trade Commission Chief Technologist Ashkan Soltani announced on the agency’s blog: “I’m pleased to announce that our agency has enabled encryption by default (HTTPS) for ftc.gov”. “While we have long provided secure transport for FTC domains that handle sensitive consumer data, such as complaint data and email subscriptions, consumers will now browse our entire site more privately, and their browsers will automatically verify the identity of the website to which they’re connecting – an important step to mitigate attempts to impersonate the FTC”, wrote Mr Soltani.
View the HTTPS Only Standard.