Adopting the new standard presents significant challenges

Jun 9, 2015 08:48 GMT

Starting in 2017 (the memorandum's deadline is December 31, 2016), all publicly accessible federal websites and web services in the US must be served exclusively over HTTPS (Hypertext Transfer Protocol Secure), so that everything exchanged with visitors travels over an encrypted, authenticated connection rather than merely being offered HTTPS as an option.

The White House Office of Management and Budget (OMB) issued the HTTPS-Only Standard directive (memorandum M-15-13) on Monday, following a period of public comment and suggestions that began when the policy was first proposed in March.

Feedback from Internet standards bodies, browser vendors and members of the public was incorporated into the final policy.

A secure channel between the citizens and government web resources

As of March 29, only 31% of the almost 1,200 federal websites surveyed supported HTTPS at all, and some of those that did were still using certificates signed with SHA-1, a hash algorithm that browser vendors were already in the process of deprecating for certificate signatures.

In the memorandum addressed to the heads of executive departments and agencies, US Chief Information Officer Tony Scott describes both the security benefits and the limitations of HTTPS.

A secure connection to a federal website protects data in transit: it prevents eavesdropping on, tracking of, and tampering with the information exchanged. It does nothing, however, to protect the web server itself against intrusion; a compromised server serves its content over a perfectly valid HTTPS connection.

Nor does encryption hide metadata. A network observer can still see the client's and server's IP addresses, the destination hostname (sent in the clear in the DNS lookup and in the TLS Server Name Indication extension), how long a visitor stays on the site, and the size of the requests and responses exchanged.

Most importantly, HTTPS only secures the channel between two endpoints. If either party is compromised, the attacker sits inside one end of the connection, and the encryption offers no further protection for the data exchanged.

Switching to the new standard won't be easy

Moving to HTTPS is neither easy nor cheap, because every resource a government site loads (images, scripts, fonts, iframes) must itself be fetched over a secure connection; otherwise browsers flag the page for mixed content, or block the offending resource outright.

“When migrating existing websites, this can involve a combination of automated and manual effort to update, replace, or remove references to insecure resources. For some websites, this can be the most time consuming aspect of the migration process,” Scott highlights as one of the challenges.
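As an added illustration of the automated part of that effort (example code, not a tool from OMB or the article), the following Python script scans a page's HTML for subresources referenced over plain http:// and separates "active" mixed content (scripts, stylesheets, frames, which browsers block outright on an HTTPS page) from "passive" content (images and media, which browsers typically load but flag). The sample page and the example.gov hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresource-loading (tag, attribute) pairs and how browsers treat them when
# fetched over plain http from an https page: "active" content is blocked,
# "passive" content is usually loaded but flagged in the address bar.
SUBRESOURCES = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",     # only when rel="stylesheet", see handle_starttag
    ("object", "data"): "active",
    ("embed", "src"): "active",
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}


class MixedContentFinder(HTMLParser):
    """Collects (severity, tag, attribute, resolved_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def _insecure(self, ref):
        # Resolve relative and protocol-relative references against the page URL:
        # "/x.png" and "//cdn/x.js" inherit https and are fine; "http://..." is not.
        resolved = urljoin(self.page_url, ref.strip())
        return resolved if urlsplit(resolved).scheme == "http" else None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
            return  # canonical/alternate links are not fetched as page subresources
        for (t, a), severity in SUBRESOURCES.items():
            if t == tag and a in attrs:
                bad = self._insecure(attrs[a])
                if bad:
                    self.findings.append((severity, tag, a, bad))


def find_mixed_content(html, page_url):
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def blocking_findings(findings):
    """Only the references that will break the page in a browser, not merely warn."""
    return [f for f in findings if f[0] == "active"]


# Constructed sample page; the example.gov hosts are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.gov/site.css">
<link rel="canonical" href="http://www.example.gov/index.html">
<script src="//cdn.example.gov/app.js"></script>
<script src="http://cdn.example.gov/analytics.js"></script>
</head><body>
<img src="/images/seal.png">
<img src="http://www.example.gov/images/banner.jpg">
<iframe src="https://widgets.example.gov/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, attr, url in find_mixed_content(SAMPLE_PAGE, "https://www.example.gov/index.html"):
        print(f"{severity:8} <{tag} {attr}> {url}")
```

Run against the sample it reports the stylesheet and the analytics script as blocking and the banner image as a warning, while leaving the protocol-relative script, the relative image and the canonical link alone. It only covers HTML attributes; references inside CSS (url(...)), srcset lists and JavaScript still need a separate pass.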

Implementation also has to allow for maintenance. The deployment should make it possible to address security issues promptly, which in practice means certificates, cipher suite choices and protocol versions must be easy to change.

Failing to replace expiring certificates, retire weak ciphers or move to a newer protocol version leaves known weaknesses in place for threat actors to exploit.

On the other hand, serving every federal resource over HTTPS establishes a uniform privacy baseline and removes the burden of deciding which content or browsing activity is sensitive enough to warrant protection.