The HTTPS switch will be flipped on by default for new sites

Jan 20, 2017 09:31 GMT

All new .gov websites in the United States will default to HTTPS starting this year, in an attempt to bolster the security of government pages that are often attacked by hackers.

The Obama administration previously set a December 31 deadline for all government websites to switch to HTTPS, but according to unofficial stats, only some 60 percent of these websites actually completed the transition.

Starting in 2017, however, all new .gov websites will have HTTPS automatically enabled, the General Services Administration announced earlier today.

“As new executive branch domains are registered, the dotgov.gov program will submit them to web browsers for “preloading”. After submission, it can take up to three months before preloading takes effect in modern web browsers. The change will be introduced to dotgov customers when they register a new domain under the Executive Branch, and will not affect existing or renewed domains,” the announcement reads.

HTTPS even for the intranet

GSA says that HTTPS will be applied to all subdomains of newly registered executive .gov websites, including intranet websites, emphasizing that sticking with HTTP even for intranet sites is not secure and “discouraged.”

As far as the target date is concerned, GSA claims it’s aiming for this new measure to come into effect in the spring of 2017, and domain customers will be notified 30 days before the change takes place.

“GSA provides extensive guidance to agencies on HTTPS deployment at https.cio.gov, and encourages .gov domain owners to obtain low cost or free certificates, trusted by the general public. As a general matter, more expensive certificates do not offer more security value to service owners, and automatic deployment of free certificates can significantly improve service owners’ security posture,” the GSA adds.

The GSA isn’t the only organization trying to push websites to HTTPS, as tech companies themselves are trying to encourage the addition of the more secure standard.

Google, for instance, is warning users when they access non-HTTPS websites that ask for private information such as passwords and credit card data, in an attempt to prevent breaches and identity theft.