The White House Office of Management and Budget (OMB) issued a memorandum on Monday directing all publicly accessible federal websites and web services to only provide service though a secure and encrypted HTTPS connection, called the HTTPS-only standard.
“Unencrypted HTTP connections create a vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services,” Tony Scott, Federal Chief Information Officer (CIO), said in an OMB blog post on the memo.
Unsecured websites can expose data including browser identity, website content, search terms, and other user-submitted information. While many federal websites have already deployed HTTPS, the memo directs the rest to implement the change by Dec. 31, 2016.
HTTPS verifies the identity of a website or service for a connecting client and encrypts almost all of the information sent between the site and the user, the memo said. Protected information includes cookies, user agent details, URL paths, form submissions, and query string parameters. The encrypted service prevents the information from being read or changed in transit.
HTTPS is a combination of HTTP and Transport Layer Security (TLS), “a network protocol that establishes an encrypted connection to an authenticated peer over an untrusted network,” the memo said.
Browsers and HTTPS client are configured to trust a set of certificate authorities that can issue certificated signed cryptographically for web service owners. The certificates tell users that the web service host proved ownership of the domain at the time the certificate was issued. This prevents untrusted websites from impersonating federal websites or services.
HTTPS does not encrypt IP addresses or destination domain names, however. The encryption does also not prevent the indirect viewing of information like time spent on a site, or the size of requested resources or submitted information.
The HTTP-only standard includes a transition cost. “OMB affirms that tangible benefits to the American public outweigh the cost to the taxpayer. Even a small number of unofficial or malicious websites claiming to be federal services, or a small amount of eavesdropping on communication with official U.S. government sites could result in substantial losses to citizens,” the memo said.
The memorandum provides guidelines for federal agencies. Newly developed websites and services within agency domains must adhere to the policy upon launch while the transitions for existing websites and services should be prioritized using a risk-based analysis.
“Web services that involve an exchange of personally identifiable information (PII), where the content is unambiguously sensitive in nature, or where the content receives a high-level of traffic should receive priority and migrate as soon as possible.“
A website providing technical assistance and best-practices procedures for the transition to HTTPS was made available by CIO office.
A public dashboard was also created to monitor agency compliance with this directive. It notes federal domains that implement HTTPS (uses); domains that enforce, or default to HTTPS; domains that ensure supporting browsers will only ever communicate over HTTPS (HTTP Strict Transport Security of HSTS) ; and a grade measuring the quality of HTTPS configuration as calculated by SSL Labs.
According to the dashboard, 31percent of federal government domains use HTTPS as of publication. That includes 40 percent for the Department of Energy, 53 percent of General Services Administration, 22 percent of Congress/the legislative branch, 77 percent of the Executive Office of the President, 44 percent of the Department of Homeland Security, 30 percent of the Defense Department, 67 percent of the Central Intelligence Agency, 50 percent of the State Department, 57 percent of the Office of Personnel Management, 60 percent of NASA, and 0 percent of the National Security Agency. Nearly all of those enforce HTTPS at a lower rate than use it.
OMB first proposed an HHTPS-Only standard in March and requested public feedback. It received various comments and suggestions.
The use of HTTPS in intranets is also encouraged but not required.