HTTPS For All

With the release of a new dashboard to measure best Web practices in the federal government and the establishment of a government-wide HTTPS Only Standard, the time to make the switch to HTTPS has arrived. Agencies have until December 31, 2016, to make the switch. The move to HTTPS is not only happening in government; it is also becoming the standard in industry as well. Firefox and Chrome have begun taking actions to phase out HTTP to make browsing more secure.

The use of HTTPS allows browsers to provide a more secure experience to the end user. Many ask why there is a need for HTTPS on all sites, even those that do not collect personally identifiable information (PII). Eric Mill, a technologist at 18F, believes that everything you do online should be secure.

“All browsing is private and sensitive,” said Mill. “Anything you do online over an insecure connection opens you up to being tracked or having the website you’re trying to visit spoofed or modified. HTTPS ensures that your activity stays between you and the website you visit. As HTTPS becomes the default for the government and for the Web, browsers can start making stronger assumptions about all websites, and so the use of HTTPS even on less sensitive sites improves security for everyone, including more sensitive sites.”

The HTTPS policy will make HTTPS the default across the federal government, improving the privacy and security of its visitors and API users around the world.

Agencies implementing HTTPS can refer to the CIO Council’s website for technical guidance and best practices and can contribute to that site and collaborate publicly on HTTPS implementation on GitHub. Anyone with a .gov or .mil email address can participate in an HTTPS support list by emailing the listserv—leave the subject line empty and add “subscribe https-help” to the body.

Norms change quickly. The use of HTTPS ensures the highest level of protection for the government’s end user: the public.