In June 2015, the US Chief Information Officer (CIO) issued a memorandum mandating HTTPS-only for all Federal websites and web services. This policy is also known as Always-On SSL and HTTPS Everywhere.
The majority of Federal websites use HTTP; however, the CIO states that HTTP is susceptible to interception, manipulation and impersonation. This vulnerability can be mitigated by an HTTPS-only policy, which must be implemented for all existing sites and services by December 31, 2016. Agency compliance can be monitored through their HTTPS Pulse.
The CIO also sends the message that “All browsing activity should be considered private and sensitive.” With the HTTPS-only standard, there will be no more subjective determinations as to which browsing activity is sensitive in nature. Such a position will mitigate known threats and increase confidence in the Federal government.
HTTPS is deployed using an SSL/TLS certificate issued by a trusted certification authority (CA). The CA performs validation to ensure that the certificate requester owns or controls the domain. For Federal sites, the department name and location are also added to the certificate, and this information is verified by the CA. Having a CA-issued certificate on the website prevents unidentified or untrusted websites from masquerading as a Federal website or service.
The CIO lists some challenges and considerations for deploying HTTPS-only. These items are also addressed on the HTTPS-Only Standard home page:
The CIO acknowledges that HTTPS-only will not come without cost. However, this cost does not outweigh the cost of eavesdropping on taxpayers, which could result in substantial losses to citizens.
In addition to privacy, HTTPS-only will also provide the following:
When deploying HTTPS-only, you should also consider using HTTP Strict Transport Security (HSTS). By sending a Strict-Transport-Security header from your server, you instruct a browser that your site should only be accessed over HTTPS. On all future visits to your site, modern browsers will insist on HTTPS. If the site is presented without HTTPS, a security warning is shown, which indicates that this is not your site. Your site can also be added to an HSTS preload list, which mitigates the first-use attack on your site (the first visit, before the browser has ever seen your HSTS header). Please note that the Federal policy is to support HSTS by December 31, 2016.
HTTPS-only is a sound policy for the US Federal government. You should also consider protecting your users and their data by implementing HTTPS-only.