UK Government Websites To Be Secured By HTTPS, HSTS, DMARC By October 2016

Beginning October 1, all UK government services websites will need to ensure that they use HTTPS encryption with HSTS protection against downgrade attacks (attacks trying to switch users to using the HTTP version of the site). DMARC, an email authentication protocol, will also have to be supported to increase the security of these services’ emails.

A year ago, the U.S. government announced that all federal websites will have to use HTTPS encryption within 18 months. This was part of a bigger plan to improve the security of federal agencies’ websites and systems, following major data breaches such as the OPM (Office of Personnel Management) hack.

It stands to reason that not just the data of federal employees should be protected, but also the data of the people who visit these federal websites. HTTPS encryption can protect their data and their privacy, and it could also protect them from man-in-the-middle attacks or from getting malware by connecting to the government’s own websites.


The UK government laid out its own plans to use HTTPS encryption for government services back in 2012, but it was more of an encouragement rather than an obligation. The service managers now have an October 2016 deadline to enable HTTPS for their public websites.

The government is also mandating that the websites use HSTS (HTTP Strict Transport Security), a security feature that can “pin” the HTTPS encryption in people’ browsers when they first connect to such websites. However, to further ensure that they will always connect over HTTPS, the UK government will submit the domain to browser makers’ HSTS preload lists this September. Services websites that work only over unencrypted connections will stop working on modern browsers after the October deadline.


The UK government also mandated that all services use the DMARC protocol for email authentication, as well. The DMARC policies will ensure that the emails being received aren’t sent by scammers and phishers.

All services should publish a DMARC policy and set it to the highest level, called “p=reject.” If this policy is not set up by October 1, 2016, the emails may be rejected by external email providers. As a temporary measure, if service managers can’t set up this policy by the deadline, they could override it with “p=none.”

The UK government aims to increase the trust its citizens have in its public services and their websites. Thanks to these new security measures, people can trust that their information is safe when given to the government in an online form, for instance (although storing that data securely is a whole different issue).

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

Follow us on FacebookGoogle+, RSS, Twitter and YouTube.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Kimonajane
    No worries just run the NSA co-authored Windows full of built in back doors and you'll be safe from anyone, LOL.
  • Haravikk
    Ah the slow speed of technology in government. It's good to see them finally moving forward with this; I assume they're doing more than just adding DMARC though, as this also requires SPF and DKIM.

    It also really needs to come with strict requirements for algorithms, as many that are usable in HTTPS are no longer recommended, so HTTPS alone is not enough if you have weak encryption schemes enabled. I'd like to see them keep up to date with developments on these issues.
  • Virtual_Singularity
    Interesting. The UK govt, on the one hand, insists affiliated agencies take common sense precautions and more when it comes to security for their own sites, all the while encouraging common citizens not to routinely change their passwords (citing the inconvenience it poses), and mulls over removing encryption for them as well. Brilliant!