Beginning October 1, all UK government service websites will need to use HTTPS encryption with HSTS protection against downgrade attacks (attacks that try to switch users to the HTTP version of a site). DMARC, an email authentication protocol, will also have to be supported to make these services’ emails harder to spoof.
A year ago, the U.S. government announced that all federal websites will have to use HTTPS encryption within 18 months. This was part of a bigger plan to improve the security of federal agencies’ websites and systems, following major data breaches such as the OPM (Office of Personnel Management) hack.
It stands to reason that not just the data of federal employees should be protected, but also the data of the people who visit these federal websites. HTTPS encryption protects their data and their privacy, and it also protects them from man-in-the-middle attacks and from being served malware over a tampered connection to the government’s own websites.
HTTPS And HSTS
The UK government laid out its own plans to use HTTPS encryption for government services back in 2012, but it was more of an encouragement rather than an obligation. The service managers now have an October 2016 deadline to enable HTTPS for their public websites.
The government is also mandating that the websites use HSTS (HTTP Strict Transport Security), a security feature that “pins” HTTPS in people’s browsers: once a browser has seen the HSTS header on a first HTTPS visit, it refuses to load that site over plain HTTP for the period the header specifies. However, to ensure that browsers connect over HTTPS even on the very first visit, the UK government will submit the service.gov.uk domain to browser makers’ HSTS preload lists this September. Service websites that work only over unencrypted connections will stop working in modern browsers after the October deadline.
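To make the HSTS mechanism concrete, the following added example (not code from the article or from the UK government) parses a Strict-Transport-Security header, lists the problems that would stop a domain from qualifying for the preload list, and models how a browser caches a policy and rewrites later http:// requests. The preload requirements used here (max-age of at least one year, includeSubDomains, preload) are stated as an assumption about the hstspreload.org submission rules, and the host names in the test are constructed.

```python
"""Added example: how an HSTS header is parsed, checked, and applied by a browser."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31_536_000  # seconds; assumed preload-list minimum for max-age


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797): ';'-separated,
    case-insensitive directives. Returns None when a browser would ignore it."""
    max_age = None
    include_subdomains = preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age: whole header is ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None  # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(header: str) -> List[str]:
    """Reasons (assumed preload-list rules) why this header would not qualify."""
    policy = parse_hsts(header)
    if policy is None:
        return ["header missing or malformed (no valid max-age)"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


class HstsStore:
    """Minimal model of a browser's HSTS cache (no persistence, no preload list)."""

    def __init__(self) -> None:
        self._hosts: Dict[str, Tuple[HstsPolicy, float]] = {}

    def record(self, host: str, header: str, scheme: str, now: Optional[float] = None) -> None:
        # RFC 6797: the header is only honoured when received over HTTPS, so an
        # attacker on a plain-HTTP connection cannot plant or alter a policy.
        if scheme != "https":
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        now = time.time() if now is None else now
        if policy.max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the browser to forget the host
            return
        self._hosts[host] = (policy, now + policy.max_age)

    def is_known(self, host: str, now: Optional[float] = None) -> bool:
        """True if an unexpired policy covers host (directly or via includeSubDomains)."""
        now = time.time() if now is None else now
        for known, (policy, expiry) in self._hosts.items():
            if now >= expiry:
                continue
            if host == known or (policy.include_subdomains and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url: str, now: Optional[float] = None) -> str:
        """Upgrade an http:// URL to https:// when the host is a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        # Port 80 becomes the default HTTPS port; any other explicit port is kept.
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    header = "max-age=31536000; includeSubDomains; preload"
    print("preload problems:", preload_problems("max-age=300") or "none")
    store = HstsStore()
    store.record("example.org", header, "https")  # constructed host
    print(store.rewrite("http://www.example.org/apply"))
```

The two behaviours worth noticing are in `HstsStore.record`: a header received over plain HTTP is discarded, and `max-age=0` clears the entry, which is how a site backs out of HSTS if it ever needs to.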
The UK government also mandated that all services use the DMARC protocol for email authentication. A published DMARC policy lets receiving mail servers check that messages claiming to come from a service’s domain really were sent by it, rather than by scammers and phishers.
All services should publish a DMARC policy and set it to the strictest level, “p=reject.” If this policy is not set up by October 1, 2016, the emails may be rejected by external email providers. As a temporary measure, if service managers can’t set up this policy by the deadline, they could publish “p=none” instead.
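The following added example (not code from the article or from the UK government) shows what those policy levels mean in practice: it parses a DMARC TXT record, validates the tags the standard requires, and works out what a receiving mail server does with a message that fails authentication under each policy. The record strings, domain names and report address are constructed for the example, and the `pct` sampling tag is deliberately ignored so the outcome is deterministic.

```python
"""Added example: parsing a DMARC record and applying its policy at the receiver."""
from typing import Dict

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record (RFC 7489 tag=value list, ';'-separated).
    Raises ValueError for records a receiver would treat as absent."""
    tags: Dict[str, str] = {}
    first = True
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        name, value = name.strip().lower(), value.strip()
        if first and (name != "v" or value != "DMARC1"):
            raise ValueError("record must start with v=DMARC1")
        first = False
        tags[name] = value
    if "p" not in tags:
        raise ValueError("p tag (policy) is required")
    for key in ("p", "sp"):
        if key in tags and tags[key] not in VALID_POLICIES:
            raise ValueError(f"{key}={tags[key]!r} is not one of {VALID_POLICIES}")
    return tags


def meets_reject_requirement(record: str) -> bool:
    """True only for a valid record whose organisational policy is p=reject."""
    try:
        return parse_dmarc(record)["p"] == "reject"
    except ValueError:
        return False


def disposition(tags: Dict[str, str], from_domain: str, policy_domain: str,
                spf_aligned: bool, dkim_aligned: bool) -> str:
    """What a receiver does with a message, given the policy and the aligned
    SPF/DKIM results. DMARC passes if either aligned mechanism passes."""
    if spf_aligned or dkim_aligned:
        return "pass"
    # The sp tag, when present, governs subdomains of the policy domain.
    is_subdomain = from_domain != policy_domain and from_domain.endswith("." + policy_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    # pct (percentage of failing mail the policy applies to) is ignored here.
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    # Constructed records: the stopgap monitoring policy and the required one.
    monitor_only = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"
    strict = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.org"
    for rec in (monitor_only, strict):
        tags = parse_dmarc(rec)
        print(rec, "->", disposition(tags, "example.org", "example.org", False, False))
```

The `meets_reject_requirement` check is the one a service manager would run against their own DNS before the deadline; a `p=none` record passes DMARC validation but, as the last line of `disposition` shows, it changes nothing about delivery and only generates reports.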
The UK government aims to increase the trust its citizens have in its public services and their websites. Thanks to these new security measures, people can trust that their information is safe when given to the government in an online form, for instance (although storing that data securely is a whole different issue).
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.