U.S. Federal Government Will Adopt HTTPS For All Of Its Websites
Following a catastrophic Office of Personnel Management (OPM) hack, where the data of over 4 million federal employees was stolen, as well as other private sector data breaches, the U.S. government seems to be getting more serious about defensive online security instead of simply using the "cybersecurity" rhetoric to pass more surveillance laws.
The White House Office of Management and Budget (OMB) issued today the "HTTPS-Only Standard" directive (PDF), which will require all federal websites and services to use secure HTTPS connections. All federal websites will have to use this standard by December 31, 2016, so most federal services will likely still remain unencrypted for the next one and a half years.
A public dashboard has already been created to monitor the progress of these websites in adopting HTTPS. By the looks of it, almost a third already use HTTPS, but with varying degrees of security. The creators of the dashboard have added SSL Lab's grading system, which shows that even if some sites use HTTPS, they only get the grade "F" for the strength of their security.
The fact that the dashboard and the security grading exists will hopefully mean that those in charge of upgrading certain federal websites to HTTPS will be encouraged to adopt the strongest possible security.
The OBM believes that the HTTPS-only standard will eliminate inconsistent decisions about which content should be secured and which shouldn't be. This will ultimately create a stronger standard for privacy across the government's federal services.
The Chrome and Firefox browsers will eventually deprecate the use of HTTP on the Web, too, which means it was only a matter of time before the government had to move to using only HTTPS connections. The transition will still take up to 18 months, so this seems like the right time to do it.
The HTTPS-only directive is a great step in the right direction and one that probably should have happened years ago, but as the OPM data breach showed, much of the data the government keeps in its databases isn't even encrypted.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
HTTPS only encrypts data in transit, but it doesn't prevent the data from being stolen. If it is stolen, it can also be used or sold by malicious hackers if it's not encrypted. Therefore, rather than making encryption public enemy #1, it might be wiser to embrace and quickly adopt such strong encryption everywhere in the government. The FBI and other agencies should also encourage (as they once did) private companies and users to protect themselves with strong encryption and security practices against malicious hackers.
Follow us @tomshardware, on Facebook and on Google+.
-
jaber2 I'm honestly shocked to know that their websites were not already using HTTPS.
Next they will start using firewall -
joesavy86 I'm honestly shocked to know that their websites were not already using HTTPS.
Next they will start using firewall
I lol'd at this.
-
ChromeTusk It's about time! I just hope they don't go with the lowest bidder when equipment needs upgrades.Reply -
none12345 "I'm honestly shocked to know that their websites were not already using HTTPS. "Reply
You shouldn't be. All the time you hear about 'hackes' getting into government computers when all they do is just log in with a blank password. Ya that's right, a massive number of government computers have blank administrator passwords.
Here is a british guy who logged into 97 government computers with blank passwords in 2001-2002 http://en.wikipedia.org/wiki/Gary_McKinnon
Security on most government systems is more then just a joke.