White House wants to encrypt every federal website

Proposal calls for using HTTPS across government to help protect privacy, prevent hacks.

In a move to improve privacy protections for people dealing with the government, the White House has proposed that all federal websites, including Defense Department sites, begin using the HTTPS protocol within two years.

Most federal websites use the unencrypted HTTP—Hypertext Transfer Protocol—connection, which can leave users open to eavesdropping, tracking and manipulation or theft of sensitive information, according to the HTTPS-Only Standard posting on the site of the federal CIO. HTTPS, or HTTP Secure, adds Transport Layer Security encryption, the White House said, which can secure the connection.

“HTTPS verifies the identity of a website or web service for a connecting client, and encrypts nearly all information sent between the website or service and the user,” the post states. “Protected information includes cookies, user agent details, URL paths, form submissions, and query string parameters. HTTPS is designed to prevent this information from being read or changed while in transit.”

The CIO’s office says HTTPS uses Transport Layer Security, although HTTPS connections can also be protected with the older Secure Sockets Layer encryption. And although HTTPS is not invulnerable to hacking, breaking it isn’t particularly easy, and using either standard would bolster security.

The Office of Management and Budget has released a draft proposal for the HTTPS-Only policy. If formally adopted, it would give federal sites two years to comply, and it would also apply to federal sites run by contractors.
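A compliance check of the kind such a policy implies, as an added example that is not code from the article or from the CIO's standard: given what a site answers over plain HTTP and over HTTPS, it reports whether plain HTTP redirects to the same host over HTTPS and whether the HTTPS response sets HSTS. The hostnames and responses are constructed, and the one-year HSTS minimum is an assumption rather than a figure from the proposal.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Response:
    status: int
    headers: dict  # header names in whatever case the server sent them

def header(resp, name):
    """Case-insensitive header lookup; None if absent."""
    for k, v in resp.headers.items():
        if k.lower() == name.lower():
            return v
    return None

def hsts_max_age(value):
    """max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None

def assess_https_only(host, http_resp, https_resp, min_hsts=31536000):
    """Findings against an HTTPS-only bar; an empty list means the site passes.
    min_hsts (one year) is an assumed minimum, not a figure from the standard."""
    findings = []
    # Plain HTTP must redirect to the same host over HTTPS rather than serve content.
    if http_resp.status in (301, 302, 307, 308):
        target = urlsplit(header(http_resp, "Location") or "")
        if target.scheme != "https" or target.hostname != host:
            findings.append(f"HTTP redirects to {target.geturl()!r}, not https://{host}")
    else:
        findings.append(f"HTTP answered {http_resp.status} instead of redirecting to HTTPS")
    if https_resp is None:
        findings.append("site is not reachable over HTTPS")
        return findings
    # HSTS only counts on the HTTPS response; browsers ignore it over plain HTTP.
    hsts = header(https_resp, "Strict-Transport-Security")
    age = hsts_max_age(hsts) if hsts else None
    if age is None:
        findings.append("HTTPS response lacks a usable Strict-Transport-Security header")
    elif age < min_hsts:
        findings.append(f"HSTS max-age {age} is below the assumed minimum of {min_hsts}")
    return findings

# Constructed captures: a public-information site with no HTTPS, and a transactional portal.
PUBLIC_SITE = ("info.example.gov", Response(200, {"Content-Type": "text/html"}), None)
PORTAL = ("portal.example.gov", Response(301, {"Location": "https://portal.example.gov/"}),
          Response(200, {"strict-transport-security": "max-age=63072000; includeSubDomains"}))
```

Feed it real captures from a plain HTTP request and an HTTPS request to the same host, and an empty list means the site already meets the redirect-plus-HSTS bar.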

HTTPS has been around for decades, and is currently used on many popular websites, including Google, Facebook and most e-commerce sites. The layer of encryption does add some computing overhead, potentially slowing things down, but the growth of broadband connections and faster hardware and software in recent years has made the latency imperceptible for many users and made wider use of HTTPS more feasible.

Within the Defense Department, use of encryption to date has tended to depend on whether websites hold personal information. For example, general access sites that disseminate public information, such as Defense.gov, or the Defense Advanced Research Projects Agency’s website, currently don’t use HTTPS. Sites that would hold personal information or host transactions, such as Army Knowledge Online and the Navy-Marine Corps Intranet, do. OMB’s proposal encourages employee intranets to use HTTPS but would not require it.

Although the proposal would apply to all government websites, it encourages agencies to give priority to “Web services that involve an exchange of personally identifiable information (PII), where the content is unambiguously sensitive in nature, or where the content receives a high level of traffic.”

Upgrading all websites to HTTPS would involve development time, the cost of procuring a security certificate and extra maintenance over time, according to the CIO’s posting, but the “tangible benefits to the American public outweigh the cost to the taxpayer.”

The Obama administration has set up a page on GitHub to solicit feedback on the proposal.