In June 2015, the US chief information security officer (CIO) issued a memorandum to mandate HTTPS-only to secure Federal websites and web services. This policy is also known as Always-On SSL and HTTPS everywhere.
The majority of Federal websites use HTTP; however the CIO states that HTTP is susceptible to interception, manipulation and impersonation. This vulnerability can be mitigated by implementing an HTTPS-only policy which must be implemented to all existing sites and services by December 31, 2016. Monitoring of agency compliance can be viewed through their HTTPS Pulse.
The CIO also sends the message that “All browsing activity should be considered private and sensitive.” With the HTTPS-only standard, there will be no more subjective determinations as to which browsing activity is sensitive in nature. Such as position will mitigate known threats and increase confidence in the Federal government.
HTTPS is deployed using an SSL/TLS certificate issued from a trusted certification authority (CA). The CA performs validation to ensure the certificate requester owns or has control of the domain. For Federal sites, the department name and location will also be added to the certificate. This information is verified by the CA. Having a CA issued certificate on the website will prevent unidentified or untrusted websites from masquerading as a Federal website or service.
The CIO provides some challenges and considerations when deploying HTTPS-only. These items are also addressed on the HTTPS-Only Standard home page:
- Site Performance – Not an issue with modern software and hardware. Also, performance may increase if the site uses HTTP/2 which requires HTTPS in most modern browsers.
- Server Name Indication (SNI) – Allows for more efficient use of IP addresses when serving multiple domains; however, SNI might not be supported by some legacy clients.
- Mixed Content – Ensure all external resources are loaded over HTTPS; otherwise, modern browsers may refuse to load items or show a trust error message.
- APIs and Service – These may need to be migrated as they may not be served securely.
The CIO acknowledges that HTTPS-only will not come without cost. However, this does not outweigh the cost of eavesdropping on the taxpayer which could result in substantial losses to citizens.
In addition to privacy, HTTPS-only will also provide the following:
- Mitigates Known Vulnerabilities – Firesheep and SSLstrip are known applications which can allow an attacker to obtain user information. HTTPS-only will mitigate these attacks.
- Search Engine Optimization – Google is providing sites protected with HTTPS a higher search ranking.
- Web Site Performance – As sites move to HTTP/2 they will need to support HTTPS as most modern browsers will not support HTTP/2 without a secure connection.
- Future Proof – Interesting that browser provide security messages for secure sites, but provide no security message for insecure sites. As we move forward browsers such as Chrome and Firefox are considering providing security messages for sites which are not protected with HTTPS.
When deploying HTTPS-only, you should also consider using HTTP Strict Transport Security (HSTS). By including a header from your server, you can instruct a browser that your site should only be viewed over HTTPS. In all future visits to your site, modern browsers will expect HTTPS. If the site is provided without HTTPS, then a security warning will be presented which should indicate that this is not your site. Your site can be added to an HSTS preload list, which will mitigate the first-use attack on your site. Please note the Federal policy is to support HSTS by December 31, 2016.
HTTPS-only is a sound policy for the US Federal government. You should also consider protecting your users and their data by implementing HTTPS-only.