The U.S. government is taking a major step to secure its online assets with a new directive from the White House Office of Management and Budget (OMB) to run HTTPS-Only across all federal Websites. The HTTPS-Only directive, which Federal CIO Tony Scott issued June 8, mandates that all publicly accessible federal Websites only be accessible over a secure HTTPS connection by Dec. 31, 2016.
HTTPS is the secured form of HTTP that layers Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption on top of data transport and it is mostly commonly visible to end-users as the browser padlock. The Web as we know it today runs largely over plain HTTP, with all data sent in the clear that is unencrypted and open to anyone to intercept and read.
In the directive, the White House notes that a significant number of federal Websites already have deployed HTTPS, and the goal is to expand that adoption. That said, there is a cost to implementing HTTPS.
"The administrative and financial burden of universal HTTPS adoption on all federal Websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time," the directive states. "OMB affirms that tangible benefits to the American public outweigh the cost to the taxpayer."
HTTPS isn't just about encrypting data for its own sake but is also about authenticity. With an HTTPS-secured Website, there is an associated SSL/TLS certificate that validates and affirms the identity and authenticity of a given site. Simply put, when you visit an HTTPS site with a validated certificate, users have a higher degree of assurance that the site they intended to visit is the site they are on.
I personally have long been an advocate of Always-On SSL/HTTPS-Only approaches. In fact, I recently did an eSeminar sponsored by Geotrust on whether or not Always-On SSL makes sense for enterprises. My conclusion is that an Always-On SSL/HTTPS-Only approach is the right thing to do—for many reasons that the U.S. government is now embracing as well.
The Web by default is not secure. Basic HTTP Web transport provides no promise or expectation of privacy or authenticity. The promise of HTTPS is an encrypted Web with some form of validated identity for Website authenticity. It's an idea that Google, Facebook and Twitter have all embraced, as well, as all those sites are already HTTPS-Only.
For Google, the embrace of HTTPS-Only also extends to its search index—which, as of August 2014—uses HTTPS as a ranking signal. That is, Google may rank a site that is available over HTTPS higher in the search index than a site that is not HTTPS-Only.
In the case of the government mandate, having HTTPS-Only for its sites will create a level of consistency across its sites. Users will come to expect and understand that if they hit a site that claims to be a government site but doesn't have HTTPS (and the associated browser padlock that it brings), the site's authenticity is questionable.
"It is critical that federal Websites maintain the highest privacy standards for the users of its online services," Scott wrote in a White House blog post. "With this new action, we are driving faster Internet-wide adoption of HTTPS and promoting better privacy standards for the entire browsing public."
I couldn't agree more.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.