The White House Office of Management and Budget has published a new standard recommending full HTTPS on all federal web sites and web services. They are accepting public comments until April 14; if you care about privacy and security, you should weigh in.
This post is our public comment: we whole-heartedly support the federal government's adoption of this essential cybersecurity standard. We also urge all state, local, and national governments worldwide to follow suit, as soon as possible.
HTTPS, the secure version of HTTP, protects web browsing activity by encrypting and authenticating everything sent between an individual and a web server. It is rapidly replacing insecure HTTP on the Internet and security experts are making plans to provide warnings when accessing HTTP pages.
Without HTTPS, a person's browsing activity can be monitored by anyone who controls their network or simply uses the same WiFi network (using a technique called ARP poisoning). For many people, the list of possible snoops could include their employer, school, ISP, national spy agencies, parents, spouse, and/or fellow library patrons. HTTPS is not a silver bullet for all security and privacy problems,[1] but no site can be secure or private without it.
Unfortunately, federal web sites have lagged far behind industry in implementing HTTPS. The most popular commercial web sites, like Google, Facebook, and Twitter, have used HTTPS-only for years. But many federal web sites don't implement HTTPS at all, making it impossible to access them securely. Other sites implement HTTPS, but don't make it the default. And some offer HTTPS but with out-of-date, insecure software and configurations.
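To make the three shortfalls above concrete, here is an added example (not from the original post, and not the standard's own compliance test) that sorts a site's observed behaviour into tiers: no HTTPS, HTTPS with an out-of-date protocol, HTTPS available but not the default, and HTTPS-only. The observation fields, the tier names, the list of protocols treated as outdated and the sample hosts are all assumptions constructed for illustration.

```python
"""Tier a site's HTTPS deployment. Added example; tier criteria are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Protocol versions this example treats as out of date (assumption; the
# post names no versions). Adjust to current guidance before real use.
OUTDATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

@dataclass
class Observation:
    https_reachable: bool                # did a TLS handshake plus GET succeed?
    tls_version: Optional[str] = None    # negotiated protocol, e.g. "TLSv1.2"
    http_status: Optional[int] = None    # status of the plain-HTTP request
    http_location: Optional[str] = None  # Location header on that response
    hsts: Optional[str] = None           # Strict-Transport-Security over HTTPS

def hsts_max_age(value: Optional[str]) -> int:
    """Parse max-age out of an HSTS header; 0 if absent or malformed."""
    for part in (value or "").split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0

def assess(obs: Observation) -> str:
    """Return 'no-https', 'https-outdated', 'https-optional' or 'https-only'."""
    if not obs.https_reachable:
        return "no-https"                # cannot be accessed securely at all
    if obs.tls_version in OUTDATED_TLS:
        return "https-outdated"          # HTTPS offered, but insecure config
    redirects = (obs.http_status in (301, 302, 307, 308)
                 and (obs.http_location or "").lower().startswith("https://"))
    # HTTPS is the default only if plain HTTP redirects to it AND the site
    # tells browsers to stay on HTTPS (HSTS with a positive max-age).
    if redirects and hsts_max_age(obs.hsts) > 0:
        return "https-only"
    return "https-optional"

# Constructed observations standing in for probe results (not real sites).
SAMPLES = {
    "agency-a.example": Observation(https_reachable=False),
    "agency-b.example": Observation(True, "TLSv1.2", 200, None, None),
    "agency-c.example": Observation(True, "TLSv1", 301, "https://agency-c.example/"),
    "agency-d.example": Observation(True, "TLSv1.2", 301, "https://agency-d.example/",
                                    "max-age=31536000; includeSubDomains"),
}

def report() -> dict:
    return {host: assess(obs) for host, obs in SAMPLES.items()}

if __name__ == "__main__":
    for host, tier in report().items():
        print(f"{host:20} {tier}")
```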
Government web sites receive a wide array of confidential information. That information absolutely needs to be protected from eavesdropping. But HTTPS doesn't just protect uploaded information like social security numbers. It also protects the confidentiality of what people read. A few examples of how failure to deploy HTTPS puts citizens at risk:
- A worker downloading information about her right to organize could be spied on by her employer and subjected to reprisals.
- A Veterans Affairs employee seeking to report fraud anonymously could be illegally spied on by another arm of the government and unmasked for retaliation.
- A US citizen abroad, seeking gender reassignment information from the State Department, could be outed by local network snoops and imprisoned or killed.
- An African-American denied the right to vote who seeks to make a complaint to the Justice Department could be spied on and intimidated by local officials.
This is just a sample of the many protected groups who need and deserve real confidential access to government services.
Fortunately, deployment of HTTPS is easier and cheaper than it has ever been. We call on the federal government to implement the HTTPS-Only Standard as quickly as possible. State, local, and national governments worldwide should do the same.
If you agree, please share your views with the government by submitting a public comment to the Office of Management and Budget, either by email or through GitHub. We also encourage you to contact your state governor and CIO requesting implementation of the HTTPS-Only Standard.
[1] For instance, HTTPS can't guarantee that sites don't have security bugs like CSRF or XSS vulnerabilities; without additional protections like Tor, a Web user's anonymity can still be at risk because the IP address of their computer and the servers they communicate with are still exposed to network observers; without tools like Privacy Badger, users may be vulnerable to various forms of third-party tracking. Even less obviously, in some cases the content a user is downloading or the features of a site they are using can be inferred by an observer performing traffic analysis on the size of packets they are sending and receiving.