The White House Office of Management and Budget (OMB) issued the HTTPS-Only Standard directive (PDF). It requires all publicly accessible federal websites and web services to use secure HTTPS encryption by Dec. 31, 2016.
You may have noticed websites that have “HTTPS” in their URL. The “S” added to the usual “HTTP” signifies that data is encrypted in transit between the browser and the server.
Companies like Google, Facebook, Twitter and Yahoo! have already adopted HTTPS-only policies to protect visitors to their websites and services.
HTTPS layers the Hypertext Transfer Protocol (HTTP) on top of Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL) protocol, for secure communication over the Internet. It protects the confidentiality and integrity of the communications between two systems and lets the client verify the identity of the server it is talking to.
Unencrypted HTTP connections expose potentially sensitive information to anyone positioned on the network path, including browser identity, the pages viewed, search terms, cookies, and other user-submitted information, and they let such an observer tamper with the content in transit.
However, U.S. CIO Tony Scott points out in a blog post that HTTPS “is not designed to protect a web server from being hacked or compromised, or to prevent the web service from exposing user information during its normal operation.”
The HTTPS-Only standard will “eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide.” OMB expects the directive to speed the adoption of HTTPS and to promote better privacy standards for the public.
OMB set up a dashboard website to show their progress on implementing the directive (https://pulse.cio.gov/https/domains/).
As of May 29, when this post was written, only 31 percent of the 1,192 federal websites tracked by the dashboard were using HTTPS.
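The dashboard above measures whether a site actually enforces HTTPS, not merely whether an https:// URL happens to work. The following is an added example, not code from OMB, the dashboard or this post, of the two checks a practitioner would run against a domain: does a plain-HTTP request get redirected to https://, and does the HTTPS response send an HTTP Strict-Transport-Security (HSTS) header so browsers stop making plaintext requests afterwards. It works on raw HTTP response bytes so it runs offline; the responses, the host name www.example.gov and the one-year minimum HSTS max-age are all constructed assumptions for the example.

```python
"""Offline check of whether a site's HTTP responses enforce HTTPS.

Added example: not code from the OMB directive or the pulse.cio.gov
dashboard. The responses below are constructed samples, not captures
from any federal site, and the one-year HSTS threshold is an assumption.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def parse_raw_response(raw: bytes) -> Response:
    """Parse the head (status line + headers) of a raw HTTP/1.1 response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])  # "HTTP/1.1 301 Moved Permanently"
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
    return Response(status, headers)


def redirects_to_https(resp: Response) -> bool:
    """True if a plain-HTTP response is an HTTP redirect to an https:// URL.

    A 200 that serves content in the clear (even with a meta refresh) fails;
    so does a redirect to another http:// URL.
    """
    if resp.status not in (301, 302, 303, 307, 308):
        return False
    loc = resp.header("Location")
    if not loc:
        return False
    u = urlsplit(loc)
    return u.scheme == "https" and bool(u.hostname)


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict.

    Directive names are lower-cased; valueless directives map to True.
    """
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip().strip('"')
        else:
            out[part.lower()] = True
    return out


MIN_HSTS_MAX_AGE = 31536000  # one year in seconds; assumed threshold for this example


def hsts_ok(resp: Response) -> bool:
    """True if the HTTPS response carries HSTS with max-age of at least a year.

    'max-age=0' is how a site *removes* HSTS, so it must not count as enforced.
    """
    value = resp.header("Strict-Transport-Security")
    if value is None:
        return False
    try:
        return int(parse_hsts(value).get("max-age", "0")) >= MIN_HSTS_MAX_AGE
    except ValueError:
        return False


def assess(http_resp: Response, https_resp: Response) -> dict:
    """Combine both checks into the verdict a dashboard would show per domain."""
    return {
        "redirects_to_https": redirects_to_https(http_resp),
        "hsts": hsts_ok(https_resp),
    }


# Constructed sample responses (not real captures); host name is a placeholder.
GOOD_HTTP = (b"HTTP/1.1 301 Moved Permanently\r\n"
             b"Location: https://www.example.gov/\r\nContent-Length: 0\r\n\r\n")
GOOD_HTTPS = (b"HTTP/1.1 200 OK\r\n"
              b"Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
              b"Content-Type: text/html\r\n\r\n<html>")
BAD_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"  # served in the clear
WEAK_HTTPS = b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n"

if __name__ == "__main__":
    print("compliant site:", assess(parse_raw_response(GOOD_HTTP), parse_raw_response(GOOD_HTTPS)))
    print("plaintext site:", assess(parse_raw_response(BAD_HTTP), parse_raw_response(WEAK_HTTPS)))
```

To use this against a live host, fetch `http://HOST/` without following redirects and `https://HOST/` with certificate validation on, and feed the raw response heads to `parse_raw_response`; a site that passes only the first check still leaves every first visit exposed until the redirect is followed, which is why the HSTS check is the stronger signal.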
- HTTPS-Only Standard directive (PDF)
- The HTTPS-Only Standard FAQ
- The proposed HTTPS-Only Standard for federal domains (GitHub)
- Secure HTTP (HTTPS) dashboard