More and more, big tech companies like Google and Yahoo are adopting default HTTPS encryption for their sites and services to protect users. Adding the S to the usual HTTP signifies that data is encrypted between sender and receiver, so no one else (like hackers or Internet service providers) can peek in on the data. And the White House wants to bring government websites on board, too.
On Monday, the Office of Management and Budget published the aptly named HTTPS-Only Standard directive. It mandates that all federal websites that are readily accessible to the public must use HTTPS encryption. First proposed in March, the directive states that all federal websites must comply by Dec. 31, 2016. Not exactly a tight deadline, but probably realistic given the reality of government IT.
“Unencrypted HTTP connections create a vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services. This data can include browser identity, website content, search terms, and other user-submitted information,” Tony Scott, the U.S. chief information officer, wrote in a blog post.
According to a site set up to monitor the transition, only 31 percent of federal websites use HTTPS as of May 29, and even fewer make it mandatory. It’s going to be a long road to 2017, but at least some agencies have already made it a priority. For example, the Federal Trade Commission switched to HTTPS by default in March. “Transit encryption is an important safeguard against eavesdroppers and has been the subject of previous investigations where we alleged companies failed to live up to their security promises when collecting personal information,” FTC Chief Technologist Ashkan Soltani wrote at the time.
Implementing HTTPS won’t help with the other types of data breaches government agencies have been dealing with lately, but it will bring government websites up to speed with a best practice that can really make a difference for site visitors.