OMB proposes new approach to guarantee federal website authenticity

The Office of Management and Budget wants to know what it would take to make every federal public website more secure and to assure citizens and businesses that the sites they reach are genuine.

In a draft proposal released today, the White House seeks input from public and private sector experts on how best to implement the secure HTTP standard, HTTPS.

“HTTPS verifies the identity of a website or Web service for a connecting client, and encrypts nearly all information sent between the website or service and the user. Protected information includes cookies, user agent details, URL paths, form submissions, and query string parameters. HTTPS is designed to prevent this information from being read or changed while in transit,” OMB wrote in its request for comments. “HTTPS only guarantees the integrity of the connection between two systems, not the systems themselves. It is not designed to protect a Web server from being hacked or compromised, or to prevent the Web service from exposing user information during its normal operation.”

The White House moved its website to HTTPS earlier this month, as did the Federal Trade Commission on March 6.

“While we have long provided secure transport for FTC domains that handle sensitive consumer data, such as complaint data and email subscriptions, consumers will now browse our entire site more privately, and their browsers will automatically verify the identity of the website to which they’re connecting — an important step to mitigate attempts to impersonate the FTC,” wrote Ashkan Soltani, FTC’s chief technologist in a blog post. “Transit encryption is an important safeguard against eavesdroppers and has been the subject of previous investigations where we alleged companies failed to live up to their security promises when collecting personal information. It’s an important step when websites or apps collect personal information, and is a great best practice even if they don’t.”

But a government-wide draft proposal from OMB is a much bigger deal than each agency making its own decision. The White House says several agencies already have moved to HTTPS, and it wants to increase adoption.

That’s why OMB is asking for public input.

The draft proposal would require agencies to deploy HTTPS on federal domains according to specific criteria:

  • Newly developed websites and services at all federal agency domains or subdomains must adhere to this policy upon launch.
  • For existing websites and services, agencies should prioritize deployment using a risk-based analysis. Web services that involve an exchange of personally identifiable information (PII), where the content is unambiguously sensitive in nature, or where the content receives a high level of traffic should receive priority.
  • Agencies must make all existing websites and services accessible only through a secure connection (HTTPS-only), with HTTP Strict Transport Security (HSTS), within two years.
  • The use of HTTPS is encouraged on Intranets, but not explicitly required. OMB defines an Intranet as a network not accessible through the public Internet.
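As an added illustration (not code from the OMB draft or from the article), the following checker evaluates a recorded request-and-redirect chain against the draft's "HTTPS-only with HSTS" criterion: plain-HTTP requests must redirect to HTTPS, and the final HTTPS response must carry a usable Strict-Transport-Security header. The hostnames and responses below are constructed sample data.

```python
# Added example: evaluate recorded responses against the "HTTPS-only with HSTS"
# criterion. Hostnames (agency.example, legacy.example) and responses are constructed.

def parse_hsts(value):
    """Split a Strict-Transport-Security header value into a directive dict.
    Valueless directives (includeSubDomains, preload) map to True."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or True
    return directives

def check_chain(chain):
    """chain: ordered list of {url, status, headers} for one request and its redirects.
    Returns a list of findings; an empty list means the host meets the criterion."""
    findings = []
    for i, hop in enumerate(chain):
        url, status = hop["url"], hop["status"]
        headers = {k.lower(): v for k, v in hop["headers"].items()}
        if url.startswith("http://"):
            # A plain-HTTP response may only redirect to HTTPS.
            location = headers.get("location", "")
            if status not in (301, 302, 307, 308) or not location.startswith("https://"):
                findings.append(f"{url}: served over plain HTTP without redirecting to HTTPS")
            # Browsers ignore HSTS received over HTTP, so sending it there gives no protection.
            if "strict-transport-security" in headers:
                findings.append(f"{url}: HSTS header sent over HTTP has no effect")
        elif i == len(chain) - 1:
            hsts = headers.get("strict-transport-security")
            if hsts is None:
                findings.append(f"{url}: final HTTPS response lacks Strict-Transport-Security")
            else:
                max_age = str(parse_hsts(hsts).get("max-age", ""))
                if not max_age.isdigit() or int(max_age) <= 0:
                    findings.append(f"{url}: HSTS max-age missing or zero")
    return findings

# Constructed sample chains: one compliant host, one that still serves content over HTTP.
COMPLIANT = [
    {"url": "http://agency.example/", "status": 301, "headers": {"Location": "https://agency.example/"}},
    {"url": "https://agency.example/", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}},
]
NONCOMPLIANT = [
    {"url": "http://legacy.example/", "status": 200, "headers": {"Strict-Transport-Security": "max-age=0"}},
]
```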

Additionally, OMB wants comments on challenges such as site performance and the Server Name Indication (SNI) extension, which “allows for more efficient use of IP addresses when serving multiple domains. However, these technologies are not supported by some legacy clients. Web service owners should evaluate the feasibility of using this technology to improve performance and efficiency,” OMB wrote.

The administration also seeks insight into the cost factors that come with this move to a more secure standard.

“The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time,” OMB wrote. “The development burden will vary substantially based on the size and technical infrastructure of a site. The proposed compliance timeline provides sufficient flexibility for project planning and resource alignment.”

The administration added that the benefits to the public outweigh the costs, since even one unofficial or malicious website claiming to belong to the federal government could severely damage the government’s reputation and citizens’ trust.

This isn’t the first time the White House has tried to improve the security of agency websites. In 2008, OMB required agencies to implement Domain Name System Security Extensions (DNSSEC). In its latest cyber report to Congress, OMB stated that 92 percent of all dot-gov domains met DNSSEC standards.

OMB says the move to HTTPS would add another layer of protection to sites that already use DNSSEC.
