The White House is planning to mandate that all agency websites use HTTPS encryption to protect citizens from online eavesdroppers. While the "HTTPS-Only Standard" makeover likely won’t happen overnight, privacy proponents cheered the effort.
Today, hundreds of the federal government's roughly 1,200 websites, including IRS.gov, still use the insecure protocol, HTTP. It was only last week WhiteHouse.gov, yielding to criticism, switched to HTTPS or Hypertext Transfer Protocol.
It is unclear when the proposed policy will be finalized. The deadline for feedback on the proposal is March 31, according to a new HTTPS-secure website promoting the initiative.
Agencies would have two years to comply, once a final policy is issued. Layering the technology over existing communications lines typically carries some costs.
Many e-commerce sites have long embraced HTTPS by default. And increasingly, law firms are moving to insulate their clients from snooping. That is partly the work of Christopher Soghoian, an American Civil Liberties Union principal technologist, who for many, many months has been enticing attorneys (and media outlets) with free bottles of whiskey, in jest, to turn on HTTPS. [Full disclosure: Nextgov.com does not use HTTPS.]
"I won't be buying whiskey for all federal agencies," he said Tuesday in an interview. "There are ethical reasons behind it. And my NGO salary doesn't stretch that far. We think this is a really, really good move in terms of protecting the privacy of Americans."
That said, the policy would be exclusive to the executive branch. The courts and Congress have no set rule on website encryption. And in a world where there is no such thing as nonsensitive data, the absence of HTTPS could infringe on citizens’ privacy and compromise trust in government websites.
"If you're a constituent and you are looking up your member's position on a sensitive issue like gun control or abortion or religion in schools, anyone watching the network -- which could mean your employer, your university, your Internet provider -- they could learn what political issues you are interested in,” Soghoian said. "And that is obviously extremely sensitive information that no one else has any business knowing."
Communications interceptions can violate more than just privacy. They can betray trust in online documents, videos and other content.
"You should be confident when you read a judicial opinion on the Web that you are getting the real one," Soghoian said.
CIA.gov -- a Bastion of Online Trust Since 2006
Already, some key government sites, including HealthCare.gov and the Federal Trade Commission's FTC.gov, use the secure connection. The General Services Administration's digital invention shop, 18F, recently pledged to install HTTPS on all sites it creates for agencies. CIA.gov has used HTTPS since 2006.
"There are these pockets of excellence within the federal government, but up until now the norm has been insecurity and it's really nice to see things moving in the right direction," Soghoian said.
Agencies might have to invest considerable time and money to obtain the protections.
Many major organizations, including the IRS and Apple, use “content distribution networks” to serve up their pages to users faster. Some of these networks charge agencies several thousand dollars per month to institute HTTPS, Soghoian said. Amazon's CloudFront and CloudFlare offer the technology free, but Akamai, a big federal vendor, does not, he said.
On the new site launched Tuesday, federal officials said the "tangible benefits to the American public outweigh the cost to the taxpayer.”
HTTPS hides form submissions, webpage visits, cookies and other data when it is in transit -- whether the data originates from the user or the site.
However, it cannot completely cover one's footsteps online. Interlopers can learn a user is visiting certain website extensions, if not the exact webpages. Other visible metadata can allow intruders to extrapolate what an Internet user is up to, such as the time spent on a site or the size of a requested transfer.
And HTTPS isn’t impervious to fraud. Hackers can forge digital "certificates," which are used to tell Web browsers a connection is secure. By inserting a stolen or phony certificate, an attacker can drop into the middle of the virtual conversation and toy with communications, an experience suffered by Google and Yahoo, among others.
On Tuesday, Ars Technica reported that Microsoft right now is rushing to suppress fallout from a certificate forgery. A fake HTTPS certificate was issued for one of the firm’s Windows Live websites, live.fi or www.live.fi, so attackers might be able to launch man-in-the-middle attacks, according to Ars.
Unlike other areas of cybersecurity, this is not a case of the federal government leading by example -- yet. The HTTP format "leaves Americans vulnerable to known threats, and reduces their confidence in their government," federal officials said. "The proposed HTTPS-only standard will provide the public with a consistent, private browsing experience and position the federal government as a leader in Internet security."
As of Tuesday afternoon, Soghoian was still taking to Twitter to urge organizations to “encrypt all the things” in the Internet of Things.
"We're getting close to tax time, and it's not good the IRS still does not use HTTPS," Soghoian said. "It's an embarrassment."
IRS officials were not immediately able to comment. White House officials did not respond to requests for comment.