While more and more federal websites migrate to HTTPS, state and county websites are lagging behind
We’ve watched closely as the US federal government has migrated its websites to HTTPS in accordance with a 2015 executive order. And while progress has been slower than desired, the majority of federal sites have now added SSL/TLS and are encrypting connections with their users.
However, at the state and county level, things are a bit different.
And that’s dangerous, as an event like today’s national elections can illustrate. So, in the spirit of election day, let’s talk about the US government’s use of HTTPS and why we are starting a petition to have the General Services Administration (GSA), which administers the .gov TLD, to add it to the HSTS to preload list, which will effectively mandate the use of SSL/TLS and HTTPS.
Let’s hash it out…
Let’s start with why the government needs to be using HTTPS
And it goes back to the start of the internet. As you are no doubt aware, the internet was not designed for commercial activity, it was designed for freely sharing information between academia and the government. So the hypertext transfer protocol (HTTP) was a fine choice, given that there wasn’t a ton of sensitive information exchanging hands.
That is no longer the case, commercial activity is now legal on the internet and billions of people now use it every day for a range of functions like banking, government registration and managing insurance & healthcare. This is where SSL/TLS came into play as a mechanism for encrypting HTTP connections. HTTPS is actually just an abbreviation for HTTP over TLS. Without encryption, HTTP connections transmit data in plaintext that is easily readable by third parties. With encryption that data is essentially scrambled and readable only be the intended party.
Now, tying this all together: there are few categories of websites that need to be making secure connections more than government domains. HTTPS should be the default. And in 2015, the Obama administration issued an executive order compelling all federal sites to add SSL/TLS and start making secure connections. So far progress has been slower than what is probably acceptable, with nearly a quarter of federal websites still not compliant.
One of the other things that order suggested is using an HSTS header. We don’t think that went far enough…
We need to add .gov to the HSTS preload list
The US is unique in that it has its own Government top-level domain. This is owing to the fact the US – Al Gore, specifically – invented the internet. Unfortunately, the executive order compelling .gov websites to migrate to HTTPS was only at the federal level, leaving state and county websites at the behest of whoever oversees their administration. This means that there are still plenty of .gov websites that are not secure.
Similarly, the lack of SSL protection on established county websites would make it possible for voters to be presented with false information when they are browsing to legitimate websites. This data tampering is possible through a wide range of cyber-attack techniques that SSL was designed to protect against… Taken together, the combination of the lack of .gov domain validation and SSL protection on county websites, provides bad actors a wide range of options to present false information to voters.
We think there is a quick way to force .gov websites to migrate to HTTPS: the General Services Administration needs to add the .gov TLD to the HSTS Preload List.
What is HSTS and what would adding .gov to the preload list do?
Let’s start with HSTS or HTTP Strict Transport Security. It’s a security header that tells a user’s web browser to only form secure connections with this website. This ensures that if someone does connect with the site, that connection will always be encrypted.
The HSTS Preload List takes it a step further. There is still a tiny attack vector with HSTS, the first time an internet user arrives at the website their browser has to download the header, which leaves a small opening to execute an attack.
After the header is downloaded, the browser knows only to connect via HTTPS for the duration of the header’s validity period, but that first visit still offers a small window of vulnerability.
The HSTS Preload List shuts this window. Updates to the list are pushed out with each new browser version, and each browser knows to only connect with the sites on the list via HTTPS—even if it’s never visited that site before.
There’s also another effect of adding a domain, specifically a TLD (.gov) to the list. It effectively makes HTTPS mandatory for any website under that TLD. A browser literally will not be able to connect with the website unless it has an SSL/TLS certificate installed and is configured for HTTPS. Google added 45 TLDs to the HSTS preload list last year.
Now, this is going to break some of these websites. But it’s also going to force action a lot more quickly than executive orders and gubernatorial mandates could ever hope to. The HSTS Preload list (or some form of it) is used by:
- Google Chrome
- Mozilla Firefox
- Apple Safari
- Microsoft Edge
- Microsoft Internet Explorer
According to analytics.usa.gov, that would account for at least 95% of the connections being made to these websites.
Now, granted, Election Day, or even Election Season would be a bad time to do this. But getting .gov added to the HSTS Preload List would take a bit of time anyway.
But the fact that this would break a lot of websites and force them to scramble and migrate to HTTPS is also kind of the point. The kind of business that takes place on these websites is too important not to safeguard. And this is low hanging fruit.
Sign our Petition to compel the General Services Administration to add the .gov TLD to the HSTS Preload List
We’ve started a petition at WeThePeople on WhiteHouse.gov. For one, it felt appropriate given the TLD. But, given that the GSA is an independent agency of the US government whose head administrator is appointed by the President, this also felt like the most appropriate channel.
We don’t really get partisan here and generally try to avoid politics as much as possible as a general rule. But this is an initiative that should be palatable to people on both sides of the aisle. It’s a basic security measure and adding .gov to the HSTS preload list at the TLD level would both improve security across all government websites and motivate any sites still being served via HTTP (which includes about 25% of federal sites) to finally get a jump on encrypting.
As always, leave any comments or questions below…