The US government should be at the forefront of cybersecurity
The Department of Homeland Security set a February deadline for all civilian federal government websites to migrate to HTTPS. Now, over eight months past that deadline, 24% of those sites are still being served via HTTP according to NextGov.
Granted, that’s still progress – only 54% of those civilian federal websites had encrypted by the February deadline. Before the DHS’ October 2017 mandate (the one with the February deadline) only 35% of government websites were compliant with the HTTPS order.
Defense department agencies, which aren’t under the direction of the DHS, have also stated their intentions to become HTTPS compliant by year’s end, according to a July letter sent to Oregon Senator – and one of the few cybersecurity-literate people in the US congress – Ron Wyden.
While it’s good to see progress is being made, this is also indicative of a larger issue facing the US government—a lack of good cybersecurity preparation. And while there are conversations to be had about US strategy on state-backed cyber attackers, election security and that time FitBit data outed the location of a US black site – HTTPS migration is low-hanging fruit. This should have been accomplished back in 2015 when the Obama administration first ordered it.
So, what is the DHS’ HTTPS mandate, why is it important and what does it say that this has taken so long?
Let’s hash it out…
Let’s talk about HTTP
2018 has been the year of HTTPS. Back in July Google more or less made HTTPS migration mandatory when it started warning users about insecure HTTP connections. Since then, millions of websites have installed SSL certificates and migrated to HTTPS likely more to avoid the browser warnings than anything. So let’s talk about why HTTPS and encryption are so important.
As you are likely aware, the internet was never designed to be secure. For the vast majority of its existence we’ve used HTTP, or the Hypertext Transfer Protocol. Without straying too far into the weeds, think of hypertext as plaintext that can include hyperlinks to other plaintext that the reader can immediately access. You can see how this would be a useful protocol for websites. HTTP was created around 1989, and at that point it was perfect because the internet’s purpose was a lot different.
Back then, commercial activity was illegal on the internet, it was designed so that military institutions and academia, primarily colleges and universities, could exchange information. While the military was concerned with securing data, the primary function of the internet was the free exchange of information among academia. It was open by design.
Obviously, that’s no longer the case. The internet was commercialized. More and people began to access it. Nowadays, the majority of the planet carries with it a device that can access the internet anytime, from anywhere. Because the entire scope of the internet changed, the protocol that had acted as its backbone for so long needed to be updated.
Having servers and clients communicate in the open, where the connections are not private, was fine in the context of academia and information sharing. It’s not ideal when you’re dealing with financial transactions, healthcare issues or many of the government and civilian services that are available on the web though.
You may have no problem freely sharing an old term paper or that crappy poetry you wrote during that one workshop back in college with the entire internet, but you’d probably be a little less motivated to share your payment card information or medical history.
Now let’s talk about HTTPS
HTTPS is an extension of HTTP designed for secure communication on a network. The protocol is encrypted using TLS or Transport Layer Security. TLS is the successor to Secure Sockets Layer or SSL. Today we are on version 1.3 of TLS and SSL has been entirely deprecated, but we still refer to it colloquially as SSL.
SSL/TLS can refer to two things, it can refer to the encryption protocol itself, or it can refer to the digital certificates that help facilitate it. I’m not going to go in-depth on how SSL/TLS works, but I will cover the key concepts really quickly.
In order to correctly migrate a website to HTTPS, you need an SSL/TLS certificate. Reduced to its simplest form, the SSL/TLS certificate helps to validate that the associated public key belongs to the server listed on the certificate. Once the SSL/TLS certificate is installed, the website can be migrated to HTTPS.
When we say migrate to HTTPS, we mean re-writing all of the URLs so that the protocol at the beginning is https:// instead of http://. Best practice is to use 301 re-directs and then set up HTTP Strict Transport Security (HSTS) to force secure connections.
Now when a client attempts to visit your website, the server will present the SSL certificate, which the client will use to authenticate the server and verify it is the rightful owner of the public key being presented. Once this is accomplished, the client and server will agree on a mutually supported cipher suite, the client will generate a pair of session keys, encrypt one with the server’s public key and send it to the server where it can be decrypted with the associated private key and used for secure communication.
That’s the abridged version. When a website is served via HTTPS, all of the connections it makes with its visitors are secure. Secure meaning encrypted. Any information passed between the client and server is no longer being freely shared with the rest of the internet but is instead being exchanged in ciphertext, unreadable to all but the intended party with the correct key.
You can see how this would be especially critical in the context of a government website, where openly broadcasting data can be problematic.
What is the DHS’s HTTPS Mandate?
The Department of Homeland Security is requesting a little bit more than just HTTPS migration, it wants these websites to observe best practices for SSL/TLS and HTTPS implementation. So in addition to procuring an SSL/TLS certificate and rewriting URLs, the DHS wants:
We’ve actually got dedicated articles on both HSTS and Cipher suites, which I suggest checking out if you want to go a little more in-depth. HTTP Strict Transport Security can be kind of a confusing name considering that people are being taught HTTP is bad, but the name belies the function in this case. HSTS forces a browser to make secure HTTPS connections with a website. When you rewrite your URLs and migrate to HTTPS, you’re essentially creating new pages—a whole new website, even. You’re using 301 redirects to tell search engines and browsers to index the HTTPS version, but the HTTP version still exists and there are certain ways that attackers can exploit that.
HSTS is a header that, once downloaded forces the browser to only make secure connections with the associated site. Traditionally, the header is downloaded on the client’s first visit and remembered by the browser, but that still leaves a tiny attack vector that can be exploited. That’s why best practice is to submit your website to the HSTS preload list after you add the header. The next time an update to the list is pushed out, browsers will know to force an HTTPS connection on your site even if they’ve never visited it. This eliminates the small attack window that occurs upon first arrival.
Now let’s talk about cipher suites really quickly. A cipher suite is a collection algorithms and ciphers that are used in conjunction to facilitate SSL/TLS. TLS 1.3 has refined the cipher suites used, but traditionally a cipher suite has included an algorithm or cipher for key generation, signature hashing, symmetric encryption and asymmetric encryption.
Unfortunately, over time some algorithms are found to be vulnerable to certain attacks, keys lose their hardness as computer technology continues to advance – sometimes support for older cipher suites needs to be deprecated.
For instance, a few years ago the SHA-1 hashing algorithm was found vulnerable and the industry mandated a move to SHA-2.
RELATED: Google creates SHA-1 collision
Continuing to support vulnerable or outmoded cipher suites opens a website up to potential risks and exploits, so the DHS wants to ensure that not only are these websites available via HTTPS, but that they’re actively forcing secure connections and only with adequately robust cipher suites.
“Throughout the year, the DHS team has been accelerating progress, conducting hundreds of agency exchange meetings and establishing a collaborative, public-facing website to support this cross-government effort and further advance federal website and data integrity,” Homeland Security Spokesman Scott McConnell said in an email.
Agencies are required to check in with the DHS every 30 days to provide updates on their progress towards HTTPS compliance.
This isn’t the only mandate, either. As we covered earlier this week, 1/3 of federal email servers missed the deadline for adding DMARC on Tuesday.
What does this say about the US Government’s Cybersecurity Priorities?
Nothing good. Clearly, with a few exceptions such as Senator Wyden, most of the government either doesn’t understand the stakes or isn’t interested in doing anything. Neither of those options are encouraging.
A big part of the problem is a lack of knowledge and understanding when it comes to these topics. A lot of the members of congress, as well as in the US judiciary and the executive branch are not tech savvy. And that’s understandable on some level, they didn’t come up with this technology. They are not digital natives. You can get a sense of just how little a lot of these officials know when they parade the tech industry into hearings and ask questions like, how does Facebook make money? The president famously doesn’t trust email. And not just in the US, but across the world, it seems like nobody working in a government capacity understands encryption.
But then there’s also a bit of willful ignorance from part of the government apparatus. It’s no secret that the last US election was tampered with. To what extent is still being debated. Some people think that foreign actors got as far as changing votes, others believe the involvement was negligible. But what that’s evolved into is a microcosm of the tribalism that currently defines American politics. For a portion of the electorate, delving too deeply into the interference that occurred during the past election potentially means undermining the legitimacy of the current president’s election win. And actively working to prevent future interference acts almost as a de facto admission that something serious occurred in 2016.
So politically, it’s more advantageous for some to stick their head in the sand and pretend they haven’t seen anything. If Congress and the executive branch wanted to apply pressure and push for this change, and myriad other improvements to our national cybersecurity preparedness—they could.
They just don’t seem all that interested.
And that’s how you end up with a situation where the rest of the internet is ahead of the US government in terms of HTTPS adoption.
That’s not exactly leading from the front.
As always, leave any comments or questions below…