US CIO Orders All .Gov Websites To Require Encrypted Connections, Amazon Enters The Secure Cert Space
from the moving-forward dept
As top FBI officials are arguing that the tech industry needs to "prevent encryption," the federal government's CIO, Tony Scott, has officially announced that all federal government websites will only be available via encrypted HTTPS connections by the end of next year. As we noted, this was proposed back in March, but after an open comment period (via Github!), the policy is now official. The official memo talks about the importance of encryption:
The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data. The majority of Federal websites use HTTP as the primary protocol to communicate over the public internet. Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services. Data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information.
And the memo doesn't mince words about websites that choose not to go to HTTPS-only:
To address these concerns, many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of Federal websites and services deserve the same protection. Private and secure connections are becoming the Internet's baseline, as expressed by the policies of the Internet's standards bodies, popular web browsers, and the Internet community of practice. The Federal government must adapt to this changing landscape, and benefits by beginning the conversion now. Proactive investment at the Federal level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public.
Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and may reduce their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the Federal Government as a leader in Internet security.
It's good to see the federal government embracing this. The plan is to have all federal government websites fully HTTPS by the end of 2016.
Separately, another big step in the world of HTTPS happened quietly on Monday: Amazon started offering secure certificates as well, and it appears that they're looking to make getting one much easier and more convenient. Oh, and it is not just for customers registering their domains through Amazon either.
It's good to see the internet world moving more and more to a place where all connections will be encrypted.
Reader Comments
Refreshing honesty
Sure they may claim it's for security reasons, but given the government constantly brushes aside any similar claims when used by the public, clearly 'security' is not a valid justification, and it can only be criminal intent behind their push for widespread encryption.
Re: Refreshing honesty
Or...They've found their way around encryption and are now happy to endorse it.
Re: Re: Refreshing honesty
Seems legit.
Keep in mind...
"this isn't encryption, it's only HTTPS".
"Once we empower Americans to believe our sites are secured with https, we'll quietly enable the golden keys so that we can easily see their traffic."
There's no way in hell the US Government provides encryption to Americans without a way to break it.
Re: Re:
The US Government is big, and if they're going to successfully implement this mandate, they're going to need their own public root certificate authority to cost effectively sign all those new SSL Keys, and for the sake of simplicity, that root CA cert will need to be installed everywhere by default. Otherwise Grandpa is going to get a browser cert error when he goes to www.irs.gov, and we can't have that.
Of course, once a root is installed, it can be used to sign certs for any web site.
Talk about a bunch of hypocrites.
I'm not so sure...
More Encryptio
Not sure if everything needs encrypting, some expert will tell me shortly.
Once this is accomplished, maybe we could convince all the payment services or other holders of personal information to do the same.
Re: More Encryptio
It depends on the amount of security you want. Before anyone answers "all of it", it must be acknowledged that increased security doesn't come for free. It is paid for in terms of reduced convenience. So, "all of it" is not necessarily the right answer. It all depends.
That said, it's much better to encrypt more than is needed than to encrypt less.
Re: Re: More Encryptio
Of course that also means that the cost of the encryption/decryption process plus good PR from being proactive must be less than the quarterly profits sent to Wall Street, unless the corporation (AKA person) actually has a conscience.
Either way, us poor suckers that have our data in non-encrypted form on some company's (or government's) servers are potentially screwed until some legislative body (congress) pushes the right buttons.
encryption
the two things all of the talking heads call people who use encryption
Heh
And the feds will screw this up
Amazon
They seem to be making some progress but as can be seen here they have yet to get the right certificates installed... https://ecx.images-amazon.com/images/I/917G5gsQjgL._SL1500_.jpg
Other secure sites would also like to link to them but cannot link to an insecure site.