US to Encrypt All Government Websites

By John Lister

All US government websites accessible by the public must use secure connections by the end of next year. The new rules should protect the public, particularly "whistleblowers."

New rules laid down this week mandate the change for all public sites that are wholly or partly maintained by the federal government. This applies even if the site is operated by a contractor. The rules apply whether or not the site requires a user to log in. (Source: cio.gov)

Under the rules, sites must use the most secure protection that is widely available. The initial implementation of the rule designates that as being the HTTPS system. Many sites that deal in confidential or sensitive data, such as online banks, already use HTTPS. It's also widely used by social networks. While some federal government websites already use it, it's by no means widespread on such sites.

HTTPS Brings Double Protection

An HTTPS connection can be identified in a couple of ways. Firstly, the page address (URL) will begin https:// rather than the more common http://. Secondly, most popular web browsers will have an icon, usually a padlock, that appears only when a secure page is displayed.

HTTPS incorporates two main security measures. The first is to check a security certificate held by the website operator, which confirms that the site really does come from the advertised source. This helps crack down on "man in the middle" attacks in which a criminal is able to intercept communication between a user and a website by effectively rerouting the data while posing as the website operator.

Encryption Could Boost Whistle-Blowing

The second measure is to encrypt the data as it passes back and forth. This covers both the content of the website and any information the user supplies. It's particularly important on dynamic websites where the content of the page is created automatically in response to information the user supplies, such as through a form. Encrypting the data means that even if a third party accesses it, they will find it difficult, if not impossible, to make any sense of it.

The government believes encryption is important for sites that handle personal data, such as those used by people applying for government payments or documents. It also believes the website encryption will protect the confidentiality of anyone who reports government agency wrong-doing. (Source: pcmag.com)

What's Your Opinion?

Do you agree with the government making https mandatory on its websites? Does the measure go too far and cover pages where encryption isn't necessary? Or should the government go further and mandate https for privately run websites if they deal with sensitive data?

Comments

infopackets.com_4228

"The government believes encryption isn't important for sites that handle personal data"
Is that a typo? Should it say that they believe it IS important?

gdnealand_4736

I caught that too!

Dennis Faas

Thanks - it's been noted and corrected.