US to enforce HTTPS for new .gov domains

The USA’s General Services Administration (GSA) will work with modern web browser developers to automatically enforce HTTPS encryption on all newly issued executive branch .gov domains.

The GSA will establish a policy in the Northern Hemisphere’s spring (March to May) to submit newly created .gov domains and their subdomains to modern web browser makers for preloading.

Using this preloading process will ensure browsers will strictly enforce HTTPS for the submitted domains, and users will not be able to click through certificate warnings. The preloading process is expected to take around three months.

Since June 2015, all new federal web services have bean required to support and enforce HTTPS connections over the public internet, and all existing services were migrated by the end of last year.

This new policy takes the HTTPS enforcement a step further. The policy has been limited to modern browsers because it will only affect clients that support HTTP Strict Transport Security (HSTS).

Announcing the change, the GSA said non-secure HTTP connections “lack integrity protection, and can be used to attack citizens, foreign nationals, and government staff. HTTPS provides increased confidentiality, authenticity, and integrity that mitigate these attacks.”

Image courtesy of Christiaan Colen under CC

Follow us on Twitter and Facebook