This month, we spoke with Eric Mill, Senior Advisor, GSA Technology Transformation Service, and Marina Fox, the .Gov Domain Services Manager. We spoke to them about their efforts driving HTTPS adoption within federal domains to inform state CIOs about how they could do the same.
Internal NASCIO data suggest that many state government websites (roughly 80 percent) have already adopted HTTPS; the remaining states are encouraged to promote HTTPS adoption by borrowing from the lessons and tools of our federal government partners.
Q: What is your role? What do you do at GSA?
Marina Fox is the .Gov Domain Services Manager, responsible for leading the .Gov domain registration and renewal team at OGP/GSA, as well as products such as Pulse (pulse.cio.gov).
Eric Mill is a Senior Advisor with GSA’s Technology Transformation Service (which includes 18F). One focus area for Eric has been furthering the use of secure connections to the federal government. As part of that work, Eric helped develop the Pulse dashboard, and works closely with GSA and DHS offices to make HTTPS the default for federal web services.
Q: How is GSA encouraging adoption of HTTPS?
GSA helps encourage HTTPS adoption in several ways.
We publish guidance for the HTTPS mandate at https.cio.gov, which provides resources and support for agencies that are meeting this policy by implementing HTTPS and HTTP Strict Transport Security (HSTS).
Additionally, we publish the Pulse (pulse.cio.gov) dashboard, which automatically scans .gov websites for compliance with the HTTPS policy and publicly lists ongoing results. This effort provides visibility into the growth of HTTPS in the federal government.
As part of these efforts, we also publish and contribute to open source tools that support effective HTTPS and HSTS monitoring. For example, GSA is a major contributor to DHS’ open source “pshtt” HTTPS-scanning tool, and publishes its own “domain-scan” tool that can be used in combination with “pshtt” to support large-scale scans of web domains. In addition, Pulse itself is open source and its code has been reused by a number of organizations and individuals around the world to support effective HTTPS monitoring in other countries and sectors.
Q: Why is this important?
It’s difficult to overstate how fundamentally important HTTPS is to communication on the modern web. The “S” in HTTPS stands for “Security” -- without HTTPS, as a user you have basically no guarantees about what happens to you as you’re using the web.
Without HTTPS, your communications can be modified or monitored by anyone or anything “between” you and the website you’re visiting. The attacker could be someone at the coffee shop whose WiFi you’re using (or the coffee shop itself!), or it could be someone who’s hacked some old out-of-date load balancer your traffic is flowing through on its way around the internet.
The internet’s fundamental design means that both you and the website owner really have very little control over where your communication will travel and whose devices will carry it. In order to communicate securely under those circumstances, the traffic has to be encrypted all the way from your devices to the website owner’s devices -- and that’s exactly what HTTPS does. Without HTTPS, hostile networks can inject malware, tracking beacons, or otherwise monitor or change your interactions online.
Q: What is preloading?
Today, web browsers allow websites to be “preloaded” as HTTPS-only. It’s a simple idea, and it means that web browsers will always use HTTPS to connect with those websites.
For example, “cio.gov” has been preloaded into all major web browsers. So, if you type “cio.gov” into your browser and hit Enter, your browser knows to connect to https://cio.gov instead of http://cio.gov, even though you didn’t tell it to specifically. The same thing happens if you go to a subdomain of cio.gov, like pulse.cio.gov. It will also work even if you click a link to “http://cio.gov” - your browser will automatically go to https://cio.gov instead.
By preloading “cio.gov”, the GSA has ensured that browsers will always make HTTPS connections to all of its websites, essentially forever.
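The upgrade behaviour described above, as an added example that is not part of the interview or of GSA's tooling: a small Python model of how a browser consults its preload list before opening a connection. The list is a constructed stand-in (cio.gov is the one entry the interview names; example-agency.gov is an invented entry used to show a preload without includeSubDomains), and the lookup walks from the full hostname toward its parent domain, which is how pulse.cio.gov inherits cio.gov's entry. The last function shows why a preloaded host with no working HTTPS service fails outright instead of falling back to HTTP.

```python
"""Model of browser-side HSTS preload behaviour (added example; constructed data)."""
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser's compiled-in preload list.
# cio.gov is named in the interview; example-agency.gov is an invented entry
# that illustrates a preload WITHOUT includeSubDomains.
PRELOAD_LIST = {
    "cio.gov": {"include_subdomains": True},
    "example-agency.gov": {"include_subdomains": False},
}


def preload_entry(host):
    """Return the preload-list name that governs `host`, or None.

    Walks from the full hostname toward its parents: an exact entry always
    applies, a parent entry applies only if it sets include_subdomains.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = PRELOAD_LIST.get(candidate)
        if entry is None:
            continue
        if i == 0 or entry["include_subdomains"]:
            return candidate
    return None


def upgrade_url(url):
    """Rewrite http:// to https:// when the host is preloaded; other URLs are unchanged.

    Follows the HSTS upgrade rule: port 80 becomes the default 443, while an
    explicit non-80 port is kept as-is.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    if preload_entry(parts.hostname) is None:
        return url
    netloc = parts.hostname
    if parts.port is not None and parts.port != 80:
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def attempt_connection(url, hosts_serving_https):
    """Describe what the browser does after the URL has been through upgrade_url.

    `hosts_serving_https` is a constructed set of hosts with a working TLS
    listener. A preloaded host missing from it is a hard failure: HSTS forbids
    falling back to plain HTTP, which is the situation the interview warns
    agencies about for newly registered domains.
    """
    final = upgrade_url(url)
    parts = urlsplit(final)
    if parts.scheme == "https" and parts.hostname not in hosts_serving_https:
        if preload_entry(parts.hostname) is not None:
            return "connection failed: preloaded host offers no HTTPS, no HTTP fallback"
        return "connection failed: no HTTPS service"
    return f"connected over {parts.scheme} to {parts.hostname}"


if __name__ == "__main__":
    for link in ("http://cio.gov", "http://pulse.cio.gov/domains",
                 "http://www.example-agency.gov/", "http://example.com/"):
        print(f"{link:40} -> {upgrade_url(link)}")
    print(attempt_connection("http://pulse.cio.gov/", set()))
```

Running the module prints each upgrade decision; the final line models a freshly preloaded domain whose agency has not yet stood up HTTPS.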
Q: What happens in May?
To date, there are currently over 150 preloaded .gov domains, including hhs.gov, cloud.gov, usajobs.gov, and others. Each of these domains has been preloaded directly by the agency that registered each domain.
Starting on May 17, 2017, as the owner of the .gov domain itself, GSA will begin automatically submitting newly registered .gov domains to be preloaded, when those .gov domains are registered by the federal government’s executive branch.
This will cause modern web browsers to automatically start enforcing HTTPS connections to any websites hosted on those domains or their subdomains. Agencies will still need to obtain HTTPS certificates and configure their servers to support secure communications. If HTTPS is not supported on a website on a new domain after this time, web browsers will fail to connect to the website. By doing this, GSA is ensuring that, going forward, HTTPS will be consistently used for new executive branch services.
To be clear, this will only affect new domains that have never existed before (not renewals), and will only affect federal agencies in the executive branch. Since this practice will only affect new services, and agencies will be fully aware of the need for HTTPS before launching new websites, GSA does not expect any service disruption as a result.
Through GSA’s action, the .gov top-level domain will be the first original top-level domain on the internet to initiate a practice of automatic preloading for even a portion of its domain names.
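Because preloading takes effect whether or not a server is ready for it, an agency wants to confirm that the bare domain meets the preload requirements before launch. The following is an added example, not pshtt's, domain-scan's or GSA's code: a readiness check of the kind the scanning tools described earlier perform, run offline. It parses a Strict-Transport-Security header per RFC 6797 and reports what stands between the domain and a preload submission. The thresholds follow the requirements published by the hstspreload.org submission site (includeSubDomains, the preload directive, and a long max-age; the one-year minimum used here is assumed to be the current figure), and the scan observations fed in are constructed records rather than live results.

```python
"""Offline HSTS preload-readiness check (added example; constructed observations)."""

# Minimum max-age accepted for preload submission, in seconds.
# Assumption: one year is the currently published hstspreload.org requirement.
MIN_MAX_AGE = 31_536_000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header into {directive: value}.

    Directive names are case-insensitive (RFC 6797); max-age carries a value,
    includeSubDomains and preload are bare flags stored with value None.
    Returns None for a missing header or one that repeats a directive, which
    the RFC says user agents must treat as invalid.
    """
    if header_value is None:
        return None
    directives = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, value = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def header_problems(header_value):
    """List what is wrong with the header for preload purposes; [] means it qualifies."""
    directives = parse_hsts(header_value)
    if directives is None:
        return ["no valid Strict-Transport-Security header"]
    problems = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not a whole number")
    elif int(max_age) < MIN_MAX_AGE:
        problems.append(f"max-age={max_age} is below the {MIN_MAX_AGE}-second minimum")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


def preload_readiness(observation):
    """Combine the header check with the connection-level facts a scanner records.

    `observation` is a constructed dict describing what a scan of the bare
    domain saw; a real scanner would populate it from live requests.
    """
    problems = []
    if not observation.get("https_valid_cert"):
        problems.append("HTTPS not served with a valid certificate")
    if not observation.get("http_redirects_to_https"):
        problems.append("HTTP does not redirect to HTTPS on the same host")
    problems.extend(header_problems(observation.get("hsts_header")))
    return problems


# Constructed scan records for two hypothetical domains.
READY_SITE = {
    "https_valid_cert": True,
    "http_redirects_to_https": True,
    "hsts_header": "max-age=31536000; includeSubDomains; preload",
}
WEAK_SITE = {
    "https_valid_cert": True,
    "http_redirects_to_https": False,
    "hsts_header": "max-age=10886400",  # 18 weeks: valid HSTS, but short of preload
}

if __name__ == "__main__":
    for name, obs in (("ready-site", READY_SITE), ("weak-site", WEAK_SITE)):
        issues = preload_readiness(obs) or ["preload-ready"]
        print(f"{name}: " + "; ".join(issues))
```

The header check alone is not sufficient: a domain that sends a perfect header but still answers plain HTTP without redirecting, or serves a certificate browsers reject, will fail once it is preloaded, so the connection-level observations are part of the verdict.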
Q: Are there other things GSA would like to mention?
The .gov domain currently has around 5,600 registered domain names. Only around 1,300 of those belong to the federal government’s three branches. The remaining 4,300 .gov domain names belong to states, localities, and native tribes.
Because the federal government made HTTPS a policy mandate, HTTPS usage in the federal government has grown rapidly, to the point that the U.S. government now outpaces the private sector on HTTPS adoption. The use of HTTPS in state, local, and tribal governments has not seen the same level of growth.
Preloading federal government executive branch domain names is a significant step in improving the federal cyber security footprint. As the effort moves forward, GSA encourages all .gov domain owners from federal, state and local governments to employ HTTPS by default and work towards preloading their domains as HTTPS-only in modern web browsers.