U.S. federal CIO Tony Scott on Monday sent a memo to the heads of executive departments and agencies requiring that all publicly accessible federal websites and Web services use HTTPS — “the strongest privacy and integrity protection currently available for public Web connections.”
Some federal websites currently use HTTPS, but there has not been a consistent policy across the federal government to do so, Scott pointed out.
Websites and services available over HTTPS must enable HTTP Strict Transport Security.
Newly developed websites and services at all federal agency domains or subdomains must adhere to the HTTPS policy upon launch, and existing websites and services must implement HTTPS by Dec. 31, 2016.
“It is very positive news that the government is going to ensure that the authenticity, not just the privacy, of federal websites is secured by requiring HTTPS for all websites,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“However, the HTTPS needs to be secured,” he told TechNewsWorld.
Federal agencies must inspect inbound traffic for threats, and must scan HTTPS websites constantly, Bocek recommended.
HTTPS doesn’t encrypt IP addresses and destination domain names during communication, and even encrypted traffic can reveal some information indirectly, such as the amount of time spent on a site, or the size of requested resources or submitted information, Scott acknowledged.
The protocol only guarantees the integrity of the connection between two systems — not the systems themselves.
HTTPS isn’t designed to protect a Web server from being hacked or compromised, or to prevent a Web service from exposing user information during normal operations, Scott noted. Further, hackers can take control of the HTTPS connections of systems they have broken into, and compromised or malicious certificate authorities can weaken or eliminate the protection of HTTPS.
Websites served over HTTPS must ensure that all external resources, such as images, scripts, fonts and iframes, are loaded over a secure connection, Scott said.
Federal websites and services should deploy HTTPS in a manner that allows for rapid updates to certificates, cipher choices, protocol versions and other configuration elements.
Agencies should monitor the government CIO website and other public resources to stay abreast of current best practices, Scott advised.
A public dashboard has been set up to monitor agency compliance.
The Dismal State of US Government Security
U.S. federal sites are poorly protected.
Hackers hit the U.S. Office of Personnel Management in December compromising the data of about 4 million current and former federal employees. It was the second major breach there in less than a year.
Russian hackers last year compromised email systems at the White House and State Department.
The U.S. Army’s website on Monday went dark, and the Syrian Electronic Army claimed credit for taking it down.
In many cases, U.S. federal sites haven’t follow recommendations made following security audits.
For example, the Internal Revenue Service, which was hit last month by a hack that stole data from at least 100,000 taxpayers’ accounts, had implemented corrections for only 24 of 69 previously reported security weaknesses, a Government Accountability Office audit warned in March.
Potential Stumbling Blocks
Maintenance and upkeep are crucial, because “this is where hacks happen,” said Secure Channels CEO Richard Blech.
Since HTTPS is only point-to-point, the security “is only as strong as the user or server it originates from,” he told TechNewsWorld, and data still can be taken off the receiving device.
It “means a lot of work for IT to get [certificates] done and keep them current,” said Robert Neivert, COO of Private.me.
Implementing HTTPS “takes a lot more resources” because information must be encrypted and decrypted, he told TechNewsWorld.
HTTPS “will probably not solve most [of the problems],” observed Shawn Masters, VP of solutions engineering at Novetta.
“Many of the breaches were through other means,” he told TechNewsWorld.
“The systems will need to be hardened also,” Masters said, noting further that it is “not uncommon” for HTTPS to be poorly or incorrectly implemented.