6/9/2015
03:35 PM
White House Calls For Encryption By Default On Federal Websites By Late 2016

Just 31% of federal agencies today host HTTPS websites and the Office of Management and Budget (OMB) has now given the rest of the government a deadline for doing so.

In yet another step toward making Internet encryption the new normal, the White House has instituted a new policy requiring all federal agencies to use HTTPS for their public-facing websites by the end of next year.

To date, only 31% of federal agencies run encrypted, HTTPS websites, including whitehouse.gov, cia.gov, nsa.gov, and omb.gov. Interestingly, dhs.gov and fbi.gov are among the agency websites that are not HTTPS-enabled as yet, according to a federal website that tracks and grades HTTPS adoption among agencies.

The OMB first recommended the HTTPS-only policy in draft form in March, and this week's announcement solidifies the plan with guidance and a December 31, 2016, deadline for adopting encrypted website communications via the standard.

Tony Scott, the administration's federal chief information officer, said in the new policy memorandum that all publicly accessible federal government websites and web services must deploy secure connections between the client and website via HTTPS, the Hypertext Transfer Protocol Secure.

"Private and secure connections are becoming the Internet's baseline, as expressed by the policies of the Internet's standards bodies, popular web browsers, and the Internet community of practice. The Federal government must adapt to this changing landscape, and benefits by beginning the conversion now. Proactive investment at the Federal level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public," Scott said in the announcement.

"Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the Federal Government as a leader in Internet security," he said.

The US government's encrypted website policy comes on the heels of a wave of SSL/TLS-related moves in the industry, with major websites including Facebook, Twitter, and LinkedIn going encrypted in an age of privacy and security concerns. Google is even giving HTTPS sites a ranking boost. The Internet Architecture Board (IAB), which oversees the Internet's architecture, protocols, and standards efforts, last November officially called for encryption to be instituted throughout the protocol stack as a way to secure information exchange and provide privacy.

IAB chairman Russ Housley also urged developers to deploy encryption by default, and for network and service providers to add it as well to their offerings.

"Web security is in a dismal state," says Jeremiah Grossman, co-founder of WhiteHat Security. "This is a step in the right direction" for the feds, he says.

The catch, however, is just how such a massive number of agencies with large numbers of web pages and sites will manage their SSL/TLS certificates. It's unclear whether the feds will serve as their own certificate authority or not -- that information was not included in the policy. Efforts to reach the OMB prior to press time about the CA were unsuccessful.

"They're going to have a crypto challenge. How are they going to do key management, agency by agency? They're going to run into logistics issues, having expiring SSL keys," for example, Grossman says.

Grossman says despite the inherent challenges of getting HTTPS everywhere in the government, the new policy is a "win for everybody."

[Internet Architecture Board chairman Russ Housley explains what the IAB's game-changing statement about encryption means for the future of the Net. Read Q&A: Internet Encryption As The New Normal.]

The White House encryption policy also comes against the backdrop of a bitter battle pitting the FBI and the White House against members of the technology community over backdoors to encryption intended to help law enforcement fight crime and terror. Members of the Information Technology Industry Council and the Software and Information Industry Association today penned a letter to President Obama in protest of any policies that would allow for such backdoors.

No Fix For Hacks

HTTPS does not, of course, prevent website hacks or other security events -- a caveat Scott included in the OMB policy document.

"HTTPS-only guarantees the integrity of the connection between two systems, not the systems themselves. It is not designed to protect a web server from being hacked or compromised, or to prevent the web service from exposing user information during its normal operation," he said. "Similarly, if a user's system is compromised by an attacker, that system can be altered so that its future HTTPS connections are under the attacker's control. The guarantees of HTTPS may also be weakened or eliminated by compromised or malicious certificate authorities."

The administration's guidelines for HTTPS deployment call for all new federal agency websites and services to be HTTPS from the get-go. They recommend HTTPS for intranets as well, but do not require it.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Thomas Claburn, 6/9/2015 | 6:38:04 PM
Apple... in its iOS 9 dev documentation calls for HTTPS as the default. Security is improving, if slowly.