In light of recent incidents that exposed gaping security holes in U.S. government agency systems, President Barrack Obama issued a memorandum dated June 8 mandating the strict use of secure connection protocols among “all publicly accessible Federal websites and web services” by using Hypertext Transfer Protocol Secure, or HTTPS.
The order, penned by Federal Chief Information Officer Tony Scott and directed to heads of executive departments and agencies, talked in detail about how turning to HTTPS and denouncing HTTP would alleviate the alarming state of government agencies’ systems security and ensure a steadier shield against possible intrusion from outside forces.
Last week, we reported on an ongoing investigation involving a massive breach that targeted the US Office of Personnel Management (OPM), the human resources department of the federal government. The attack uncovered personal information of around four million current and former federal employees housed in the OPM systems.
The proposed HTTPS-Only Standard explains the value of the added layer of security afforded by HTTPS. By definition, HTTPS is a combination of HTTP and Transport Layer Security or TLS—a network protocol that forms an encrypted connection to ensure privacy between communications made between applications and Internet users. Known as the descendant of Secure Sockets Layer (SSL), TSL prevents third parties from snooping in or altering any message exchanged.
Before a user connects to a website or any given web service, HTTPS verifies its identity to ensure security then encrypts all information exchanged between the user and said site. This protection covers all bases from “cookies, user agent details, URL paths, form submissions, and query string parameters”. These are safety measures that are unavailable in unencrypted HTTP protocols, therefore rendering users vulnerable to interception and network intrusion.
Scott’s proposal received its share of support and criticism. NASA webserver and database administrator Joe Hourcie called it a mere “top-down solution” without clear understanding of what steps need to be undertaken to cement network security. On the other hand, the American Civil Liberties Union regarded the policy as a “great first step” before going into suggesting more encryption best practices. Scott emphasized that “the American people expect government websites to be secure and their interactions with those websites to be private.”
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).