Cybersecurity

All federal websites to support encrypted browsing

By the end of next year, all federal websites will only provide service through an encrypted connection, the White House said in a Monday blog post.

The move is an effort to protect the identity of users connecting to government sites, as well as website content, search terms entered on sites and other types of user-submitted information.

Many major online services, such as Facebook and Google, have already transitioned to what’s known as HTTPS-only. Most websites use the unencrypted HTTP protocol to communicate data.

The government is split. While the White House website uses HTTPS, the Justice Department sites do not.

“Unencrypted HTTP connections create a vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services,” said Tony Scott, the government’s chief information officer.

HTTPS, or HTTP Secure, encrypts that information in transit. Digital rights advocates have long argued the entire Internet should move toward HTTPS browsing.

The Office of Management and Budget first suggested moving to an HTTPS-only standard in March.

The goal is to “eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide,” Scott said.

But he cautioned that HTTPS has its limitations.

For instance, it will not help the government thwart the type of hackers that have repeatedly infiltrated agencies from the U.S. weather system to the White House to the Office of Personnel Management, which recently had 4 million workers’ records stolen by suspected Chinese hackers.

“HTTPS only guarantees the integrity of the connection between two systems, not the systems themselves,” Scott said. “It is not designed to protect a web server from being hacked or compromised, or to prevent the web service from exposing user information during its normal operation.”