Every .gov website, no matter how small, should give its visitors a secure, private connection. Plain HTTP (http://) connections are neither secure nor private, and can be easily intercepted and impersonated. In today’s web browsers, the best and easiest way to fix that is to use HTTPS (https://). Now, a number of government websites have taken a step further and are becoming the first .gov domains hardcoded into major web browsers as HTTPS- only. This means that these .gov domains are taking the extra step of verifying that all their subdomains use HTTPS.
Recently, notalone.gov, a website launched by the White House Task Force to Protect Students from Sexual Assault, was hardcoded into major web browsers as HTTPS-only. Now, This means that when visitors type “notalone.gov” or click a link to http://notalone.gov, the browser will go directly to https://notalone.gov without ever attempting to connect over plain HTTP. This prevents anyone from getting a chance to intercept or maliciously redirect the connection, and avoids exposing URLs, metadata, and cookies that would otherwise have remained private.
18F worked with a number of government teams to help submit 19 .gov domains to be hardcoded as HTTPS-only. These .gov domains include:
- The Federal Trade Commission prepared the Do Not Call Registry, as well as their consumer complaint system and a merger filing system, by submitting donotcall.gov, ftccomplaintassistant.gov, andhsr.gov.
- The Inspector General for the U.S. Postal Service submitted uspsoig.gov (which includes various sensitive complaint forms) after moving entirely to HTTPS.
- The AIDS.gov team submitted their domain after moving the main website and each subdomain over to HTTPS.
- The Administrative Conference of the U.S. submitted acus.gov after moving to HTTPS while relaunching their website.
- At the state level, the District of Columbia legislature submitted dccode.gov as part of its launch.
- The Federal Register submitted federalregister.gov, a fully HTTPS-enabled website since 2011.
- 18F chipped in and submitted notalone.gov, which used HTTPS from the start.
- The OMB MAX team worked with the White House and the General Services Administration to prepare the website for the Federal CIO Council and a number of other websites and redirect domains: cio.gov,cao.gov, cfo.gov, max.gov, itdashboard.gov, paymentaccuracy.gov, earmarks.gov, bfelob.gov, save.gov,saveaward.gov.
To be clear: the above domains are not the only .gov domains that use HTTPS. Many others do. The above domains have taken the extra step of verifying that all their subdomains use HTTPS, and are comfortable telling browsers to just assume this going forward. This will take effect in Chrome, Firefox, and Safari over the course of 2015.
To read more about why HTTPS is important, how to reliably force HTTPS, and how to submit your own domain to browsers, read the full post here.