In a previous post, I detailed a quite problematic encryption proposal by NSA Director Rogers. In this post, let me follow with positive news: good – and truly groundbreaking – encryption work by the US government. The US Federal CIO recently requested comments on their own encryption plans, via https://https.cio.gov. The plan, simply stated, would require all federal government websites to go “HTTPS-Only” within two years. HTTPS is the form of encryption that keeps you safe on the web; when you visit your bank you may notice that there is a little lock icon in the web address bar and that the URL begins with “https://” (the “s” is for “secure”). The problem with unencrypted web sites – that start with “http://” – is twofold: anyone that happens to have access to the communication can directly eavesdrop on the communication and they could change the content without the ends of the communication being able to tell. This last part is critical: the information loaded into your web browser when you visit a website is not just text, images, and videos, but software too. If someone is able to modify the contents of a web communication in transit, they can substitute good software with malicious software, called “malware,” that can wreak havoc on your devices and the information they contain.
The HTTPS-Only proposal from the US CIO is very welcome and well done. Government services can be very sensitive and it’s crucial that communications with government websites be confidential and protected from alteration. Working as part of the Privacy and Security Program of the Internet Engineering Task Force’s (IETF) Internet Architecture Board (IAB), I drafted technical comments on the HTTPS-Only proposal for the IAB. The IAB found the HTTPS-Only standard to be technically sound and very well done, with some small changes suggested around the edges. Speaking for myself, I hope the CIO acts quickly to get the two-year clock started so the work of encrypting the US federal web can begin.
Both the major standards bodies for the internet and web – the IETF and the World Wide Web Consortium (W3C) – have issued statements arguing that encryption should be the norm for internet and web communications going forward. The US Government’s HTTPS-Only standard is a critical and natural part of those efforts; government services are the infrastructure that much of our society runs on top of, and they should be robustly secure by default.