
U.S. Pushes for HTTPS on .gov Domains

The United States is taking additional steps toward serving .gov domains over encrypted connections, and this week laid out plans to preload the entire top-level domain (TLD).


.gov is the official TLD for US-based government organizations, but many of the .gov domains have yet to adopt the secure HTTPS protocol, which protects their visitors against eavesdropping.

A concentrated effort from major Internet and tech companies has resulted in wide adoption of HTTPS over the past several years.

One of the additional features adopted to further enhance the security of users was HTTP Strict Transport Security (HSTS), which ensures that browsers always enforce an HTTPS connection to a website.

The issue with HSTS is that it does not offer protection on the first connection to a website, unless the domain has been included in the HSTS preload list, which tells the browser to enforce HSTS for that domain automatically.

On Monday, the U.S. government’s DotGov Program, which operates the .gov TLD, announced its intent to preload the .gov TLD to ensure the security of users.

At the moment, only some government websites can be preloaded, as this requires that HTTPS is supported everywhere the domain is used, and many .gov domains still lack support for encrypted connections.
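To make the readiness gap concrete, the following added example (not from the article or from DotGov) parses a site's `Strict-Transport-Security` header and lists what it lacks for preloading. The thresholds are an assumption taken from the public preload list's submission rules at hstspreload.org, and the host names and headers are constructed.

```python
import re

# Assumption: these thresholds follow the public preload list's submission rules
# (hstspreload.org); the article itself does not state them.
MIN_PRELOAD_MAX_AGE = 31536000  # one year, in seconds

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    policy = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by the grammar
        name, sep, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in policy:
            return None  # RFC 6797: each directive may appear only once
        policy[name] = value.strip().strip('"') if sep else True
    max_age = policy.get("max-age")
    if not isinstance(max_age, str) or not re.fullmatch(r"\d+", max_age):
        return None  # max-age is required and must be a non-negative integer
    policy["max-age"] = int(max_age)
    return policy

def preload_gaps(header):
    """List the reasons a header falls short of preload readiness."""
    policy = parse_hsts(header) if header else None
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    gaps = []
    if policy["max-age"] < MIN_PRELOAD_MAX_AGE:
        gaps.append("max-age below one year")
    if policy.get("includesubdomains") is not True:
        gaps.append("includeSubDomains missing")
    if policy.get("preload") is not True:
        gaps.append("preload missing")
    return gaps

# Constructed sample headers for hypothetical hosts, not real measurements.
SAMPLES = {
    "agency-a.example": "max-age=31536000; includeSubDomains; preload",
    "agency-b.example": "max-age=300",
    "agency-c.example": None,  # site sent no HSTS header at all
}

if __name__ == "__main__":
    for host, header in SAMPLES.items():
        print(host, preload_gaps(header) or "ready for preload")
```

A header check like this covers only the policy a site advertises; whether every subdomain actually serves HTTPS still has to be verified separately.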


New federal executive branch .gov domains have been preloaded since May 2017, and other newly registered .gov domains were allowed to opt into this protection starting August 2018.

“We believe the security benefits that come from preloading are meaningful and necessary to continue meeting the public’s expectation of safety on .gov services. We believe that government websites should always be secure,” DotGov says.

For the moment, however, only the intent to preload the .gov TLD has been announced; DotGov says that it “could preload .gov within a few years.”

“Actually preloading is a simple step, but getting there will require concerted effort among the federal, state, local and tribal government organizations that use a common resource, but don’t often work together in this area,” DotGov explains.

In the meantime, the plan is to get all .gov domains ready for the switch, which involves raising awareness on the matter and providing agencies with the option to give feedback on the challenges they meet.

Starting September 1, 2020, all new .gov domains will be automatically preloaded, which would allow DotGov and the involved parties to focus on implementing encryption for existing domains.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
