
U.S. Pushes for HTTPS on .gov Domains

The United States is taking additional steps toward serving .gov domains over encrypted connections, and this week laid out plans to preload the entire top-level domain (TLD).

.gov is the official TLD for US-based government organizations, but many of the .gov domains have yet to adopt the secure HTTPS protocol, which protects their visitors against eavesdropping.

A concentrated effort from major Internet and tech companies has resulted in wide adoption of HTTPS over the past several years.

One of the additional features adopted to further enhance the security of users was HTTP Strict Transport Security (HSTS), which ensures that browsers always enforce an HTTPS connection to a website.

The issue with HSTS is that it does not offer protection on the first connection to a website, unless the domain has been included in the HSTS preload list, which tells the browser to enforce HSTS for that domain automatically.
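The first-connection gap and the effect of a preloaded TLD can be seen in a simplified model of a browser's HSTS logic. This is an added example, not code from SecurityWeek or the DotGov Program; the names `parseHsts`, `HstsStore` and `firstVisitDemo` are hypothetical, and the reserved `.example` TLD stands in for a preloaded TLD such as .gov:

```javascript
// Added example: simplified model of a browser's HSTS decision (RFC 6797).
// Parse a Strict-Transport-Security value; max-age is mandatory.
function parseHsts(value) {
  let maxAge = null, includeSubDomains = false;
  for (const part of value.split(";")) {
    const [name, raw = ""] = part.split("=");
    const key = name.trim().toLowerCase();
    const arg = raw.trim().replace(/^"(.*)"$/, "$1");
    if (key === "max-age" && /^\d+$/.test(arg)) maxAge = Number(arg);
    if (key === "includesubdomains") includeSubDomains = true;
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor(preloaded = []) {
    this.preloaded = new Set(preloaded); // names shipped inside the browser
    this.dynamic = new Map();            // host -> policy learned from headers
  }
  // Learn a policy from a response; the header is ignored over plain HTTP.
  noteResponse(host, scheme, headerValue, now) {
    const policy = scheme === "https" ? parseHsts(headerValue) : null;
    if (!policy) return;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) this.dynamic.delete(key); // max-age=0 clears the entry
    else this.dynamic.set(key, { expires: now + policy.maxAge, subs: policy.includeSubDomains });
  }
  // True when a request to http://host is rewritten to https:// before sending.
  mustUpgrade(host, now) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const name = labels.slice(i).join(".");
      // Assumption: every preloaded name also covers its subdomains.
      if (this.preloaded.has(name)) return true;
      const entry = this.dynamic.get(name);
      if (entry && entry.expires > now && (i === 0 || entry.subs)) return true;
    }
    return false;
  }
}

// Constructed demo: the reserved .example TLD stands in for a preloaded TLD.
function firstVisitDemo() {
  const host = "agency.example";
  return {
    noPreload: new HstsStore().mustUpgrade(host, 0),
    tldPreloaded: new HstsStore(["example"]).mustUpgrade(host, 0),
  };
}
```

Without a preload entry, the very first plain-HTTP request to a host is not upgraded; with the TLD preloaded, every host under it is upgraded before any response has been seen.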

On Monday, the U.S. government’s DotGov Program, which operates the .gov TLD, announced its intent to preload the .gov TLD to ensure the security of users.

At the moment, only some government websites can be preloaded, as this requires that HTTPS is supported everywhere the domain is used, and many .gov domains still lack support for encrypted connections.

New federal executive branch .gov domains have been preloaded since May 2017, and other newly registered .gov domains were allowed to opt into this protection starting August 2018.

“We believe the security benefits that come from preloading are meaningful and necessary to continue meeting the public’s expectation of safety on .gov services. We believe that government websites should always be secure,” DotGov says.

For the moment, only the intent to preload the .gov TLD has been announced, but DotGov says that it “could preload .gov within a few years.”

“Actually preloading is a simple step, but getting there will require concerted effort among the federal, state, local and tribal government organizations that use a common resource, but don’t often work together in this area,” DotGov explains.

In the meantime, the plan is to get all .gov domains ready for the switch, which involves raising awareness of the matter and giving agencies the option to provide feedback on the challenges they meet.

Starting September 1, 2020, all new .gov domains will be automatically preloaded, which will allow DotGov and the involved parties to focus on implementing encryption for existing domains.

Related: Google Expands HSTS Preload List

Related: Apple Addresses HSTS User Tracking in WebKit

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
