Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

U.S. Pushes for HTTPS on .gov Domains

The United States is taking additional steps toward serving .gov domains over encrypted connections, and this week laid out plans to preload the entire top-level domain (TLD).

The United States is taking additional steps toward serving .gov domains over encrypted connections, and this week laid out plans to preload the entire top-level domain (TLD).

.gov is the official TLD for US-based government organizations, but many of the .gov domains have yet to adopt the secure HTTPS protocol, which protects their visitors against eavesdropping.

A concentrated effort from major Internet and tech companies out there has resulted in a wide adoption of HTTPS over the past several years.

One of the additional features adopted to further enhance the security of users was HTTP Strict Transport Security (HSTS), which ensures that browsers always enforce an HTTPS connection to a website.

The issue with HSTS is that it does not offer protection on the first connection to a website, unless the domain has been included in the HSTS preload list, which tells the browser to get HSTS enabled automatically.

On Monday, the U.S. government’s DotGov Program, which operates the .gov TLD, announced intent to preload the .gov TLD to ensure the security of users.

At the moment, only some government websites can be preloaded, as this requires that HTTPS is supported everywhere the domain is used, and many .gov domains still lack support for encrypted connections.

New federal executive branch .gov domains have been preloaded since May 2017, and other newly registered .gov domains were allowed to opt into this protection starting August 2018.

“We believe the security benefits that come from preloading are meaningful and necessary to continue meeting the public’s expectation of safety on .gov services. We believe that government websites should always be secure,” DotGov says.

For the moment, however, only intent to preload the .gov TLD was announced, but DotGov says that it “could preload .gov within a few years.”

“Actually preloading is a simple step, but getting there will require concerted effort among the federal, state, local and tribal government organizations that use a common resource, but don’t often work together in this area,” DotGov explains.

In the meantime, the plan is to get all .gov domains ready for the switch, which involves raising awareness on the matter and providing agencies with the option to give feedback on the challenges they meet.

Starting September 1, 2020, all new .gov domains will be automatically preloaded, which would allow DotGov and the involved parties to focus on implementing encryption for existing domains.

Related: Google Expands HSTS Preload List

Related: Apple Addresses HSTS User Tracking in WebKit

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.