U.S. Pushes for HTTPS on .gov Domains

The United States is taking additional steps toward serving .gov domains over encrypted connections, and this week laid out plans to preload the entire top-level domain (TLD).

.gov is the official TLD for US-based government organizations, but many of the .gov domains have yet to adopt the secure HTTPS protocol, which protects their visitors against eavesdropping.

A concentrated effort by major Internet and tech companies has resulted in wide adoption of HTTPS over the past several years.

One of the additional features adopted to further enhance the security of users was HTTP Strict Transport Security (HSTS), which ensures that browsers always enforce an HTTPS connection to a website.

The issue with HSTS is that it does not offer protection on the first connection to a website, because the browser only learns a site's HSTS policy from a response header it has already received over HTTPS. The exception is a domain that has been included in the HSTS preload list, which tells the browser to enable HSTS for that domain automatically.

On Monday, the U.S. government's DotGov Program, which operates the .gov TLD, announced its intent to preload the .gov TLD to ensure the security of users.

At the moment, only some government websites can be preloaded, as this requires that HTTPS is supported everywhere the domain is used, and many .gov domains still lack support for encrypted connections.

New federal executive branch .gov domains have been preloaded since May 2017, and other newly registered .gov domains were allowed to opt into this protection starting August 2018.

“We believe the security benefits that come from preloading are meaningful and necessary to continue meeting the public’s expectation of safety on .gov services. We believe that government websites should always be secure,” DotGov says.

For the moment, however, only the intent to preload the .gov TLD has been announced; DotGov says that it “could preload .gov within a few years.”

“Actually preloading is a simple step, but getting there will require concerted effort among the federal, state, local and tribal government organizations that use a common resource, but don’t often work together in this area,” DotGov explains.

In the meantime, the plan is to get all .gov domains ready for the switch, which involves raising awareness on the matter and providing agencies with the option to give feedback on the challenges they meet.

Starting September 1, 2020, all new .gov domains will be automatically preloaded, which will allow DotGov and the involved parties to focus on implementing encryption for existing domains.
