The HTTPS-Only Standard
The American people expect government websites to be secure and their interactions with those websites to be private. The ARB has reviewed and approved “A Policy to Require Secure Connections across State Websites and Web Services”, which provides technical guidance and best practices to assist in its implementation.
Goal
This Policy requires that all publicly accessible State websites and web services only provide service through a secure connection. The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS).
This Policy provides guidance to agencies for making the transition to HTTPS and a deadline by which agencies must be in compliance.
Background
The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data. The majority of State websites use HTTP as the primary protocol to communicate over the public internet. Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted State websites and services. Data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information.
To address these concerns, many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of State websites and services deserve the same protection. Private and secure connections are becoming the Internet’s baseline, as expressed by the policies of the Internet’s standards bodies, popular web browsers, and the Internet community of practice. State government must adapt to this changing landscape, and benefits by beginning the conversion now. Proactive investment at the State level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public.
All browsing activity should be considered private and sensitive.
An HTTPS-Only standard will eliminate inconsistent, subjective determinations across agencies regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide.
State websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards. This leaves Utahns vulnerable to known threats, and may reduce their confidence in their government. Although some State websites currently use HTTPS, there has not been a consistent policy in this area. An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position Utah State Government as a leader in Internet security.
What HTTPS Does
HTTPS verifies the identity of a website or web service for a connecting client, and encrypts nearly all information sent between the website or service and the user. Protected information includes cookies, user agent details, URL paths, form submissions, and query string parameters. HTTPS is designed to prevent this information from being read or changed while in transit.
HTTPS is a combination of HTTP and Transport Layer Security (TLS). TLS is a network protocol that establishes an encrypted connection to an authenticated peer over an untrusted network.
Browsers and other HTTPS clients are configured to trust a set of certificate authorities that can issue cryptographically signed certificates on behalf of web service owners. These certificates communicate to the client that the web service host demonstrated ownership of the domain to the certificate authority at the time of certificate issuance. This prevents unknown or untrusted websites from masquerading as a Federal website or service.
What HTTPS Doesn’t Do
HTTPS has several important limitations. IP addresses and destination domain names are not encrypted during communication. Even encrypted traffic can reveal some information indirectly, such as time spent on site, or the size of requested resources or submitted information.
HTTPS only guarantees the integrity of the connection between two systems, not the systems themselves. It is not designed to protect a web server from being hacked or compromised, or to prevent the web service from exposing user information during its normal operation. Similarly, if a user’s system is compromised by an attacker, that system can be altered so that its future HTTPS connections are under the attacker’s control. The guarantees of HTTPS may also be weakened or eliminated by compromised or malicious certificate authorities.
Challenges and Considerations
Site Performance: While encryption adds some computational overhead, modern software and hardware can handle this overhead without substantial deleterious impact on server performance or latency. Websites with content delivery networks or server software that support the SPDY or HTTP/2 protocols, which require HTTPS in some major browsers, may find their site performance substantially improved as a result of migrating to HTTPS.
Server Name Indication: The Server Name Indication extension to TLS allows for more efficient use of IP addresses when serving multiple domains. However, these technologies are not supported by some legacy clients. Web service owners should evaluate the feasibility of using this technology to improve performance and efficiency.
Mixed Content: Websites served over HTTPS need to ensure that all external resources (images, scripts, fonts, iframes, etc.) are also loaded over a secure connection. Modern browsers will refuse to load many insecure resources referenced from within a secure website. When migrating existing websites, this can involve a combination of automated and manual effort to update, replace, or remove references to insecure resources. For some websites, this can be the most time consuming aspect of the migration process.
APIs and Services: Web services that serve primarily non-browser clients, such as web APIs, may require a more gradual and hands-on migration strategy, as not all clients can be expected to be configured for HTTPS connections or to successfully follow redirects.
Planning for Change: Protocols and web standards improve regularly, and security vulnerabilities can emerge that require prompt attention. State websites and services should deploy HTTPS in a manner that allows for rapid updates to certificates, cipher choices (including forward secrecy) protocol versions, and other configuration elements. DTS will monitor https.cio.gov and other public resources to keep apprised of current best practices.
Strict Transport Security: Websites and services available over HTTPS must enable HTTP Strict Transport Security (HSTS) to instruct compliant browsers to assume HTTPS going forward. This reduces insecure redirects, and protects users against attacks that attempt to downgrade connections to plain HTTP. Once HSTS is in place, domains can be submitted to a “preload list” used by all major browsers to ensure the HSTS policy is in effect at all times.
Cost Effective Implementation
Implementing an HTTPS-only standard does not come without a cost. Some State websites have already deployed HTTPS. The goal of this policy is to increase that adoption.
The administrative and financial burden of universal HTTPS adoption on all State websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time. The development burden will vary substantially based on the size and technical infrastructure of a site. The compliance timeline, outlined in this Policy, provides sufficient flexibility for project planning and resource alignment.
Guidelines
In order to promote the efficient and effective deployment of HTTPS, the timeframe for compliance, outlined below, is both reasonable and practical.
This Policy requires that State agencies deploy HTTPS on their domains using the following guidelines.
- Newly developed websites and services at all State agency domains or subdomains must adhere to this policy upon launch.
- For existing websites and services, agencies should prioritize deployment using a risk-based analysis. Web services that involve an exchange of personally identifiable information (PII), where the content is unambiguously sensitive in nature, or where the content receives a high-level of traffic should receive priority and migrate as soon as possible.
- Agencies must make all existing websites and services accessible through a secure connection (HTTPS-only, with HSTS) by December 31, 2016.
