How States Can Make the Switch from HTTP to HTTPS

Cameron Dixon of the Department of Homeland Security offers advice on how states can make the switch to more secure websites by employing tools and best practices from the federal government.

The first line of the first section of the president’s cyber executive order hits at a core reason I’m a public servant. It reads: “The executive branch operates its information technology (IT) on behalf of the American people.”

Behind every change request, security update or technology refresh is the implicit understanding that what public servants do is for the citizens they serve — and citizens increasingly expect to interact with their government in the same fashion they shop, watch movies or talk with friends: through the web.

In a subtle but very real way, lack of high-quality digital services can undermine the trust people have in their government. And in a very real, unsubtle way, the lack of an encrypted connection to your websites and services via HTTPS leaves citizens at risk, exposing their sensitive data and metadata to anyone between their device and your servers. Additionally, it means that you have no guarantee that citizens are receiving what you are serving, since any network intermediary can modify or inject data in transit, and neither you nor your end users are likely to know.

In the federal government, executive branch agencies are required to serve all web traffic (including application programming interfaces) over HTTPS and use HTTP Strict Transport Security (HSTS). HSTS ensures browsers always use an https:// connection and makes it so that certificate-related warnings cannot be ignored by clicking through.

Over the last two years, this policy’s implementation has enabled the federal government to outpace the private sector in the deployment of HTTPS.

I suspect the state or local government you serve has a smaller footprint of web services than the federal government, which means adopting HTTPS shouldn’t take years.

How can local governments learn from the feds and make the switch to HTTPS? Here are four tips.

1. Set a Policy and Select a Date for the HTTPS Switch

Make it official: Craft a policy that your websites and services will be HTTPS-only, and make it publicly known. This serves to motivate and commit you while also signaling to citizens you value their security.

The language of the federal directive is at https.cio.gov, which you can reuse for your purposes. It also spells out a wealth of technical guidance for implementers.

2. Work Toward HSTS Preloading

Consider making the submission of your domains to the HSTS Preload list a pinnacle accomplishment of your policy. HSTS Preloading hard-codes your domain into modern browsers, enforcing HSTS across all your subdomains.

It’s worth noting that earlier this year, the DotGov registry began automatically submitting newly registered federal executive branch .gov domains for HSTS preloading. If all .gov domains work with a unity of purpose toward using HTTPS, the entire .gov zone could be preloaded, which provides major protection for citizens. The more that .gov domains participate, the stronger the argument becomes to preload .gov.

3. Track Your Efforts Toward HTTPS

During the federal government’s switch to HTTPS, both public and private reporting took place, which ensured agency leadership was aware of progress (or lack thereof). DHS tracked this by developing pshtt, an open-source tool to scan for HTTPS best practices.
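As an added example in the spirit of that tracking (it is not pshtt's code and not from the original article), the Python below parses a Strict-Transport-Security header and reports whether it meets the hstspreload.org submission requirements: a max-age of at least one year, plus the includeSubDomains and preload directives. The thresholds are the preload list's published requirements; everything else, including the header values it is exercised with, is constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Submission requirements of the hstspreload.org list: max-age of at least
# one year (31536000 seconds) plus the includeSubDomains and preload directives.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsResult:
    """Outcome of checking one header; preload_ready means no problems found."""
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list = field(default_factory=list)

    @property
    def preload_ready(self) -> bool:
        return not self.problems


def parse_hsts(header_value: str) -> dict:
    """Split an HSTS header value into a {directive: value} map. RFC 6797
    directive names are case-insensitive, so they are lower-cased here."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def evaluate_hsts(header_value: Optional[str]) -> HstsResult:
    """Check a Strict-Transport-Security header (None = not served)."""
    res = HstsResult()
    if header_value is None:
        res.problems.append("no Strict-Transport-Security header served")
        return res
    d = parse_hsts(header_value)
    if not d.get("max-age", "").isdigit():
        res.problems.append("missing or non-numeric max-age")
    else:
        res.max_age = int(d["max-age"])
        if res.max_age < PRELOAD_MIN_MAX_AGE:
            res.problems.append(f"max-age {res.max_age} is below one year")
    res.include_subdomains = "includesubdomains" in d
    res.preload = "preload" in d
    if not res.include_subdomains:
        res.problems.append("includeSubDomains directive missing")
    if not res.preload:
        res.problems.append("preload directive missing")
    return res
```

A real scan would also confirm the HTTP-to-HTTPS redirect and a valid certificate, which this header check alone does not cover.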

All signs show there still is work to do. In mid-September, Google published research about the root causes of the HTTPS certificate errors that Chrome users receive.

Among several useful findings, the data indicates that 65 percent of the 100 sites with the most server errors are government sites. Though the research doesn’t break out “government sites” by country or type, I have reason to suspect a good chunk are state and local .gov sites — I’ve seen the data.

I noted an interesting concentration of HTTPS errors on state benefits, unemployment and child support websites. This makes some sense, as these sites often involve very personal information and thus require authentication (and HTTPS). The sites are meant to assist highly vulnerable populations, people who shouldn’t be served error warnings in order to interact with their government.

4. Serve State and Local Citizens Securely

Ensuring a secure connection for citizens’ use is a noble goal, one with meaningful results. It also doesn’t need to be expensive. Domain Validation (DV) certificates, which are the type most suited to automation (no more expiry notices!), can be obtained cheaply or even for free. This kind of certificate is widely used in the federal government.

It’s important to think about and protect how your citizens interact with government. With the web pushing toward HTTPS by default, states, counties and cities can and should be at the forefront of this effort.

Oct 12 2017