Written bySamantha Ehlinger
Not all agency .gov domains hit the December deadline to support HTTPs, but 18F said this week significant progress has been made.
The White House in June 2015 released a memo requiring all federal servers to support and enforce HTTPS connections over public internet by Dec. 31, 2016. While some agency domains didn’t make that deadline, an 18F blog post published Wednesday notes that now 75 percent of parent .gov domains support HTTPS.
But it’s worth noting that the analysis did not track .mil domains, or all subdomains of .gov websites, for which 18F says they could find no complete governmentwide list.
The blog post also notes that “most individual agencies of any significant size do not have a complete central inventory of their own subdomains.”
18F’s Eric Mill does remind readers that all federally operated web services on the public internet are subject to the policy, suffix aside.
“However, since there is more comprehensive information available on .gov domains than on other suffixes, and the .gov suffix contains most domains belonging to most agencies, our public monitoring efforts and data are focused on federal .gov domains,” the post says. 18F is the General Services Administration’s digital services team.
HTTPS establishes a secure, private connection to websites on the internet, making it much more difficult for that connection to be intercepted or modified.
The 2015 memo also required agencies to use HTTP Strict Transport Security, which as the blog post explains, “gives permission to web browsers and other clients to enforce HTTPS directly, and disables the ability for users to click through certificate warnings.”
Adoption of that higher standard is not as widespread, with a little less than half of live, executive branch parent .gov domains using it, according to the post. But HSTS use among .gov domains was only 2 percent before the memo, so progress has been made, Mill says in his post.
The blog post notes that, “The White House policy generated significant HTTPS adoption in the U.S. government, to the point that the government now outpaces the private sector on HTTPS.”
18F in its analysis also evaluated the 475 million visits registered in the last 30 days (as of Jan. 1) with the Digital Analytics Program to get a sense of how many of those visits went to sites that use and enforce HTTPS and use an HSTS policy.
And 77 percent of those visits were to domains that support HTTPS, 66 percent enforce HTTPS and 58 percent use HSTS.
From that and its other analysis, 18F concluded “these datasets suggest very significant progress on the part of the executive branch, and it’s likely that a clear majority of web traffic to executive branch .gov domains is now encrypted.”
Contact Samantha via email at firstname.lastname@example.org, or follow her on Twitter at @samehlinger. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.