White House Proposal Urges All Federal Websites To Adopt HTTPS
blottsie writes: In an effort to close security gaps that have resulted in multiple security breaches of government servers, the Obama administration on Tuesday introduced a proposal to require all publicly accessible federal websites to use the HTTPS encryption standard. "The majority of federal websites use HTTP as the primary protocol to communicate over the public Internet," reads the proposal on the website of the U.S. Chief Information Officer. "Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services."
It's not a bad idea to run HTTPS. It makes it inconvenient to hack connections and makes people work for it. But I found this quote to be amazingly ironic: "Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services."
There's virtually no excuse to be running a website without SSL. It doesn't matter what kind of site you run. It should really be law that all sites on the internet move to SSL.
BeauHD. Worst editor since kdawson.
Only if you're okay with a network-privileged attacker (someone on the wire--what HTTPS is designed to defend against):
* Recording what pages you're visiting
* Undetectably modifying the information presented on those pages
* Injecting their own advertising, browser-level tracking mechanism, or malware
There's a solid business case for HTTPS-encrypting static pages with minimal privacy risks, just because of the threat of having unauthorized parties (i.e., ISPs) inject their own advertising.
Which has little relevance to his administration supposedly worrying about privacy while overseeing and defending the largest domestic surveillance program in history.
Heck, the gov't has its own TLD and doesn't even use it for all of their hostnames...
Quick - where is the "official" place to get your free annual credit report? Is it freeannualreport.com or freeannualcreditreport.com or what? Wouldn't it be nice if it were creditreport.ftc.gov? I (and most other Slashdot users who get a little paranoid about this type of thing) simply go to the FTC site and follow the link from there, but having it on a .gov domain would let me know for sure some squatter didn't get ahold of it...
Don't blame me, I voted for Kodos