Slashdot Mirror


White House Proposal Urges All Federal Websites To Adopt HTTPS

blottsie writes: In an effort to close security gaps that have resulted in multiple security breaches of government servers, the Obama administration on Tuesday introduced a proposal to require all publicly accessible federal websites to use the HTTPS encryption standard. "The majority of federal websites use HTTP as the primary protocol to communicate over the public Internet," reads the proposal on the website of the U.S. Chief Information Officer. "Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services."

11 of 155 comments

  1. Breaking news: Republicans against HTTPS by Pope Hagbard · · Score: 3, Funny

    In the wake of the Obama Administration encouraging use of HTTPS, Ted Cruz was reported as saying that encryption was a government conspiracy to deprive godfearing Americans of their privacy.

  2. Interdasting... by grimmjeeper · · Score: 3, Insightful

    It's not a bad idea to run HTTPS. It makes it inconvenient to hack connections and makes people work for it. But I found this quote to be amazingly ironic: "Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services."

    1. Re:Interdasting... by techno-vampire · · Score: 4, Insightful

      Using https to transmit sensitive information is the same as remembering to lock your car. It's not perfect and it won't stop a determined attack, but it's enough to prevent casual intrusions. And, of course, if somebody does break the encryption there's no way they can claim that they didn't know that the transmission was private.

      --
      Good, inexpensive web hosting
  3. Not just for government. by kuzb · · Score: 4, Insightful

    There's virtually no excuse to be running a website without SSL. It doesn't matter what kind of site you run. It should really be law that all sites on the internet move to SSL.

    --
    BeauHD. Worst editor since kdawson.
  4. Re:Rules for some, or everyone? by Lunix Nutcase · · Score: 3, Informative

    I don't know. She should probably check the configurations of Jeb Bush's and Rick Perry's private email servers before making a decision.

  5. Re:Only on some... by blueg3 · · Score: 3, Insightful

    Only if you're okay with a network-privileged attacker (someone on the wire--what HTTPS is designed to defend against):
    * Recording what pages you're visiting
    * Undetectably modifying the information presented on those pages
    * Injecting their own advertising, browser-level tracking mechanism, or malware

    There's a solid business case for HTTPS-encrypting static pages with minimal privacy risks, just because of the threat of having unauthorized parties (i.e., ISPs) inject their own advertising.

  6. According To The News by Greyfox · · Score: 4, Funny

    Statistically the man in the middle is most likely to be The Man. If you're talking to The Man, he doesn't even need to be in the middle, but he probably will be anyway. If you're a government employee using one of those, you'll be The Man, talking to The Man while being spied on by The Man! Delicious!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  7. Government CIO using GitHub? by Nkwe · · Score: 3, Interesting

    Interestingly the "edit this page" link on the CIO page (linked in the article) takes you to GitHub. Is our government actually taking advantage of existing services instead of wasting all kinds of money developing their own content management system? Maybe there is hope.

  8. Re:Only on some... by TechyImmigrant · · Score: 3, Informative

    Second, what's your requirement for not having the security benefit? Given that certs are about $10 a year and require negligible resources, what is your compelling reason for not having encryption by default?

    Don't the government have their own CA? The cost to cut a cert should be less than $0.04. I know this because I've set up a real CA and $0.04 per cert included the costs of the operations along with the profit. The actual computing cost is negligible. The costs are the premises and pay for employees, spread out across all the certs they cut.

     

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  9. Re:Only on some... by i.r.id10t · · Score: 3, Insightful

    Heck the govn't has its own TLD and doesn't even use it for all of their hostnames...

    Quick - where is the "official" place to get your free annual credit report? Is it freeannualreport.com or freeannualcreditreport.com or what? Wouldn't it be nice if it were creditreport.ftc.gov ? I (and most other slashdot users who get a little paranoid about this type of thing) simply go to the FTC site and follow the link from there, but having it on a .gov domain would let me know for sure some squatter didn't get ahold of it...

    --
    Don't blame me, I voted for Kodos
  10. They will all use SSL3 with RC4 by schwit1 · · Score: 3, Funny

    And the websites will require internet explorer.