January 25, 2022

Privacy and Security: The First .Gov Domains Hardcoded Into Your Browser as All-HTTPS

Quick Comment from Gary Price, infoDOCKET Founder and Editor:

The post you’re about to read from the GSA Blog begins, “Every .gov website…” We believe that doing this is a must for all web sites.

That’s not going to be easy: the Internet is a big and dynamic universe.

However, making sure that every library web site, OPAC, and vendor supplied database uses https is something that can and should be done as soon as possible. It’s one of many steps that need to be taken by the library community regarding data and user privacy.

Now, to some U.S. Government web news.

Full Text Post From the General Services Administration Blog:

Every .gov website, no matter how small, should give its visitors a secure, private connection. Plain HTTP connections are neither secure nor private, and can be easily intercepted and impersonated. In today’s web browsers, the best and easiest way to fix that is to use HTTPS (https://). Now, a number of government websites have taken a step further and are becoming the first .gov domains hardcoded into major web browsers as HTTPS-only. This means that these .gov domains are taking the extra step of verifying that all their subdomains use HTTPS.

Recently, notalone.gov, a website launched by the White House Task Force to Protect Students from Sexual Assault, was hardcoded into major web browsers as HTTPS-only.

This means that when visitors type “notalone.gov” or click a link to http://notalone.gov, the browser will go directly to https://notalone.gov without ever attempting to connect over plain HTTP. This prevents anyone from getting a chance to intercept or maliciously redirect the connection, and avoids exposing URLs, metadata, and cookies that would otherwise have remained private.

18F [a GSA consulting group] worked with a number of government teams to help submit 19 .gov domains to be hardcoded as HTTPS-only. These .gov domains include:

  • The Federal Trade Commission prepared the Do Not Call Registry, as well as their consumer complaint system and a merger filing system, by submitting donotcall.gov, ftccomplaintassistant.gov, and hsr.gov.
  • The Inspector General for the U.S. Postal Service submitted uspsoig.gov (which includes various sensitive complaint forms) after moving entirely to HTTPS.
  • The AIDS.gov team submitted their domain after moving the main website and each subdomain over to HTTPS.
  • The Administrative Conference of the U.S. submitted acus.gov after moving to HTTPS while relaunching their website.
  • At the state level, the District of Columbia legislature submitted dccode.gov as part of its launch.
  • The Federal Register submitted federalregister.gov, a fully HTTPS-enabled website since 2011.
  • 18F chipped in and submitted notalone.gov, which used HTTPS from the start.
  • The OMB MAX team worked with the White House and the General Services Administration to prepare the website for the Federal CIO Council and a number of other websites and redirect domains: cio.gov, cao.gov, cfo.gov, max.gov, itdashboard.gov, paymentaccuracy.gov, earmarks.gov, bfelob.gov, save.gov, saveaward.gov.

To be clear: the above domains are not the only .gov domains that use HTTPS. Many others do. The above domains have taken the extra step of verifying that all their subdomains use HTTPS, and are comfortable telling browsers to just assume this going forward. This will take effect in Chrome, Firefox, and Safari over the course of 2015.
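The mechanism behind “hardcoded into major web browsers as HTTPS-only” is HSTS preloading: a site serves a `Strict-Transport-Security` header that covers all subdomains and opts in to the browsers’ built-in list, and once the domain is on that list the browser rewrites every `http://` request for it (and its subdomains) to `https://` before any plain-HTTP connection is attempted. The following Python is an added example written for this post, not GSA or 18F code. It assumes the submission criteria published at hstspreload.org (a `max-age` of at least one year, `includeSubDomains`, and the `preload` token) and uses a small constructed stand-in for the browser’s preload list, so it runs offline.

```python
"""HSTS preload eligibility check plus the browser-side upgrade it triggers.

Added example for this post (not GSA/18F code). Assumes the hstspreload.org
submission criteria: max-age >= 31536000 seconds (one year), includeSubDomains,
and the preload token, all sent over HTTPS on the bare domain.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31_536_000  # minimum max-age accepted by the preload list, in seconds


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value per RFC 6797.

    Directives are ';'-separated, names are case-insensitive, and the
    max-age value may be quoted. Unknown directives are ignored, as browsers do.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"bad max-age: {raw.strip()!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(header: str) -> List[str]:
    """Return the reasons a header would fail preload submission (empty list = eligible)."""
    try:
        pol = parse_hsts(header)
    except ValueError as e:
        return [str(e)]
    problems = []
    if pol.max_age is None:
        problems.append("max-age directive missing")
    elif pol.max_age < ONE_YEAR:
        problems.append(f"max-age {pol.max_age} is below {ONE_YEAR}")
    if not pol.include_subdomains:
        problems.append("includeSubDomains missing")
    if not pol.preload:
        problems.append("preload token missing")
    return problems


# Constructed stand-in for the browser's built-in preload list:
# host -> whether the entry also covers all subdomains.
PRELOADED = {"notalone.gov": True, "dccode.gov": True}


def is_preloaded(host: str) -> bool:
    """True if host, or a parent domain whose entry has includeSubDomains, is on the list."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = PRELOADED.get(".".join(labels[i:]))
        if entry is not None:
            return i == 0 or entry  # exact match, or a parent that covers subdomains
    return False


def upgrade(url: str) -> str:
    """Rewrite an http:// URL to https:// if its host is preloaded; otherwise return it unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not is_preloaded(parts.hostname or ""):
        return url
    netloc = parts.netloc
    if netloc.endswith(":80"):  # drop the default HTTP port so HTTPS uses 443
        netloc = netloc[:-3]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for hdr in ("max-age=31536000; includeSubDomains; preload",
                "max-age=10886400; includeSubDomains"):
        print(hdr, "->", preload_problems(hdr) or "eligible")
    for u in ("http://notalone.gov/", "http://forms.dccode.gov/x?y=1", "http://example.gov/"):
        print(u, "->", upgrade(u))
```

`preload_problems` is the check a site owner runs before submitting a domain; `upgrade` shows why the post says the browser “will go directly to https://notalone.gov without ever attempting to connect over plain HTTP”: the rewrite happens from the built-in list, so no HTTP request is ever sent that could be intercepted or redirected, and the `includeSubDomains` entry is what extends that guarantee to every subdomain.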

About Gary Price

Gary Price (gprice@mediasourceinc.com) is a librarian, writer, consultant, and frequent conference speaker based in the Washington D.C. metro area. Before launching INFOdocket, Price and Shirl Kennedy were the founders and senior editors at ResourceShelf and DocuTicker for 10 years. From 2006-2009 he was Director of Online Information Services at Ask.com, and is currently a contributing editor at Search Engine Land.