The CIO of the United States has floated a plan to make HTTPS the standard for all .gov websites.
“The majority of Federal websites use HTTP as the primary protocol to communicate over the public internet,” says the plan, which also states that HTTP “create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services.”
“All browsing activity should be considered private and sensitive,” the proposal continues (cough – NSA – cough) before suggesting “An HTTPS-Only standard will eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide.”
The proposal acknowledges that “The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time” and notes that HTTPS can slow servers and sometimes complicate the browsing experience.
But the plan also concludes that “The tangible benefits to the American public outweigh the cost to the taxpayer” because ““Even a small number of unofficial or malicious websites claiming to be Federal services, or a small amount of eavesdropping on communication with official US government sites could result in substantial losses to citizens.”
No timeframe is advanced for the move to HTTPS, but feedback has been sought on the idea. ®