from Hacker News

Automatic HTTPS Enforcement for New Executive Branch .gov Domains

by konklone on 1/19/17, 5:36 PM with 78 comments

  • by Bartweiss on 1/19/17, 6:30 PM

    This is fantastic news.

    It wasn't that long ago that I tried to log into a government site via my SSN, and discovered that the page didn't even permit HTTPS. I was displeased, to say the least; logging in wasn't exactly optional, so it seemed much worse than a business offering poor security.

    Permitting HTTPS is obviously the first step, but security shouldn't be limited to people with the expertise to seek it out. I'm really glad to see that something as inescapable as the .gov domain will be pursuing security-by-default.

  • by konklone on 1/19/17, 6:19 PM

    Co-author of the post here, happy to answer questions. =)

    This is a GSA initiative, not an 18F initiative. But 18F has a recent post detailing executive branch progress on HTTPS that may also be relevant:

    https://18f.gsa.gov/2017/01/04/tracking-the-us-governments-p...

  • by 3pt14159 on 1/19/17, 8:06 PM

    If anyone works in the Canadian government and wants my input in getting the political support to make this happen in your department, I've been helping some departments understand the nature of the risks (some are even paying me as a consultant!) of MITM attacks. It's taking time, but I'm slowly seeing improvement. I can give you some tips as to how to properly communicate the importance of some of these and other measures (like getting monitors like Appcanary installed to watch for security vulnerabilities).

    My email is in my profile :)

  • by t0mas88 on 1/19/17, 6:19 PM

    As a practical question: what is the expected capacity of the preload stores of browsers? Hundreds of thousands, millions or much more domains? Because at some point it seems like everyone with moderately high security requirements may want to have their certificates pinned / preloaded.
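
Since HSTS preloading comes up in this thread, here is an added checker (my own example, not code from the post or from the GSA policy) that parses a Strict-Transport-Security header per RFC 6797 and reports why it would not qualify for the browser preload list; the eligibility rules assumed are max-age of at least one year, includeSubDomains and preload all present, and the sample headers are constructed.

```python
"""Check a Strict-Transport-Security header against assumed HSTS preload-list rules."""

# Assumed preload threshold (one year in seconds); not taken from the thread.
MIN_PRELOAD_MAX_AGE = 31536000


def parse_hsts(header: str) -> dict:
    """Parse an STS header value into a policy dict.

    RFC 6797: directives are ';'-separated, names are case-insensitive,
    values may be quoted, and a repeated directive makes the header invalid.
    (Simplification: a ';' inside a quoted value is not handled.)
    """
    policy = {"max_age": None, "include_subdomains": False,
              "preload": False, "errors": []}
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            policy["errors"].append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy["max_age"] = int(value)
            else:
                policy["errors"].append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # Unknown directives are ignored, as the RFC requires.
    return policy


def preload_problems(header: str) -> list:
    """Return reasons the header fails the assumed preload rules ([] = passes)."""
    p = parse_hsts(header)
    problems = list(p["errors"])
    if p["max_age"] is None:
        problems.append("missing max-age")
    elif p["max_age"] < MIN_PRELOAD_MAX_AGE:
        problems.append(f"max-age {p['max_age']} below {MIN_PRELOAD_MAX_AGE}")
    if not p["include_subdomains"]:
        problems.append("missing includeSubDomains")
    if not p["preload"]:
        problems.append("missing preload")
    return problems


# Constructed sample headers, not observed on any real .gov site.
SAMPLES = {
    "good": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=86400; includeSubDomains; preload",
    "no_sub": "max-age=63072000; preload",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(label, preload_problems(hdr) or "OK for preload")
```
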

  • by Godel_unicode on 1/19/17, 8:50 PM

    I said something similar in a reply below, but I find it interesting that this amounts to a .Gov-wide decision that availability is always less important than confidentiality and integrity.

    While that's probably valid in the main, is that always true? FEMA/NOAA spring to mind. As does IRS guidance, especially since those documents should have digital signatures themselves for an additional layer of integrity.

    Was this idea part of the discussion?

  • by hannibalhorn on 1/19/17, 9:53 PM

    From what I gather, Let's Encrypt meets the guidelines to be considered acceptable, but is not really mentioned anywhere, neither in the linked page nor on https.cio.giv - is there any feeling one way or the other on the use of Let's Encrypt for .gov?

    Certainly one of the biggest headaches of the classic approach is forgetting to renew your certificate on time, a situation which Let's Encrypt effectively avoids.

  • by excalibur on 1/19/17, 7:58 PM

    Unable to click through certificate warnings = completely inaccessible when there is an issue with certificate validation. Look at the shiny new attack surface!

  • by cakeface on 1/19/17, 7:11 PM

    What are the odds that the private keys for all of the .gov domains are also sent to the NSA? I guess if you are worried about another nation spying on your traffic you would be fine. I would expect that all of this traffic is decryptable by NSA though.

  • by besselheim on 1/19/17, 11:35 PM

    It should really be .gov.us rather than a top level domain.

  • by prodtorok on 1/19/17, 8:22 PM

    How has this been enforced? And what about sub-domains?