New US Executive Branch websites to force HTTPS

Illustration file picture (REUTERS/Kacper Pempel/Files).

The government missed the Obama administration's Dec. 31 deadline to enable HTTPS encryption on all federal websites using the .gov domain. But all new websites issued under the Trump administration will be served to Web browsers with HTTPS automatically enabled, the General Services Administration announced on Thursday.

It's a consolation prize that doesn't require any extra work: the GSA can flip the equivalent of a digital switch for all new websites, telling modern Web browsers like Google Chrome to load only the HTTPS version of a page. The underlying mechanism, HTTP Strict Transport Security (HSTS), is already widely used. You've probably seen it in action: type a URL like "http://www.newegg.com" and your browser automatically rewrites the request to https://www.newegg.com before it ever leaves your machine.

The GSA will enable HSTS by default only for new executive branch websites, starting this spring, although many existing websites in all three branches of the federal government already support it. For it to work, the site must ensure that all of its subdomains and associated Web services support HTTPS encryption, a task that's much easier for brand new sites than for those that are decades old.

"Once preloading is in effect, browsers will strictly enforce HTTPS for these domains and their subdomains," the GSA explained in a blog post. "Users will not be able to click through certificate warnings. Any Web services on these domains will need to be accessible over HTTPS in order to be used by modern Web browsers."
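To make the quoted requirements concrete, here is an added example (not GSA code) that checks whether a site's Strict-Transport-Security header meets the conditions for preloading and then mimics the browser-side upgrade the GSA describes: once a domain is preloaded, any http:// URL for it or its subdomains is rewritten to https:// before a request is sent. The minimum max-age of one year, the includeSubDomains and preload directives are taken from the public hstspreload.org submission rules, not from this article, and example.gov is a constructed sample domain.

```python
"""HSTS preload eligibility check and browser-style URL upgrade (added example)."""
import re
from urllib.parse import urlsplit, urlunsplit

# Minimum max-age the public preload list asks for (one year); assumption, not from the article.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header):
    """Parse a Strict-Transport-Security header into a dict of lower-cased directives.

    max-age carries an integer value; includeSubDomains and preload are flags.
    Returns None when max-age is missing or malformed, since the header is then invalid.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def preload_problems(header):
    """Return the reasons a header would be rejected for preloading (empty list = eligible)."""
    d = parse_hsts(header)
    if d is None:
        return ["missing or malformed max-age"]
    problems = []
    if d["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below %d seconds" % PRELOAD_MIN_MAX_AGE)
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def upgrade_url(url, preloaded):
    """Rewrite http:// to https:// when the host is a preloaded domain or one of its subdomains.

    This is the client-side step a browser performs before any network traffic:
    port 80 (explicit or implicit) becomes the implicit 443, other ports are kept.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "http" and any(host == d or host.endswith("." + d) for d in preloaded):
        netloc = host if parts.port in (None, 80) else "%s:%d" % (host, parts.port)
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url
```

A header such as `max-age=300` fails all three checks, which is the situation a legacy site with an HTTP-only subdomain ends up in if it is preloaded prematurely: the browser will refuse the plain-HTTP service outright.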

The Obama administration announced in June 2015 that all federal websites must enforce HTTPS connections by Dec. 31, 2016. Out of approximately 1,000 .gov domains, only 61 percent enforced HTTPS by the deadline, TechCrunch reported.

Google last fall said it would display a conspicuous "not secure" label in its Chrome Web browser next to the URL of any website that doesn't support HTTPS. The label will roll out with Chrome 56, which is scheduled for release this month.

This article originally appeared on PCMag.com.