Memorandum Requires Secure Connections across Federal Websites

Memorandum Requires Secure Connections across Federal Websites

Memorandum Requires Secure Connections across Federal Websites and Web Services.

Signed June 8th 2015 The Executive Office Of The President has enacted memorandum M-15-13. Also known as The HTTPS-Only Standard that requires that all public accessible Federal websites and web services only provide service through a secure connection.

Executive Office SealThis is very important as unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services. Any data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information.

“All browsing activity should be considered private and sensitive.”

Many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of Federal websites and services deserve the same protection, and the Federal Government needs to set a presidence that in this day-and-age Web Security is as important as the air we breathe.

Although the challenges are few there are some considerations and implementations of HTTPS that may have effect on these Federal Government Services.

Challenges and Considerations:

Site Performance: While encryption adds some computational overhead, modern software and hardware can handle this overhead without substantial deleterious impact on server performance or latency.

Server Name Indication: The Server Name Indication (SNI) extension to SSL/TLS allows for more efficient use of iP addresses when serving multiple domains. However, these technologies are not supported by some legacy clients. An example of SNI also known as Fully Qualified Domain Name (FQDN) would be www.energy.gov.

Mixed Content: Websites served over HTTPS need to ensure that all external resources (images, scripts, fonts, iframes, etc.) are also loaded over a secure connection. Modern browsers will refuse to load many insecure resources referenced from within a secure website. When migrating existing websites, this can involve a combination of automated and manual effort to update, replace, or remove references to insecure resources. For some websites, this can be the most time consuming aspect of the migration process.

APis and Services: Web services that serve primarily non-browser clients, such as web APis, may require a more gradual and hands-on migration strategy, as not all clients can be expected to be configured for HTTPS connections or to successfully follow redirects.

Planning for Change: Protocols and web standards improve regularly, and security vulnerabilities can emerge that require prompt attention. With that said Admin may have to be upgrade their system typologies in order to meet this standard. Federal websites and services should also deploy HTTPS in a manner that allows for rapid updates to certificates, proper cipher choices.

One standard that has effected legacy systems that will need to be taken into account is the SHA2 standard due to the SHA1 vulnerability that has taken effect in the commercial browser industry. For Example, old Microsoft IIS6 (Server 2003) systems lack the ability to understand the SHA2 algorithm due to its 12 year outdated software. Federal web service admins should evaluate the feasibility of using technology to improve performance efficiency and may have to upgrade their infrastructure as soon as possible.ssl/tls certificate

In order to secure and implement HTTPS a Digital Server Certificate will have to be issued to the SNI/FQDN for that implemented HTTPS Web Service. Issued by a Trusted Authority.

The Office of Management and Budget (OMB) affirms that tangible benefits to the American public outweigh the cost to the taxpayer. Implementation of Server Certificates with HTTPS will help fight unofficial or malicious websites claiming to be Federal services, and block hacker eavesdropping on communications with official U.S. government sites.

Acmetek Global Solutions, Inc. is very familiar with the standards of the industry and have the Managed PKI solutions & recommendations needed to assist Federal/State government agencies on matters of Web Network Security.

About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.