{
    "version" : "https://jsonfeed.org/version/1",
    "content" : "news",
    "type" : "single",
    "title" : "Automatic HTTPS Enforcement for New Executive Branch .gov Domains |Digital.gov",
    "description": "Automatic HTTPS Enforcement for New Executive Branch .gov Domains",
    "home_page_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/",
    "feed_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2017/01/19/automatic-https-enforcement-for-new-executive-branch-gov-domains/index.json",
    "item" : [
    {
        "title" : "Automatic HTTPS Enforcement for New Executive Branch .gov Domains",
        "summary" : "HTTPS is a necessary baseline for security on the modern web. Non-secure HTTP connections lack integrity protection, and can be used to attack citizens, foreign nationals, and government staff. HTTPS provides increased confidentiality, authenticity, and integrity that mitigate these attacks.",
        "date" : "2017-01-19T12:00:30-04:00",
        "date_modified" : "2025-01-27T19:42:55-05:00",
        "authors" : { "eric-mill" : "Eric Mill", "marina-fox" : "Marina Fox" },
        "topics" : {
            "analytics" : "Analytics",
            "content-strategy" : "Content strategy",
            "domain-management" : "Domain management",
            "governance" : "Governance",
            "product-and-project-management" : "Product and project management",
            "search-engine-optimization" : "Search engine optimization",
            "security" : "Security"
            },
        "primary_image" : {
            "uid" : "dot-gov-tld-wood-block-marekuliasz-istock-gettyimages-476434043-1-comp",
            "alt" : "The dot gov internet domain, network address for government, in vintage letterpress wood type on light-colored ceramic tile background.",
            "width" : "1200",
            "height" : "630",
            "credit" : "",
            "caption" : "marekuliasz/iStock via Getty Images",
            "format" : "png"
        },
        "branch" : "bc-archive-content-3",
      "filename" :"2017-01-19-automatic-https-enforcement-for-new-executive-branch-gov-domains.md",
      "filepath" :"news/2017/01/2017-01-19-automatic-https-enforcement-for-new-executive-branch-gov-domains.md",
      "filepathURL" :"https://github.com/GSA/digitalgov.gov/blob/bc-archive-content-3/content/news/2017/01/2017-01-19-automatic-https-enforcement-for-new-executive-branch-gov-domains.md",
      "editpathURL" :"https://github.com/GSA/digitalgov.gov/edit/bc-archive-content-3/content/news/2017/01/2017-01-19-automatic-https-enforcement-for-new-executive-branch-gov-domains.md",
      "slug" : "automatic-https-enforcement-for-new-executive-branch-gov-domains",
      "url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2017/01/19/automatic-https-enforcement-for-new-executive-branch-gov-domains/",
      "content" : "\u003cp\u003eHTTPS is a necessary baseline for security on the modern web. Non-secure HTTP connections lack integrity protection, and can be used to attack citizens, foreign nationals, and government staff. HTTPS provides increased confidentiality, authenticity, and integrity that mitigate these attacks.\u003c/p\u003e\n\u003cp\u003eIn June 2015, the White House required all new federal web services to \u003ca href=\"https://https.cio.gov/#guidelines\"\u003esupport and enforce HTTPS connections over the public internet\u003c/a\u003e, and for agencies to migrate existing web services to HTTPS by the end of calendar year 2016. GSA’s Office of Government-wide Policy has supported the growth of HTTPS in the federal government by providing a \u003ca href=\"https://pulse.cio.gov/\"\u003epublic HTTPS monitoring dashboard\u003c/a\u003e and \u003ca href=\"https://https.cio.gov/\"\u003ethorough policy guidance and technical assistance\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eFederal agencies have made very significant progress towards that goal, to the point that \u003ca href=\"https://18f.gsa.gov/2017/01/04/tracking-the-us-governments-progress-on-moving-https/\"\u003efederal use of HTTPS now outpaces the private sector\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eThis year, GSA will be taking another significant step forward in making secure communication the default for federal web services by automatically enforcing HTTPS in modern web browsers for newly issued executive branch .gov domains and their subdomains.\u003c/p\u003e\n\u003cdiv class=\"image\"\u003e\n  \u003cimg\n    src=\"https://s3.amazonaws.com/digitalgov/_legacy-img/2017/01/600-x-400-Dot-gov-internet-domain-marekuliasz-iStock-Thinkstock-476434043.jpg\"\n    alt=\"marekuliasz/iStock/Thinkstock\"/\u003e\u003cp\u003emarekuliasz/iStock/Thinkstock\u003c/p\u003e\u003c/div\u003e\n\n\n\u003cp\u003eAs new executive branch domains are registered, the \u003ca href=\"https://www.dotgov.gov/\"\u003eDotGov\u003c/a\u003e program will submit them to web browsers for “\u003ca href=\"https://https.cio.gov/hsts/#hsts-preloading\"\u003epreloading\u003c/a\u003e.” After submission, it can take up to three months before preloading takes effect in modern web browsers. The change will be introduced to DotGov customers when they register a new domain under the Executive Branch, and will not affect existing or renewed domains.\u003c/p\u003e\n\u003cp\u003eOnce preloading is in effect, browsers will strictly enforce HTTPS for these domains and their subdomains. Users will not be able to click through certificate warnings. Any web services on these domains will need to be accessible over HTTPS in order to be used by modern web browsers.\u003c/p\u003e\n\u003cp\u003eGSA provides \u003ca href=\"https://https.cio.gov/\"\u003eextensive guidance on HTTPS deployment\u003c/a\u003e to agencies, and encourages .gov domain owners to obtain \u003ca href=\"https://https.cio.gov/certificates/#what-kind-of-certificate-should-i-get-for-my-domain%3f\"\u003elow cost or free certificates\u003c/a\u003e trusted by the general public. In our experience, more expensive certificates do not offer more security value to service owners, and automatic deployment of free certificates can significantly improve service owners’ security posture.\u003c/p\u003e\n\u003cp\u003eGSA plans to introduce this HTTPS preloading change in the spring of 2017. DotGov domain customers will be notified by the Gov Domain Registrar via email 30 days before the change goes into effect.\u003c/p\u003e\n\u003cp\u003eFor questions about this new GSA policy, agencies can \u003ca href=\"mailto:https@cio.gov\"\u003eemail the team at CIO.gov\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eFor more information on preloading, please read \u003ca href=\"https://18f.gsa.gov/2015/02/09/the-first-gov-domains-hardcoded-into-your-browser-as-all-https/\"\u003e18F’s blog post on the first preloaded .gov domains\u003c/a\u003e, and \u003ca href=\"https://https.cio.gov/hsts/#hsts-preloading\"\u003eGSA’s HTTPS policy support article\u003c/a\u003e on the topic.\u003c/p\u003e\n\u003cp\u003eSome important notes:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eExecutive agencies do not have to do any work to be in compliance, other than ensuring that HTTPS is supported on their web services deployed to any newly issued .gov domains.\u003c/li\u003e\n\u003cli\u003eThis change only affects clients that support \u003ca href=\"https://https.cio.gov/hsts/\"\u003eHTTP Strict Transport Security\u003c/a\u003e (HSTS), which is generally limited to modern web browsers. Specialized HTTP clients (such as cURL or HTTP standard libraries) should generally not be affected by default.\u003c/li\u003e\n\u003cli\u003eThis change will affect all subdomains of newly registered executive .gov domains. This includes intranet websites, if they are deployed to subdomains of publicly registered .gov domains. Using plain HTTP for intranet websites is not secure and is discouraged, but can still be achieved by using private domain names that only resolve inside the intranet.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eFor more information and technical guidance on HTTPS and HSTS, GSA has provided \u003ca href=\"https://https.cio.gov/\"\u003edetailed guidance\u003c/a\u003e:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://https.cio.gov/faq/\"\u003eGeneral FAQ on HTTPS\u003c/a\u003e: What HTTPS does and doesn’t do, and how it relates to DNSSEC.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://https.cio.gov/hsts/\"\u003eHTTP Strict Transport Security\u003c/a\u003e: What HSTS does, and how to use it.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://https.cio.gov/certificates/\"\u003eCertificates\u003c/a\u003e: Best practices and recommendations around the use of inexpensive or free certificates.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAdditionally, GSA’s DigitalGov University and 18F teams have partnered to produce three detailed video presentations on HTTPS:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://www.youtube.com/watch?v=d2GmcPYWm5k\"\u003eAn Introduction to HTTPS\u003c/a\u003e (basic, a general introduction for anyone)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://www.youtube.com/watch?v=rnM2qAfEG-M\"\u003eImplementing HTTPS\u003c/a\u003e (advanced, more technical detail)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://www.youtube.com/watch?v=X5H8JRULDOo\"\u003eMigrating to HTTPS\u003c/a\u003e (advanced, focused on HSTS, certificates, and mixed content)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cem\u003eLearn more about \u003ca href=\"/preview/gsa/digitalgov.gov/bc-archive-content-3/topics/security/\"\u003esecurity\u003c/a\u003e and \u003ca href=\"/preview/gsa/digitalgov.gov/bc-archive-content-3/topics/security/\"\u003eHTTPS\u003c/a\u003e — including why \u003ca href=\"/preview/gsa/digitalgov.gov/bc-archive-content-3/2016/06/06/why-switching-to-https-will-make-your-analytics-better/\"\u003eswitching to HTTPS will make your analytics better\u003c/a\u003e and how \u003ca href=\"/preview/gsa/digitalgov.gov/bc-archive-content-3/2015/09/02/https-and-other-ranking-factors-what-impacts-the-seo-of-government-websites/\"\u003eHTTPS can impact the SEO of government websites\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eIf you have a .gov or .mil email address, consider joining our \u003ca href=\"https://digital.gov/communities/\"\u003ecommunities\u003c/a\u003e to connect with other U.S. government employees and contractors working on web and digital projects.\u003c/em\u003e\u003c/p\u003e\n"}
  ]
}
