An Introduction to HTTPS, by 18F and DigitalGov University

Jul 21, 2015

18F uses HTTPS for everything we make, and the U.S. government is in the process of transitioning to HTTPS everywhere. As part of this effort, we’ve recently partnered with DigitalGov University to produce a two-video series introducing the why’s and how’s of HTTPS.

  • In an Introduction to HTTPS for beginners, we cover what happens when you use the web, how HTTPS helps protect users, and why the web (including the U.S. government) is transitioning to use it for everything. No technical background required.
  • In Implementing HTTPS, we cover the mechanics of HTTPS, how to migrate a website or an API, some of the most important technical guidelines when setting up HTTPS, and some ongoing and future technical and political developments in the field. Some technical background is helpful, though not required.

Introduction to HTTPS for Beginners

This presentation explains how communication across the web works today and briefly dives into whitehouse.gov using an ordinary browser. It then shows how HTTPS protects users on the web, and walks through a number of reasons for the web and the government to use HTTPS everywhere.

There is no technical background required for this video—anyone who has used the web before should be able to understand the concepts discussed.

[youtube=http://www.youtube.com/watch?v=d2GmcPYWm5k&w=600]

Table of contents:

  • 0:00 – Introduction to the webinar
  • 2:34 – What happens when you use the web
  • 10:12 – Exploring whitehouse.gov via Chrome Developer Tools
  • 14:54 – How HTTPS helps
  • 24:50 – Why HTTPS for everything?
  • 32:37 – Why not HTTPS for everything?
  • 38:29 – Now we’re using it for everything
  • 41:25 – Q&A until the end

Implementing HTTPS

This presentation discusses how HTTPS works today and the technical details of migrating websites and APIs to HTTPS, and goes into the specifics of HTTP Strict Transport Security.

It then covers the most important technical guidelines that all websites (not just the government) should be aware of when setting up HTTPS, many of which are measured by the Pulse HTTPS dashboard.

Finally, the presentation looks ahead at some ongoing and future technical and political developments in the field of HTTPS and certificate authorities.

Some technical background in the web is helpful, but may not be required for much of the material.

[youtube=http://www.youtube.com/watch?v=rnM2qAfEG-M&w=600]

Table of contents:

  • 0:00 – Introduction to the presentation
  • 6:05 – Recap: Intro to HTTPS
  • 10:56 – How HTTPS works
  • 33:20 – Migrating to HTTPS
  • 41:02 – Strict Transport Security (HSTS)
  • 51:55 – Technical guidelines
  • 1:11:45 – The future
  • 1:29:29 – Q&A

We’ve also created an accompanying list of links used in the presentation.

As 18F, the U.S. Digital Service and other agencies develop these resources, we’ll continue to share them with other federal, state, and local agencies as well as the public, so that everyone can benefit from what we’ve learned. Big thank you to DigitalGov University for working with us to create these presentations!

This post was originally published on the 18F blog by Eric Mill and Gray Brooks, 18F team members.