Government websites to use HTTPS encryption from October
July 1, 2016
Shah Sheikh (1294 articles)

Government websites to use HTTPS encryption from October

GOVERNMENT DIGITAL SERVICES (GDS) websites will use HTTPS encryption from 1 October, according to new security guidelines. And about time too.

In addition, all services will have to publish a Domain-based Message Authentication, Reporting & Conformance (DMARC) policy applicable to their email systems.

“The standards require all government services to run on secure connections, known as ‘HTTPS’. This type of connection makes sure user data is encrypted and stays secure while users interact with your service,” explained Dafydd Vaughan, a technical architect at the GDS, in a blog post this week revealing the decision.

“As well as enforcing the use of HTTPS, we now mandate that the service uses HTTP Strict Transport Security [HSTS]. This setting tells modern browsers that your service will only use secure connections and information should be sent encrypted.

“In September, we plan to submit the domain to the browser manufacturers’ HSTS preload list. This means that all modern browsers will only ever connect to government services via HTTPS.

“If your service is only available over unsecured connections, it will stop working in modern browsers once this happens. This may also affect testing environments hosted on”

The GDS has also published guidance on how to implement secure email practices, including DMARC.

“As a temporary measure, if your team cannot set the DMARC policy to p=reject in this time period, you should publish a record using p=none to override the default policy,” advised Vaughan.

The move is part of global shift to HTTPS, kicked off after the Edward Snowden disclosures showed how security services were taking advantage of insecure connections to spy on people and organisations.

Yahoo was one of the first to respond by taking Yahoo Mail all HTTPS in October 2013.

Apple, meanwhile, will force developers to secure iOS apps with HTTPS from 2017, cracking the security whip on lackadaisical devs from 1 January next year.

Google has done its bit by promising in 2014 to rank websites secured with HTTPS more highly.

Source | TheInquirer