Without HTTPS, anyone who has access to traffic between a user and the Web site they are visiting can potentially collect data on the user's online activities, or even change the data that either the visitor or Web site receives without their knowledge.
"HTTP is like an open postcard you send through the mail," explained Eric Mill, who works at 18F -- an organization under the umbrella of the General Services Administration that focuses on improving the digital delivery of government services. Using HTTPS, he told The Washington Post, is like sending "a locked briefcase through the mail that only you and a recipient can unlock."
The U.S. government, too, is working on rolling out HTTPS to more of its .gov domains. "Every .gov website, no matter how small, should give its visitors a secure, private connection," Mill wrote in a blog post Monday. And some .gov sites are taking things even further.
With the help of 18F, 19 .gov domains were recently submitted to be built into popular browsers -- essentially adding them to a known list of sites guaranteed to have HTTPS properly set up. Once added, that means that when users of Chrome, Safari and Firefox visit the Web sites it will force them to automatically connect using HTTPS.
Even if sites have HTTPS enabled now, a user could accidentally visit the HTTP version of the site by clicking on an old link or typing the Web address into their browser without specifying they want the secure site. That initial HTTP visit should redirect users to the secure version of the site, but that redirect itself is insecure -- opening up an opportunity for an attacker to collect information about the visitor or redirect them to a malicious site. Having domains hard-coded into browsers as HTTPS eliminates that risk.
Among the domains being submitted for the hard coding are USPSOIG.gov, the site for the inspector general for the U.S. Postal Service, which includes sensitive complaint forms, and AIDS.gov, a site with information and resources about HIV and AIDS. The changes should take affect throughout this year, according to the blog post.
AIDS.gov drew attention to the risks of not using encryption last year when it was revealed that a feature for finding nearby facilities that offer HIV testing and other services, including substance abuse and mental health counseling, was leaking data because it was not using HTTPS by default. While the site itself didn't track visitors, the way it handled information could have enabled monitoring by those with access to data flowing between an individual's device and the Internet -- like an employer, or even a hacker nearby if the person was using a public WiFi network.
Hard coding isn't necessarily a perfect system, Mill admits -- it wouldn't make sense, for example, to hard code every single domain online into one big list to be included in browsers. But it will provide visitors to some government Web sites an extra layer of security.
And Mill imagines a future when all U.S. government sites might be ready for submission. "Perhaps someday we'll be able to just delete every individual .gov domain from the list and replace them with one entry: .gov.," he wrote.