"While we have long provided secure transport for FTC domains that handle sensitive consumer data, such as complaint data and email subscriptions, consumers will now browse our entire site more privately, and their browsers will automatically verify the identity of the website to which they're connecting – an important step to mitigate attempts to impersonate the FTC," wrote Ashkan Soltani, the FTC's chief technologist (and, full disclosure, a person I shared some bylines with during The Washington Post's reporting on Edward Snowden).
FTC.gov's implementation of HTTPS is currently rated as an "A-" by Qualys SSL Labs, which notes that there are some other steps that could be taken to improve security, such as using a stronger encryption certificate.
"There's more work to do," Soltani told The Post in an interview. "We're going to continue to implement even stronger enhancements."
Default HTTPS use is becoming more common among federal government domains, but it's still not the standard. There are some government-wide frameworks for privacy and security, but each agency manages its own IT structure and ultimately makes decisions about its own best practices.
A handful of FTC-run sites, including donotcall.gov and ftccomplaintassistant.gov, went even further than HTTPS earlier this year; they were submitted to a list of sites that some browsers won't allow visitors to connect to insecurely.
Eric Mill, who worked on that move at digital services agency 18F, is enthusiastic about the FTC's new feature. "It seems like a great move for the FTC in particular, because they are a privacy enforcer," he said.
Mill has been working with agencies to expand their use of HTTPS and provided some support to the FTC on its implementation, although the agency itself did the actual work. "Ashkan, of all people, certainly knows what he's doing when it comes to this stuff," Mill said.
Often, Mill said, HTTPS is viewed strictly from a cybersecurity standpoint -- something to be deployed only for sensitive parts of sites. But the FTC's decision to secure its whole main Web site with the feature could help convince other agencies to do the same, he said.
"It's a new baseline for the Web," Mill explained. "I think it's really helpful in demonstrating to the rest of the government that it's something everyone can and should do."