In 2015, a White House Office of Management and Budget memorandum mandated that all Federal agency web sites migrate to the more secure HTTPS protocol by the end of 2016. The mandate also covers Federal agency API services. The measure was meant to ensure that US citizens could interact with official web sites in a secure manner. HTTPS adds encryption on top of HTTP, and prevents malicious third parties from intercepting or modifying the data.
According to a report in FCW, 3 in 10 agencies have missed the deadline for the transition. Analysis of web traffic shows that most of the web sites have migrated to the newer protocol. The US Postal Service is one of the biggest offenders: it still has 5 domains using the older protocol and has migrated only one. The Department of Veterans Affairs has moved just one of three domains. The US General Services Administration is helping the web sites migrate to the new protocol, but has not revealed information on the status of the migration. There are 1200 .gov domains, of which 31 percent have yet to migrate to the HTTPS protocol.
Ilia Kolochenko, CEO of High-Tech Bridge, a web security firm, commented on the news: “3 out of 10 agencies seems to be a sad, but predictable number, as especially in the government sector - changes require time to be accepted, approved and implemented. In the past, we could rely on the arguments of SSL incompatibility with older mobile devices and browsers to postpone HTTPS implementation. However, today almost every device supports modern encryption protocols and cipher suites. Encryption also used to be a resource-consuming process, but with modern hardware, this problem does not exist anymore either. I’d not call missing HTTPS negligence, but rather carelessness.”
The government web sites hold personal data of US citizens, including health records, tax records and driving licenses. With the proliferation of public Wi-Fi networks, an increasing amount of data passes through vulnerable public networks. Public Wi-Fi networks are attractive targets for hackers, who can intercept the data en route from the browser to the servers of the government web sites. The HTTPS protocol prevents public Wi-Fi networks from being de facto honeypots for hackers.
SSL encryption does not prevent every kind of attack; SQL injection, for example, is unaffected by it. However, the new protocol should reduce the number of man-in-the-middle (MITM) attacks. Kolochenko says it would be interesting to see if the government web sites can be sued for failing to migrate. Without the migration, citizens' data is exposed to more risk, which could potentially lead to data theft and financial damage to US citizens.
The failure of .gov web sites to migrate to the more secure protocol is particularly undesirable in light of a spate of attacks in the run-up to, and during the course of, the 2016 US presidential election. The US has released a 13-page document exploring the role of Russian hackers during the election, which included intrusions into the Democratic National Committee. Republican senator John McCain has said that such state-sponsored hacking has the potential to “destroy democracy”.