Dec. 31, 2016, was the deadline for all existing federal government websites to start using HTTPS — that is, encrypted domains — under a June 2015 memo from U.S. Chief Information Officer Tony Scott. From 2015 to the end of 2016, the number of secure domains grew from a handful to nearly 800.
But as of the end of the year, pulse.cio.gov, the website the CIO’s office uses to track compliance with the memorandum, showed that some 345 federal government websites were still unencrypted. They include some high-profile websites, such as those of the National Oceanic and Atmospheric Administration, the Department of Veterans Affairs, the Census Bureau, and the Food and Drug Administration. Together, the sites pull in tens of millions of visitors each month, according to the Web traffic site SimilarWeb.
That could put users of those websites at risk.
“Every unencrypted HTTP request reveals information about a user’s behavior, and the interception and tracking of unencrypted browsing has become commonplace,” part of the U.S. CIO’s website reads. “Today, there is no such thing as non-sensitive Web traffic, and public services should not depend on the benevolence of network operators.”
The use of HTTPS has been rare until very recently, but the increasing use of the Internet to conduct business, communicate and deliver government services has made the sensitivity of online data much more important, the World Wide Web Consortium wrote in a document on the subject in 2015. Unencrypted domains offer a way for hackers and bad actors to manipulate or steal that data.
“Networks can (and some do) insert advertisements into unencrypted Web pages; by nature, this conveys the ability to track users,” the document reads. “Even more hostile attacks include inserting persistent code into the browser that is run on subsequent visits ("cache poisoning"), or changing content (such as editing a company's website to affect its stock price). An attacker can also access information that might have been stored by a site in previous visits. If this includes a persistent grant of access to privileged APIs, such as geolocation or media capture, then the attacker can access those resources using any prior authorization.”
The U.S. CIO’s office maintains a website offering best practices for setting up secure domains and APIs.
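The two things a tracker like pulse.cio.gov looks for under the 2015 memo are that a plain http:// request is redirected to https://, and that the https:// response carries an HSTS (Strict-Transport-Security) header with a long enough max-age so browsers keep using encryption on later visits. The following is an added example, not code from the article or from the CIO's office; it evaluates captured response headers offline against those two criteria. The sample responses, the one-year max-age threshold and the function names are constructed for illustration.

```python
# Added example (not the article's or the U.S. CIO's code): an offline check of
# whether a site's responses satisfy the HTTPS-only policy described above.
# Inputs are captured response status codes and headers; nothing is fetched.
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS lifetime for this check


@dataclass
class Response:
    status: int
    headers: Dict[str, str]


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive, so compare them lowercased."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into lowercased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_site(http_resp: Response, https_resp: Response,
               min_max_age: int = ONE_YEAR) -> Dict[str, bool]:
    """Evaluate the plain-HTTP and HTTPS responses of one host."""
    findings = {}

    # 1. A request over plain HTTP must be redirected to an https:// URL.
    location = get_header(http_resp.headers, "Location") or ""
    findings["redirects_to_https"] = (
        http_resp.status in (301, 302, 307, 308)
        and urlparse(location).scheme == "https"
    )

    # 2. The HTTPS response must send HSTS with an adequate max-age.
    #    (Browsers ignore HSTS sent over plain HTTP, so only the HTTPS
    #    response is examined here.)
    hsts = get_header(https_resp.headers, "Strict-Transport-Security")
    if hsts is None:
        findings["hsts_present"] = False
        findings["hsts_max_age_ok"] = False
        findings["hsts_include_subdomains"] = False
    else:
        directives = parse_hsts(hsts)
        findings["hsts_present"] = True
        try:
            max_age = int(directives.get("max-age", "0"))
        except ValueError:
            max_age = 0
        findings["hsts_max_age_ok"] = max_age >= min_max_age
        findings["hsts_include_subdomains"] = "includesubdomains" in directives

    findings["compliant"] = (
        findings["redirects_to_https"]
        and findings["hsts_present"]
        and findings["hsts_max_age_ok"]
    )
    return findings


# Constructed sample responses (not real agency data).
GOOD_HTTP = Response(301, {"Location": "https://www.example.gov/"})
GOOD_HTTPS = Response(200, {"Strict-Transport-Security":
                            "max-age=31536000; includeSubDomains; preload"})
PLAIN_HTTP = Response(200, {"Content-Type": "text/html"})   # served in the clear
PLAIN_HTTPS = Response(200, {"Content-Type": "text/html"})  # no HSTS at all
SHORT_HTTPS = Response(200, {"strict-transport-security": "max-age=300"})

if __name__ == "__main__":
    for label, pair in [("compliant", (GOOD_HTTP, GOOD_HTTPS)),
                        ("unencrypted", (PLAIN_HTTP, PLAIN_HTTPS)),
                        ("short HSTS", (GOOD_HTTP, SHORT_HTTPS))]:
        print(label, check_site(*pair))
```

The third sample shows the case that a redirect-only check would miss: the site does move visitors to HTTPS, but a five-minute HSTS lifetime means a browser forgets the policy almost immediately and the next visit starts over plain HTTP, where the injection and tracking the W3C document describes are possible again.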