Why HTTPS for Everything?
HTTP has become central to today’s way of life. HTTP is currently the primary protocol for applications used on computers, tablets, smartphones, and many other devices.
As our dependency on the internet has grown, the risk to users' privacy and safety has grown along with it.
Every unencrypted HTTP request reveals information about a user’s behavior, and the interception and tracking of unencrypted browsing has become commonplace.
Today, there is no such thing as non-sensitive web traffic, and public services should not depend on the benevolence of network operators.
When properly configured, HTTPS can provide a fast, secure connection that offers the level of privacy and reliability that users should expect from government web services.
Privacy and integrity by default
Using private connections by default changes expectations in a way that makes everyone safer.
By always using HTTPS, web services don’t have to make a subjective judgment call about what’s “sensitive”. This leaves less room for error, and makes deployment simpler and more consistent.
Widespread use of HTTPS also means that clients can begin assuming HTTPS with more confidence. Attacks designed to track large quantities of unencrypted traffic become less attractive.
Web browsers can begin displaying HTTPS connections as normal, and HTTP connections as non-secure. Handling of HTTPS validation failures can become stricter, reducing the effectiveness of phishing and user error.
These changed expectations improve the security of HTTPS on every website. In other words, protecting less sensitive sites strengthens the protections of more sensitive sites.
HTTPS is the internet’s next phase
The internet’s standards bodies, web browsers, major tech companies, and the internet community of practice have all come to understand that HTTPS should be the baseline for all web traffic.
- The W3C’s Technical Architecture Group has found that the web should actively prefer secure connections and transition entirely to HTTPS.
- The IETF has said that pervasive monitoring is an attack, and the Internet Architecture Board (the IETF’s parent organization) recommends that new protocols use encryption by default.
- The Chrome and Firefox security teams are working on gradually marking plain HTTP as non-secure.
Ultimately, the goal of the internet community is to establish encryption as the norm, and to phase out unencrypted connections.
Investing in HTTPS makes it faster, cheaper, and easier for everyone. Many of the advancements of the last several years have come from major institutions and technology companies committing to migrate websites and services, improving the status quo, and contributing their improvements back to the public.
The more US government websites and services join the transition to an encrypted internet, the smoother and faster that transition will be.