Ask Others In Government
The HTTPS-Help listserv is a support forum for anyone with a
.mil email address. Any questions, ideas, or general discussion about HTTPS is welcome. Join by sending a message to
firstname.lastname@example.org with no subject and a body of “subscribe https-help”.
The DigitalGov University has several presentations on HTTPS from the General Services Administration:
An Introduction to HTTPS for Beginners (June 2015), by Eric Mill and Gray Brooks. This introduction runs a little over an hour, and covers how HTTP and the web work, what HTTPS does to help, and why we should use it for everything.
Implementing HTTPS (July 2015), by Eric Mill and Gray Brooks. A more detailed explanation of how HTTPS works, how to migrate a website to HTTPS, the technical concepts you should be aware of when implementing HTTPS, and new and upcoming advances in HTTPS.
Migrating to HTTPS (July 2016), by Eric Mill and Timothy Badaczewski. This presentation covers common issues common to federal HTTPS migrations, including: HTTP Strict Transport Security (HSTS), getting certificates, mixed content, and search engine optimization (SEO).
crt.sh- An open source public viewer for Certificate Transparency logs. For example, you can view all publicly logged whitehouse.gov certificates.
certspotter- An open source tool for monitoring issuance of certificates that appear in Certificate Transparency logs.
certlint- An open source tool that reviews x.509 certificates for compliance with CA/Browser Forum requirements and various RFCs.
ssllabs-scan- Command line tool for the API for SSL Labs, a universally referenced HTTPS evaluation and grading tool for public-facing websites.
site-inspector- Scan a domain for various web/HTTP-related properties, including HTTPS support.
mixed-content-scan- Command line tool for walking over a website and scanning for the use of insecure resources.
HTTPS in .gov
- DigitalGov: Secure Central Hosting for the Digital Analytics Program
- FTC: FTC.gov is now HTTPS by default
- Privacy and Civil Liberties Oversight Board: PCLOB.gov is now HTTPS by default
- CIA: Statement on CIA Website Enhancement from 2006
- 18F: Why we use HTTPS for every .gov we make
- 18F: The first .gov domains hardcoded into your browser as all-HTTPS