Enhancing the Security of Government Websites
Sites to Implement HTTP Strict Transport Security Protocol
Federal agencies will add a layer of security to their websites that use the top-level domain .gov, the General Services Administration says.
All federal websites eventually will use the HTTP Strict Transport Security, or HSTS, protocol, which ensures that a user's connection to a website is encrypted and can protect against man-in-the-middle attacks and cookie hijacking, the GSA says.
The GSA, which oversees all the top-level domains for the U.S. federal government, acknowledges that it will take a "few years" for all government websites to adhere to this standard. By Sept. 1, however, the agency wants all new federal websites to use the protocol, while older sites will be retrofitted over a longer period of time.
If a domain is preloaded with the HTTP Strict Transport Security protocol, web browsers will always use the more secure HTTPS to connect with those websites, instead of HTTP, according to the GSA, which runs the DotGov Program that makes the .gov top-level domain available to federal, state and local agencies.
"We believe the security benefits that come from preloading are meaningful and necessary to continue meeting the public's expectation of safety on .gov services," according to a GSA blog post published Sunday.
The GAO is working with the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency to ensure that all existing domains are capable of being preloaded with HSTS over the next few years.
Securing Government Sites
HTTP Strict Transport Security is the standard that enforces a safe HTTPS connection and eliminates the ability to click through a certificate error, according to the alert. The browser, however, must be able to see the HSTS header on a site at least once.
"This means that users are not protected until after their first successful secure connection to a given domain, which may not occur in certain cases," according to the GSA.
To ensure that users are safe even on their first visit to a site, domains can be registered on an HSTS preload list, which additionally protects the domain's entire namespace, including all current and potential subdomains, according to the GSA.
"Governments should be easy to identify on the internet, and users should be secure on .gov websites," according to the GSA. To ensure this layer of security, all new .gov domains for the federal executive branch have been automatically preloaded since May 2017, and newly registered .gov domains have the option to opt into preloading, the agency notes.
The alert adds that preloading existing top-level domains is challenging because it requires that HTTPS be supported everywhere the domain is used for web services.
The GSA is collaborating with government-affiliated civic organizations to spread awareness about the shift to preloading.
In 2019, DHS warned of attackers targeting federal agencies by manipulating domain name system records. In response, the GSA started an email-based auto notification system to alert officials overseeing government websites when changes are made to the domain name server host names, name server IP addresses or key data associated with DNS (see: Recent DNS Hijacking Campaigns Trigger Government Action).