White House, Apple Advance HTTPSBut Experts Question Government's Security Priorities
Both the U.S. government as well as technology giant Apple this week announced new requirements that will advance the use of encrypted online browsing, by default.
By 2017, all federal websites must be "HTTPS only," the White House announced June 8. Also this week, Apple previewed its forthcoming iOS 9 mobile operating system - due out with a new crop of iPhones in September 2015 - and released new developer guidelines stating that all new apps should employ HTTPS "exclusively."
On the federal front, however, multiple security experts have suggested that the White House should be spending more time securing its systems, and less time worrying about HTTPS. "Government priorities are confused," write John Pescatore and Alan Paller, respectively the director and research director for the SANS Institute, in a recent SANS newsletter. "If they invest in this first, critical government agency security improvements, such as knowing what is on their network, patching, limiting privileges [and] making phishing harder ... will not get addressed first, and they should be first."
The Benefits of HTTPS
HTTPS - or Hyper Text Transfer Protocol Secure - is a protocol for secure communications based either on Secure Sockets Layer or Transport Layer Security. Using HTTPS prevents data from being transmitted in plaintext over the Internet, and if properly implemented, makes it more difficult for an attacker to intercept that data or alter it in transit.
Due to worries over the processing hit imposed by using HTTPS, historically speaking few sites made it the default option, sticking instead with HTTP. But Google began offering SSL as a webmail option in 2008, before making it the default setting in 2010. That was the same year that the dangers of using HTTP were highlighted by Eric Butler - who's now a software developer for Uber - when he released the controversial Firefox plug-in Firesheep, which enabled an attacker to intercept cookies for a number of HTTP-using websites for anyone who was logged onto the same WiFi hotspot. With the cookies in hand, an attacker could then impersonate their target and gain access to their online accounts.
In 2011, to promote more private communications, Google added SSL encryption for its signed-in search users. Since then, other major Internet players - including Facebook, Microsoft, Twitter and Yahoo - have largely followed suit, making HTTPS connections the default for the majority of their services.
Apple's Developer Moves
Now, as part of Apple's World Wide Developers Conference this week in San Francisco, the technology giant previewed iOS 9, and released new HTTPS requirements for developers. Apple's iOS 9 developer notes say: "If you're developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible."
Apple's moves will thus bring HTTPS to more iOS mobile apps. Security experts say that many mobile apps to date have failed to adopt HTTPS, thus putting user data at risk.
White House Requires HTTPS
The White House's HTTPS moves were outlined this week in a "policy to require secure connections across federal websites and Web services" memorandum issued by Federal CIO Tony Scott, who's part of the Office of Management and Budget.
The White House says that the majority of federal websites currently still use HTTP by default. "The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking and the modification of received data," Scott says in the memo. "To address these concerns, many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of federal websites and services deserve the same protection."
According to the new guidelines, "agencies must make all existing websites and services accessible through a secure connection15 - HTTPS-only, with HSTS - by December 31, 2016," he says. HTTP Strict Transport Security - HSTS - is designed to protect HTTPS websites against downgrade attacks and help guard against cookie hijacking.
But HTTPS can only do so much. "Moving to HTTPS for U.S. government sites will ensure that any citizens or others browsing those sites will have their interactions protected in a secure manner," says Brian Honan, who heads Dublin-based BH Consulting, and who's also a cybersecurity adviser to Europol. "However it does not mean the servers and other government systems will be any more secure, just simply that the traffic to and from those servers will be secure."
While Honan applauds the embrace of HTTPS by the White House, he too questions the U.S. government's information security priorities, especially in the wake of recent attacks (see OPM Breach: The Unanswered Questions). "It is welcome to see government agencies try to protect the privacy of those communicating with their websites," he says. "However, given recent high-profile breaches, government efforts may be better focused on securing the actual servers, and not just the traffic to and from them."