Get the lowest-cost and the best server colocation service in the business. Learn more.
Information Technology News.

The ACLU isn't too warm to the proposed HTTPS-only internet standard

Share on Twitter.

Get the most reliable SMTP service for your business. You wished you got it sooner!

Click here to order the best deal on a HP enterprise dedicated server and at a great price.

April 17, 2015

In a direct response to the recent proposal for a HTTPS-Only Internet Standard, the American Civil Liberties Union (ACLU) has underlined the real value of a more thorough and timely implementation of functional HTTP transport encryption, and is trying to make its point as loud and clear as it can.

The non-profit organization also noted that at least twenty-nine U.S. federal websites do not currently utilize HTTPS to protect sensitive information submitted through their sites.

The United States' Chief Information Officer (CIO) has now proposed a HTTPS-Only Internet Standard, which would require HTTPS transport encryption on all publicly accessible federal websites and web services.

In the meantime, Whitehouse-appointed CIO, Tony Scott, formely of VMWare, has sent out a call for public comment.

The ACLU has responded this week by welcoming the new policy, as well as the office's recognition that "the American people expect government websites to be secure and their interactions with those sites have to be private".

But the ACLU also writes that "we believe this deadline isn't soon enough for some sensitive sites, such as those used by inspectors general, at least 29 of which do not currently use HTTPS to protect reports of waste, fraud or abuse submitted via their internet hotlines. These include the inspectors general in the Departments of Justice and Homeland Security."

The ACLU added that while default HTTPS "is a great first step, U.S. federal agencies should be employing other encryption best practices as well, such as making certain that their email servers support the use of STARTTLS transport encryption".

STARTTLS, which protects data transmitted between email servers, is widely used by the private sector, although the ACLU notes that only very few federal agencies have implemented it, notably not including the FBI, the FTC, and, last but not least, the NASA.

Additionally, there are a growing number of various parties suggesting the complete deprecation of HTTP and transition to a web entirely based upon HTTPS.

An ongoing Mozilla developer discussion suggests a browser-based incentive for sites to begin to implement the secure protocol. The ACLU also adds that federal agencies should make it easy, not difficult, for the public to anonymously access their websites.

The "potential leakage of certain metadata, such as the mere fact that someone is visiting a particular website could be extremely sensitive and might even put that persons' life at risk in extreme cases".

The ACLU suggests a possible solution exists in the form of the Tor Project, which was initially created by the U.S. Naval Research Lab and subsequently funded by the Department of Defense and the State Department, and yet "several federal agency website block visitors who are using Tor".

A comment by the Electronic Frontier Foundation gives some examples of how failures to deploy HTTPS place U.S. citizens at risk.

The CIO website also concurs, noting that "every unencrypted HTTP request reveals information about a user’s behavior, and the interception and tracking of unencrypted browsing has become commonplace today, there is no such thing as insensitive web traffic, and public services should not depend on the benevolence of network operators."

Source: The American Civil Liberties Union.

Get the most dependable SMTP server for your company. You will congratulate yourself!

Share on Twitter.

IT News Archives | Site Search | Advertise on IT Direction | Contact | Home

All logos, trade marks or service marks on this site are the property of their respective owners.

Sponsored by Sure Mail™, Avantex and
by Montreal Server Colocation.

       © IT Direction. All rights reserved.