The ACLU isn't too warm to the proposed HTTPS-only internet standard
April 17, 2015
In a direct response to the recent proposal for an HTTPS-Only Internet Standard, the American Civil Liberties
Union (ACLU) has underlined the real value of a more thorough and timely implementation of functional
HTTP transport encryption, and is trying to make its point as loud and clear as it can.
The non-profit organization also noted that at least twenty-nine U.S. federal websites do not
currently utilize HTTPS to protect sensitive information submitted through their sites.
The United States' Chief Information Officer (CIO) has now proposed an HTTPS-Only Internet Standard,
which would require HTTPS transport encryption on all publicly accessible federal websites and web
In the meantime, White House-appointed CIO Tony Scott, formerly of VMware, has sent out a call for public comment.
The ACLU has responded this week by welcoming the new policy, as well as the office's recognition
that "the American people expect government websites to be secure and their interactions with those
sites have to be private".
But the ACLU also writes that "we believe this deadline isn't soon enough for some sensitive sites, such
as those used by inspectors general, at least 29 of which do not currently use HTTPS to protect reports
of waste, fraud or abuse submitted via their internet hotlines. These include the inspectors general in
the Departments of Justice and Homeland Security."
The ACLU added that while default HTTPS "is a great first step, U.S. federal agencies should be
employing other encryption best practices as well, such as making certain that their email servers
support the use of STARTTLS transport encryption".
STARTTLS, which protects data transmitted between email servers, is widely used by the private sector,
although the ACLU notes that only very few federal agencies have implemented it, notably not including the
FBI, the FTC, and, last but not least, NASA.
Additionally, a growing number of parties are suggesting the complete deprecation of
HTTP and a transition to a web based entirely upon HTTPS.
An ongoing Mozilla developer discussion suggests a browser-based incentive for sites to begin to implement
the secure protocol. The ACLU also adds that federal agencies should make it easy, not difficult, for the
public to anonymously access their websites.
The "potential leakage of certain metadata, such as the mere fact that someone is visiting a particular
website could be extremely sensitive and might even put that person's life at risk in extreme cases".
The ACLU suggests a possible solution exists in the form of the Tor Project, which was initially
created by the U.S. Naval Research Lab and subsequently funded by the Department of Defense and the State Department,
and yet "several federal agency websites block visitors who are using Tor".
A comment by the Electronic Frontier Foundation gives some examples of how failures to deploy HTTPS
place U.S. citizens at risk.
The CIO website also concurs, noting that "every unencrypted HTTP request reveals information about
a user’s behavior, and the interception and tracking of unencrypted browsing has become commonplace today,
there is no such thing as insensitive web traffic, and public services should not depend on the benevolence
of network operators."
Source: The American Civil Liberties Union.