Protecting user privacy is an important aspect and duty of any public service organization, and Hypertext Transfer Protocol Secure (HTTPS) is a fundamental component of online digital government security.
HTTPS is web security protocol or security certificate that validates and ensures privacy protections are adhered to.
As the U.S. federal government states, HTTPS guarantees:
- Confidentiality. The visitor’s connection is encrypted, obscuring URLs, cookies, and other sensitive metadata.
- Authenticity. The visitor is talking to the “real” website, and not to an impersonator or through a “man-in-the-middle”.
- Integrity. The data sent between the visitor and the website has not been tampered with or modified.
Government and HTTPS
The U.S. federal government is taking an active role in bringing .gov awareness to and encouraging adoption of HTTPS, saying, “The American people expect government websites to be secure and their interactions with those websites to be private.”
Google Chrome and HTTPS
Google Chrome is increasingly becoming the most popular browser used by people accessing websites. According to analytics.usa.gov, in October 2018, approximately 45% of visits to federal government websites were made using Google Chrome.
In September 2016, the Google Chromium project announced its intention to facilitate a more secure web that included a pathway to HTTPS everywhere and, in January 2018, began taking steps to implement this.
Google Chrome currently provides three different security indicators in the browser URL bar:
- Info Info or Not secure
- Dangerous Not secure or Dangerous
In April 2017, Google announced that, starting October 2017, Chrome users will begin to see the ‘Not Secure’ indicator in the following instances:
- The user is browsing in Chrome incognito mode.
- The page contains a password field.
- The user interacts with any input field.
Starting in October 2017, visitors to these pages on government websites will receive this “Not Secure” message:
Eventually, visitors to government website pages that are not HTTPS-enabled will receive this message and indicator:
What you should do today
Luckily, adding a valid Secure Sockets Layer (SSL) certificate to your website is not as difficult as it used to be.
Let’s Encrypt offers free SSL certificates that are trusted in all major browsers, including Chrome. You will need shell to install their software package, and then provision your certificate, and it will automatically renew every 90 days. Some hosting providers also support Let’s Encrypt out of the box.
If you don’t have root access you can typically install a SSL certificate from your website hosting control panel. Some web hosts may require upgrading your hosting package to allow SSL certificate installation. Choose an affordable SSL certificate and go through the installation process. You will need to validate ownership of your url by email, editing DNS settings, or uploading a file to your server.
ProudCity and government HTTPS
User privacy and security is extremely important to us, and HTTPS is automatically included as part of the ProudCity Safe offering for every government website hosted on the ProudCity platform. We proudly use Let’s Encrypt to support this service.
If you have questions about how ProudCity can help with your HTTPS, please contact us.
- ProudCity Safe
- ProudCity Security
- Why we use HTTPS for every .gov we make (18F)
- Introduction to HTTPS (CIO.gov)
- The HTTPS-Only Standard (CIO.gov)
- Compliance Guide (CIO.gov)