
Government To Require HTTPS For Online Services

All government online services are to be required to maintain encrypted HTTPS connections by 1 October, as well as enforcing more secure email policies, the Government Digital Service (GDS) has said.

The shift is part of a broader move toward online encryption that began in the wake of 2013 revelations of broad online surveillance programmes by the US government, and the GDS acknowledged that some individual services may have already begun encrypting content.

Secure services

“Although we’re aware individual services have continually upgraded their own security practices, we’re now updating the guidelines to improve how we secure government services overall,” said GDS technical architect Dafydd Vaughan. “These updates are aimed at maintaining secure services and trust in digital government services.”

All services are to shift to HTTPS using a security policy mechanism called HTTP Strict Transport Security (HSTS), which helps protect against certain types of attack and ensures that the site can only be accessed via HTTPS, because a browser that has seen the policy refuses to use unsecured HTTP connections to that site, Vaughan said.

“In September, we plan to submit the service.gov.uk domain to the browser manufacturers’ HSTS preload list,” he wrote. “This means that all modern browsers will only ever connect to government services via HTTPS. If your service is only available over unsecured connections, it will stop working in modern browsers once this happens.”
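The two mechanisms described above, as an added example that is not part of the original article or GDS code: a parser for the Strict-Transport-Security header, a check against the header-level conditions the preload list publishes, and an emulation of the browser-side upgrade that makes a plain-HTTP service unreachable once its domain is preloaded. The one-year minimum `max-age`, the `PRELOADED` table and the hostnames are assumptions constructed for the example, not copies of the real preload list.

```python
"""Added example (not GDS code): parse an HTTP Strict-Transport-Security
header, check it against the header-level requirements the HSTS preload
list publishes, and emulate the browser-side upgrade that makes an
HTTP-only service unreachable once its domain is preloaded."""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# hstspreload.org currently requires at least one year; the figure is an
# assumption of this example and should be checked against the live rules.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse an HSTS header value (RFC 6797 section 6.1).  Directive names are
    case-insensitive, max-age is mandatory and must not repeat, and unknown
    directives are ignored so future extensions do not break parsing."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None:
                raise ValueError("max-age given more than once")
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(header: str) -> list[str]:
    """Reasons the header alone would fail preload submission.  The list also
    requires a valid certificate and an HTTP-to-HTTPS redirect on the bare
    domain, which need a live connection and are not checked here."""
    try:
        policy = parse_hsts(header)
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} below required {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


def hsts_applies(host: str, known: dict[str, HstsPolicy]) -> bool:
    """Is host covered by a cached or preloaded policy?  An exact entry always
    applies; a parent domain's entry applies only with includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        policy = known.get(".".join(labels[i:]))
        if policy is not None and (i == 0 or policy.include_subdomains):
            return True
    return False


def upgrade_url(url: str, known: dict[str, HstsPolicy]) -> str:
    """Emulate the browser (RFC 6797 section 8.3): an http:// URL for a covered
    host is rewritten to https:// before any request is sent.  A service that
    listens only on port 80 therefore simply stops loading for that browser."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not hsts_applies(parts.hostname or "", known):
        return url
    netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


# Constructed preload table: the entry is what a service.gov.uk submission
# would need to contain, not a copy of the real preload list.
PRELOADED = {"service.gov.uk": parse_hsts("max-age=31536000; includeSubDomains; preload")}

if __name__ == "__main__":
    print(preload_problems("max-age=300"))
    print(upgrade_url("http://apply.example.service.gov.uk/start?step=1", PRELOADED))
    print(upgrade_url("http://www.example.gov.uk/", PRELOADED))
```

The upgrade happens entirely in the client: once the parent entry carries `includeSubDomains`, every host under it is rewritten to `https://` whether or not that host ever sent an HSTS header itself, which is exactly why an HTTP-only subdomain breaks rather than degrades after preloading.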

Services will also be required to publish a policy under the Domain-based Message Authentication, Reporting and Conformance (DMARC) system, which lets a receiving mail server check that a message claiming to come from a domain was authorised by that domain (through an aligned SPF or DKIM result) and tells it what to do with messages that fail, so that mail using forged sender addresses can be blocked.

Stricter email security

Services should set their DMARC policy to the strictest level, “p=reject”. If they are not able to do so by the 1 October deadline, they can temporarily publish a record with the “p=none” setting, which requests reports without enforcing anything but, as the subdomain’s own record, takes precedence over the default policy that would otherwise be applied to it, according to Vaughan.

“If you have not set up this policy by 1 October 2016, your emails may be rejected by external email providers,” he added.
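The policy resolution behind the two paragraphs above, as an added example that is not part of the article or of GDS code: a receiver follows the policy-discovery steps of RFC 7489 (section 6.6.3), looking first for the sending domain’s own `_dmarc` record and falling back to the organizational domain’s `sp=` or `p=` tag. The code below runs that procedure against a constructed DNS table. The `service.gov.uk` record with `p=reject` is an assumption modelled on the default the article describes, not the live record; the subdomain names, report addresses and the simplified public-suffix set are likewise constructed for the example.

```python
"""Added example (not GDS code): resolve the DMARC policy a receiving mail
server would apply to a given sending domain, following the policy-discovery
steps of RFC 7489 section 6.6.3, against a constructed DNS table.  It shows
why a subdomain with no record of its own inherits the parent's p=reject,
and why a subdomain record with p=none takes precedence over it."""
from __future__ import annotations

# Assumption for this example: gov.uk is treated as the public suffix, so
# <name>.gov.uk is the organizational domain.  Real receivers use the
# Public Suffix List; swap in a PSL lookup for production use.
PUBLIC_SUFFIXES = {"uk", "gov.uk", "co.uk"}
POLICIES = ("none", "quarantine", "reject")


def organizational_domain(domain: str) -> str:
    """Registrable domain: one label to the left of the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def parse_dmarc(record: str) -> dict[str, str] | None:
    """Parse a DMARC TXT record.  Returns None for anything a receiver must
    ignore: not starting with v=DMARC1, no p= tag, or an unknown policy value."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags: dict[str, str] = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            return None
        tags[name.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in POLICIES:
        return None
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        return None
    return tags


def effective_policy(from_domain: str, dns: dict[str, str]) -> tuple[str, str]:
    """Policy for the RFC5322.From domain, plus where it came from: the domain's
    own record, the organizational domain's sp= (or p= when sp= is absent), or
    no record at all, in which case DMARC is simply not applied."""
    from_domain = from_domain.lower().rstrip(".")
    own = dns.get(f"_dmarc.{from_domain}")
    if own is not None and (tags := parse_dmarc(own)) is not None:
        return tags["p"].lower(), f"own record at _dmarc.{from_domain}"
    org = organizational_domain(from_domain)
    if org != from_domain:
        parent = dns.get(f"_dmarc.{org}")
        if parent is not None and (tags := parse_dmarc(parent)) is not None:
            if "sp" in tags:
                return tags["sp"].lower(), f"sp= tag at _dmarc.{org}"
            return tags["p"].lower(), f"p= tag at _dmarc.{org}"
    return "none", "no valid DMARC record; message not subject to DMARC"


def disposition(from_domain: str, dns: dict[str, str],
                spf_aligned: bool, dkim_aligned: bool) -> str:
    """What the receiver does: DMARC passes if either aligned identifier passed;
    otherwise the effective policy decides.  p=none changes nothing, which is
    why it is safe as a temporary record but offers no protection."""
    if spf_aligned or dkim_aligned:
        return "deliver"
    policy, _ = effective_policy(from_domain, dns)
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


# Constructed DNS table.  The parent record models the p=reject default the
# article describes for service.gov.uk; it is not a copy of the live record.
DNS = {
    "_dmarc.service.gov.uk": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "_dmarc.monitor.service.gov.uk": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example.com",
    "_dmarc.broken.service.gov.uk": "p=none",  # lacks v=DMARC1, so it is ignored
}

if __name__ == "__main__":
    for domain in ("monitor.service.gov.uk", "apply.service.gov.uk",
                   "broken.service.gov.uk", "other.gov.uk"):
        print(domain, effective_policy(domain, DNS),
              disposition(domain, DNS, spf_aligned=False, dkim_aligned=False))
```

The `broken.service.gov.uk` entry is the case to watch for: a record that omits `v=DMARC1` is discarded by receivers, so the subdomain falls back to the parent’s `p=reject` exactly as if nothing had been published, and unaligned mail from it is rejected despite the operator believing they had set `p=none`.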

The government published an updated policy standard for government services and a guide covering email security.

“All services accessed through service.gov.uk domains (including APIs) must only be accessible through secure connections,” the new policy standard reads. “Services must not accept HTTP connections under any circumstances.”

Companies providing online email services, such as Yahoo and Google, were amongst the first to move to HTTPS beginning in 2013.

Apple adopted encryption for communications services built into its iPhone smartphone, and has criticised British government plans that would seek to weaken such protections.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
