For over a year, the U.S. Government has worked to establish secure connections to all federal websites, protecting visitors from malware and tracking. And although it didn’t meet the White House goal of having all federal websites served over secure HTTPS connections by Dec. 31, 2016, the government has made significant progress, outstripping the private sector in its adoption of encrypted browsing.
HTTPS adoption grew steadily in 2016. More news organizations (including TechCrunch!) started using encryption to protect their readers from censorship and surveillance, consumer awareness of encryption grew, and browsers like Chrome became more aggressive about warning users of the dangers of HTTP.
But the government is securing its websites faster than the private sector, according to a progress report by the U.S. digital services agency 18F.
The majority of visitors to .gov websites now browse over a secure connection, with 66 percent of visitors connecting to sites that enforce HTTPS. Out of roughly 1,000 .gov domains, 61 percent enforce HTTPS. For the roughly 26,000 .gov subdomains, the enforcement rate drops to 40 percent. (All of these rates are slightly higher for HTTPS support rather than enforcement.)
“This is likely in part because identifying parent domains is much easier (even inside an agency), and in part because most agencies have a ‘long tail’ of unused, abandoned, testing, or staging subdomains,” explains Eric Mill, senior advisor on technology policy and strategy for the General Services Administration. In his post, Mill suggests the best way to measure the impact of the government’s work on HTTPS is to look at web traffic — if most visitors to government websites enjoy a secure connection, then an abandoned subdomain shouldn’t make much difference.
Although 60 percent isn’t nearly the full security shift that the White House required by the end of last year, the progress still looks good when compared to the web as a whole. An analysis of the top Alexa top 1 million websites found that only 13 percent enforce HTTPS, while 33 percent support it. Mill says that the government’s own numbers were similar before the White House issued its HTTPS directive in the summer of 2015.
It’s tough to measure how many government domains in total have now been secured by HTTPS — in part because the government doesn’t maintain a complete list of all its domains and subdomains — but 18F saw solid progress on .gov domains. White House policy also requires other government sites on other domains, such as .mil and .us, to make the switch to HTTPS, but data on those domains isn’t included in the progress report.
Although the progress appears to be outstripping the rest of the internet, Mill says the data “points to more work for federal agencies to do to eliminate the use of insecure connections to their services.”