All British government websites are to be HTTPS encrypted

According to the latest security guideline, all British government digital service (GDS) websites will be requested mandatorily to use HTTPS encryption from October 1^st 2016. In addition, all services must deploy domain-based message authentication, reporting and conformance (DMARC) in email systems.

HTTP protocol sends message in clear text instead of providing data encryption in any form. Therefore, message can be easily intercepted during transmission. HTTPS, the secure version of HTTP, is widely used in sensitive communication online such as online payment.

The Communication-Electronics Security Group (CESG) of British government communication headquarters has released the transport layer security TLS for external facing services on September 2 ^nd 2015 and suggested British public services websites to deploy SSL certificate to establish TSL encrypted connections in order to protect data transmission security of public service websites’ users.

Compared with the HTTPS-Only standard published by the US government last June, the guideline of British government lays particular stress on the technical aspect. Although there is neither mandatory request of HTTPS deployment nor timetable like the US government, this movement of CESG also reflects the expectation of the British government to protect user privacy and information security of government websites. The guideline suggests:

1. Websites of public services apply HTTPS encrypted connections according to the security configuration recommendations of Qualys, Google and Mozilla, and external facing websites only use HTTPS service;

2. Redirect HTTP service to HTTPS encrypted service automatically;

3. Apply for SSL certificate from credible certificate authority (CA);

4. Use EV SSL certificate of extended validation to enhance customers’ confidence;

5. Deploy TLS connection for email server.

Except for the practical suggestions mentioned above, the guideline also provide guide for how to get certificate from CA and how to deploy test.

Government public service systems used to be operated only in local area network. With the acceleration of the government office informatization, related services of government gradually migrated to the Internet. Social insurance system, census register inquiry system, Centers for Disease Control, hospitals and other external facing websites contain numerous sensitive personal data like personal identity, social security information, finance, salary and household, which is closely related to citizen privacy. However, the security protection measures have fallen behind. At present, there are only few domestic government websites that have enabled HTTPS services. As the most basic security protection measure, HTTPS encryption is only applied in 10% of our government websites. The event of tens of millions of users from over 30 provinces social security information breach happened in this April reflects the security risk of our government websites. It is necessary for our government to follow the example of Britain and the US to publish policy and enhance website security protection.

Dafydd Vaughan, the technical architect of GDS, analyzed the reason of British government deploying HTTPS that “service.gov.uk standard requires all government services to be operated in secured network connections, which is known as HTTPS. This kind of connections can ensure user data is encrypted as well as the security during the interaction of user and government service. This September, we plan to submit service.gov.uk to the HSTS preloading list of all browser companies. In other words, government services can be accessed only through HTTPS by all mainstream browsers.”