Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

Government agencies enable HTTP Strict Transport Security for public websites

Ashkan Soltani, Chief Technologist, FTC: “I’m pleased to announce that the FTC has joined a number of other federal agencies in deploying additional security best practices for our public consumer websites: donotcall.gov, ftccomplaintassistant.gov, and hsr.gov. The websites, which already employ HTTPS encryption, have enabled a feature known as HTTP Strict Transport Security (HSTS) which hardcodes all future communications to be encrypted by default. The result is that when visitors attempt to visit the Do Not Call Registry by entering “donotcall.gov” or clicking a link to http://donotcall.gov, HSTS-enabled browsers will automatically encrypt the connection without any additional instruction from the website. This small tweak reduces the potential for an attacker to maliciously redirect (downgrade) their connection or impersonate an FTC website when connecting from insecure networks and open Wi-Fi hotspots. The cross-agency effort was motivated by the GSA’s 18F team which you can read about here.”
