RIP, HTTP

In a June 8 memo, the Office of Management and Budget finalized an HTTPS-only standard for federal websites, ditching the insecure HTTP of the past.

The unencrypted HTTP protocol -- which most federal sites currently use – “does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data,” the OMB memo notes. “An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the Federal Government as a leader in Internet security.”

"As we've said before, every .gov website, no matter how small, should give its visitors a secure, private connection," the General Services Administration's 18F spokespersons blogged about the announcement. "We're thrilled to see HTTPS become the new baseline for federal web services."

For guidance on the HTTPS migration, agencies can look to https://https.cio.gov/ -- agencies must bring all sites and services into the HTTPS fold by Dec. 31, 2016.