July 6, 2016 by

UK Govt Websites Switch to HTTPS Encryption

Come October, all Government Digital Services (GDS) websites will switch to mandatory HTTPS encryption. Some would say it’s about time too.

In a recent blog post, Dafydd Vaughan, technical architect at the UK GDS, revealed that all government domains will use HTTPS encryption. Furthermore, the domains and all services will be required to publish a DMARC (Domain-based Message Authentication, Reporting and Conformance) policy applicable to their email systems.
Vaughan stated:
“The service.gov.uk standards require all government services to run on secure connections, known as ‘HTTPS’. This type of connection makes sure user data is encrypted and stays secure while users interact with your service.”
He also added that the services will be required to use HTTP Strict Transport Security (HSTS). The setting ensures that modern browsers only use secure connections and that information is only sent in encrypted form.
Furthermore, services that are only available via unsecured connections will no longer be supported by modern browsers after October 1. This forces a transition to more secure systems, and the GDS has published guidance to help with a smooth transition. A guide on how to implement secure email practices, including DMARC, has also been published and is available online.
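As an added illustration (not code from GDS or from the original article), the following Python sketch audits the two controls named above: it parses a `Strict-Transport-Security` header and a DMARC TXT record and reports what is missing or weak. It assumes the headers come from an HTTPS response, since browsers ignore HSTS sent over plain HTTP; the one-year `MIN_AGE` threshold, the finding codes and all sample values are assumptions constructed for the example.

```python
MIN_AGE = 31536000  # assumed threshold (one year), not a value from the article

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 directives)."""
    policy = {"max-age": None, "includesubdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            policy["max-age"] = int(arg) if arg.isascii() and arg.isdigit() else None
        elif name in ("includesubdomains", "preload"):
            policy[name] = True
    return policy

def parse_dmarc(txt):
    """Parse a DMARC record (RFC 7489); None unless v=DMARC1 is the first tag."""
    pairs = [t.partition("=")[::2] for t in txt.split(";") if t.strip()]
    pairs = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    return dict(pairs)

def audit(headers, dmarc_txt):
    """Return a list of finding codes; an empty list means both checks pass."""
    findings = []
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        findings.append("hsts-missing")
    else:
        age = parse_hsts(hsts)["max-age"]
        if age is None:
            findings.append("hsts-invalid")
        elif age == 0:
            findings.append("hsts-disabled")  # max-age=0 tells browsers to drop the policy
        elif age < MIN_AGE:
            findings.append("hsts-short-max-age")
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("dmarc-missing-or-invalid")
    elif dmarc.get("p", "").lower() not in ("none", "quarantine", "reject"):
        findings.append("dmarc-no-policy")
    elif dmarc["p"].lower() == "none":
        findings.append("dmarc-monitor-only")  # published, but receivers take no action
    return findings
# Constructed sample inputs (not captured from any real service).
GOOD = audit({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
             "v=DMARC1; p=reject; rua=mailto:reports@example.org")
WEAK = audit({"strict-transport-security": "max-age=300"}, "v=DMARC1; p=none")
```
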
In no uncertain terms, Vaughan wrote:

“Many services will collect personal information from users. It’s very important that this information can’t be intercepted by malicious third parties as it travels over the internet.

“Therefore, all services accessed through service.gov.uk domains (including APIs) MUST only be accessible through secure connections. For web-based services this means HTTPS only (often referred to by the acronyms TLS or SSL, which both refer to the protocol underpinning these secure connections). Services must not accept HTTP connections under any circumstances.”
The foray into implementing HTTPS encryption is a part of a wider global movement to embrace better encryption and security standards. Yahoo was among the earliest adopters among the traditionally big websites, switching Yahoo Mail to all HTTPS in October 2013.
Google is also among the flagbearers for the HTTPS standard, revealing that websites with HTTPS encryption will rank higher on its search pages.
Apple will be mandating that developers secure iOS apps with HTTPS from 2017.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
