Come October, all Government Digital Services (GDS) websites will switch to mandatory HTTPS encryption. Some would say it’s about time too.
In a recent blog post, Dafydd Vaughan, technical architect at the UK GDS, revealed that all government domains will use HTTPS encryption. Furthermore, the domains and all services will be required to publish a DMARC (Domain-based Message Authentication, Reporting and Conformance) policy that would be applicable to their email system.
The service.gov.uk standards require all government services to run on secure connections, known as ‘HTTPS’. This type of connection makes sure user data is encrypted and stays secure while users interact with your service.
He also added that the services will be required to use HTTP Strict Transport Security (HSTS). The setting will ensure that modern browsers only use secure connections and that information will only be sent in an encrypted manner.
Furthermore, services that are only available via unsecured connections will no longer be supported by modern browsers after October 1. This forces a transition to more secure systems and the GDS has published guidance to help with a smooth transition. A guide on how to implement secure email practices including DMARC is also published and available online.
In no uncertain terms, Vaughan wrote:
Many services will collect personal information from users. It’s very important that this information can’t be intercepted by malicious third parties as it travels over the internet.
Therefore, all services accessed through service.gov.uk domains (including APIs) MUST only be accessible through secure connections. For web-based services this means HTTPS only (often referred to by the acronyms TLS or SSL, which both refer to the protocol underpinning these secure connections). Services must not accept HTTP connections under any circumstances.
The foray into implementing HTTPS encryption is part of a wider global movement to embrace better encryption and security standards. Yahoo was one of the earliest adopters among the traditionally big websites, switching Yahoo Mail to all HTTPS in October 2013.
Google is also among the flagbearers for the HTTPS standard, revealing that websites with HTTPS encryption will rank higher on its search pages.
Apple will be mandating that developers secure iOS apps with HTTPS from 2017.