CIS Logo
tagline: Confidence in the Connected World

White House Announces Federal Websites Must Move to HTTPS

Introduction

On June 8, 2015, the White House’s Office of Management and Budget released a new policy requiring all publicly accessible Federal websites and web services to use the Hypertext Transfer Protocol Secure (HTTPS). HTTPS is currently the strongest method for protecting public web connections that contain private data. This policy was implemented to ensure that all browsing activity on Federal websites is private.

Currently, the majority of websites utilize the Hypertext Transfer Protocol (HTTP). HTTP does not protect the confidentiality of the data, leaving the communication open to interception and modification. HTTPS adds the encryption component, which provides integrity and confidentiality for the communication session.

As technology evolves, users are becoming more reliant on online web services to store their private information. As the White House’s Office of Management and Budget sets this new standard for federal websites and web services, the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) also recommends that our partner organizations adopt this policy within their organizations.

HTTPS Versus HTTP

HTTP is the most common way information is shared on the Internet. HTTP is the protocol that allows browsers such as Microsoft’s Internet Explorer, Google’s Chrome or Mozilla’s Firefox to allow users to view a website and request information from the sites web servers. HTTP data is commonly transmitted over port 80. HTTP transfers information unencrypted, leaving the traffic susceptible to network eavesdropping. Network eavesdropping is a simple attack where the malicious actor captures packets traveling between computers on the network. This method of attack is easy for malicious cyber actors to do using numerous free tools available on the Internet called network sniffers. These free tools allow the actor to obtain any data that was sent over the network, including but not limited to: passwords, cookie-based authentication credentials, website content, search terms and any other type of confidential Technical White Paper August 2015 TLP: WHITE Center for Internet Security 2 TLP: WHITE TLP: WHITE information may be distributed without restriction, subject to copyright controls. information. These tools can also aid malicious actors in man-in-the-middle (MITM) attacks that could inject information onto a targeted webpage without consent.1

For these reasons, HTTP cannot be relied upon to provide confidentiality and integrity of the communication taking place across the Internet. HTTPS was created to address these issues.

HTTPS encrypts traffic between the user’s computer and the web server. By default, HTTPS uses port 443 over Transmission Control Protocol (TCP). HTTPS is a combination between HTTP and one of two protocols used for encryption, SSL (Secure Sockets Layer) or TLS (Transport Layer Security). SSL and TLS terms are used interchangeably. However, the only difference between the two is when the SSL handshake occurs. SSL initiates the SSL handshake before making a connection to the next party, while TLS makes an unencrypted connection before initiating the SSL handshake. TLS also has more encryption options and is generally considered a more secure protocol.

Both these protocols use a method called public key encryption to encrypt the HTTP connection. Public key encryption is an asymmetric encryption method in which a public and private key pair is used to encrypt and decrypt a message. The public key is publicly available to everyone and is known by all parties, however, only the owner of the key pair knows the private key. Public keys are stored in the SSL certificate that the web server sends to the browser to identify itself. An SSL certificate is a small file that digitally binds an encryption key to the web server.2 The public key is used to encrypt the message. For more information on Private and Public Key encryption, please see our whitepaper “Private and Public Cryptography and Ransomware: https://msisac. cisecurity.org/resources/reports/documents/PublicandPrivateKeyCryptographyWhiteP aper-Dec2014_000.pdf.

Once a user on a web browser has established a secure connection with the web server, all traffic is encrypted when sent over the Internet, and decrypted locally on the participating machines. A malicious actor attempting to sniff the traffic would be able to see the traffic, however they would be unable to decrypt it. It should be noted that HTTPS has limitations and does not encrypt everything. For example, IP addresses (source and destination) and the IP in the TCP packet headers are not encrypted as this information is necessary to route traffic.3 For more information on TCP and IP packet headers, please see the following source: http://www.sans.org/securityresources/tcpip.pdf.

Man in the Middle Attacks: A Man in the Middle Attack is a type of eavesdropping where a malicious actor injects themselves into a connection between two parties. The actor then impersonates each party, allowing the actor to intercept, send and receive data as one or both of the legitimate parties.

Network eavesdropping is an unsuccessful method of attack if HTTPS is used, as the information being sent over the network is encrypted. The higher level of encryption, the less likely an attacker would be able to decrypt the content in the connection. Due to use of high-level encryption in HTTPS, injection based Man in the Middle attacks are less likely to occur because the altered injected content cannot be inserted in a timely fashion.

It can be difficult to determine which traffic should be considered sensitive, and therefore encrypted with HTTPS. For this reason, many organizations, and now the White House’s Office of Management and Budget have adopted the mindset that all web browsing activity should be considered sensitive and private.4

HTTPS Challenges

While HTTPS comes with the valuable benefit of creating a secure way of sending information over networks, it comes with a price. HTTPS requires a large amount of processing power and memory in order to encrypt the connections. This can cause the web servers to run slower than desired and legacy systems may not have the resources needed to run HTTPS. However, modern web servers generally have the resources to use HTTPS. It is recommended to ensure that web servers have enough resources for HTTPS before implementation. Proper testing of HTTPS should be done to ensure the web server is able to handle HTTPS without time delays.5

Additionally, SSL certificates are needed for nearly all HTTPS implementations. Organizations can freely create their own self-signed certificates, but the default configuration of modern browsers will not recognize these as valid due to the certificate not being signed by a trusted third-party the browser recognizes, called a certificate authority (CA). The cost of a certificate signed by a CA can vary greatly from just a few dollars to many thousands depending on a number of factors, including, but not limited to: the number of domains or subdomains the certificate will cover, the length of time the certificate will be valid for, and the extent of the validation that goes into the signing of the certificate. For instance, a certificate for a single domain with basic domain validation will almost certainly cost less than a certificate covering multiple domains and requiring Extended Validation. Extended Validation is a set of in depth criteria for confirming the identity of an organization and requires more verification than other types of validation. Due to the extra requirements to obtain, Extended Validation Certificates provide visitors to a site with more confidence that the site is who they claim to be. After the SSL certificate is acquired, implementing HTTPS can, depending heavily on the size and complexity of the website, be a time consuming task and could lead to a costly development lifecycle.

Recommendations for Implementing HTTPS

  • Implement HTTP to HTTPS 301 redirects, to ensure that each HTTP page is redirected to the HTTPS version.6
  • Test the site on all common browsers (or any browsers the target audience may be using) to ensure that the majority of users will be able to use the site properly.
  • Best practices dictate that certificates should be 2,048 bits. • Ensure that all content (including content such as advertisements) is also served over HTTPS.
  • Do not implement browser caching with HTTPS, to ensure that the client is receiving the most current version of the website and to prevent potentially sensitive data from being stored to disk. To learn how to disable browser caching, please see the following link: https://support.microsoft.com/en-us/kb/234067.
  • Best practices dictate that TLS version 1.3 or later is the most secure and ensure only secure ciphers are implemented.

References

  1. http://www.veracode.com/security/man-middle-attack
  2. https://www.globalsign.com/en/ssl-information-center/what-is-an-ssl-certificate/
  3. https://https.cio.gov/
  4. https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15- 13.pdf
  5. https://blog.nexcess.net/2014/09/03/the-pros-and-cons-of-implementing-sslhttps/
  6. https://www.hallaminternet.com/2015/migrating-website-http-https/