Lack of secure protocol puts US whistleblowers at risk, says ACLU
Quick, implement an HTTPS-only standard
Responding to the recent proposal for a "HTTPS-Only Standard", the American Civil Liberties Union has stressed the value of a more thorough and timely implementation of functional transport encryption.
The non-profit organization noted that at least 29 US federal websites do not currently use HTTPS to protect sensitive information submitted through their online "hotlines".
The US' Chief Information Officer (CIO) has now proposed a HTTPS-Only Standard, which would require HTTPS transport encryption on all publicly accessible federal websites and web services.
The Obama-appointed CIO, Tony Scott, formely of VMWare, has sent out a call for public comment.
ACLU has responded [PDF] by welcoming the new policy, as well as the office's recognition that "the American people expect government websites to be secure and their interactions with those websites to be private".
However, the ACLU writes that "we believe this deadline is not soon enough for some sensitive sites, such as those used by inspectors general, at least twenty-nine of which do not currently use HTTPS to protect reports of waste, fraud or abuse submitted via their internet hotlines. These include the inspectors general in the Departments of Justice and Homeland Security."
The ACLU added that while default HTTPS "is a great first step, agencies should be employing other encryption best practices too, such as making sure that their email servers support the use of STARTTLS transport encryption".
STARTTLS, which protects data transmitted between email servers, is widely used by the private sector, although the ACLU notes that only very few federal agencies have implemented it, notably not including the FBI, FTC, and NASA.
There are a growing number of parties suggesting the complete deprecation of HTTP and transition to a web entirely based upon HTTPS. An ongoing Mozilla developer discussion suggests a browser-based incentive for sites to begin to implement the secure protocol.
The ACLU also adds that agencies should make it easy, not difficult, for the public to anonymously access their sites.
The "leakage of certain metadata, such as the mere fact that someone is visiting a particular website [...] could be extremely sensitive and might even put [that persons'] life at risk".
It suggests a possible solution exists in the form of the Tor Project, which was initially created by the US Naval Research Lab and subsequently funded by the Department of Defense and the Department of State, and yet "several federal agency website block visitors who are using Tor".
A comment by the Electronic Frontier Foundation gives examples of how failures to deploy HTTPS put citizens at risk.
The CIO website concurs, noting that "every unencrypted HTTP request reveals information about a user’s behavior, and the interception and tracking of unencrypted browsing has become commonplace ... today, there is no such thing as insensitive web traffic, and public services should not depend on the benevolence of network operators." ®