Protecting user privacy is an important aspect and duty of any public service organization, and Hypertext Transfer Protocol Secure (HTTPS) is a fundamental component of online digital government security.
In this context, it’s important to note that, starting in October 2017, visitors to non-secure government website forms using Google Chrome will receive a “Not secure” message indicating the site cannot be fully trusted to protect user privacy.
What is HTTPS
HTTPS is a web security protocol, backed by a security certificate, that validates the website and ensures privacy protections are adhered to.
As the U.S. federal government states, HTTPS guarantees:
- Confidentiality. The visitor’s connection is encrypted, obscuring URLs, cookies, and other sensitive metadata.
- Authenticity. The visitor is talking to the “real” website, and not to an impersonator or through a “man-in-the-middle”.
- Integrity. The data sent between the visitor and the website has not been tampered with or modified.
HTTPS and government
The U.S. federal government is taking an active role in raising awareness of HTTPS across .gov and encouraging its adoption, saying, “The American people expect government websites to be secure and their interactions with those websites to be private.”
According to analytics.usa.gov, 44.5% of visitors over the past 90 days used Google Chrome to access federal government websites. According to the General Services Administration, currently 75% of federal government websites support the HTTPS protocol.
Google Chrome and HTTPS
In September 2016, the Google Chromium project announced its intention to facilitate a more secure web that included a pathway to HTTPS everywhere and, in January, began taking steps to implement this.
Google Chrome currently provides three different security indicators in the browser URL bar:
- Info or Not secure
- Not secure or Dangerous
In April 2017, Google announced that, starting October 2017, Chrome users will begin to see the ‘Not Secure’ indicator in the following instances:
- The user is browsing in Chrome incognito mode.
- The page contains a password field.
- The user interacts with any input field.
Starting in October 2017, visitors to these pages on government websites will receive this “Not Secure” message:
According to the Chromium project, “there is no target date for the final state yet, but we intend to mark all HTTP pages as non-secure in the long term.” Eventually, visitors to government website pages that are not HTTPS-enabled will receive this message and indicator:
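The following Python script is an added example, not part of the original article or of Chrome itself: it classifies pages by which of the three conditions listed above would trigger the “Not secure” indicator. The URLs and markup are constructed samples, and skipping hidden and button-type inputs is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: visitors do not enter data into these input types, so they are skipped.
NON_ENTRY_TYPES = {"hidden", "submit", "button", "reset", "image"}

class FieldScanner(HTMLParser):
    """Records whether a page contains password fields or other data-entry fields."""
    def __init__(self):
        super().__init__()
        self.has_password = self.has_input = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("textarea", "select"):
            self.has_input = True
        elif tag == "input":
            # A missing or empty type attribute defaults to a text field.
            kind = (attrs.get("type") or "text").lower()
            if kind == "password":
                self.has_password = True
            elif kind not in NON_ENTRY_TYPES:
                self.has_input = True

def classify(url, html):
    """Return the condition under which the page is flagged, or None for HTTPS."""
    if urlparse(url).scheme == "https":
        return None
    scanner = FieldScanner()
    scanner.feed(html)
    if scanner.has_password:
        return "password-field"       # flagged as soon as the page loads
    if scanner.has_input:
        return "input-interaction"    # flagged once the visitor uses a field
    return "incognito-only"           # flagged only in incognito mode

# Constructed sample pages (hypothetical URLs and markup).
SAMPLE_PAGES = {
    "http://www.city.example/login": '<form><input name="u"><input type="PASSWORD" name="p"></form>',
    "http://www.city.example/contact": '<form><textarea name="msg"></textarea><input type="submit"></form>',
    "http://www.city.example/about": "<p>About the city</p>",
    "https://www.city.example/pay": '<form><input type="password" name="p"></form>',
}

def audit(pages):
    return {url: classify(url, html) for url, html in pages.items()}

if __name__ == "__main__":
    for url, reason in audit(SAMPLE_PAGES).items():
        print(f"{reason or 'ok':18} {url}")
```

Pages reported as "password-field" or "input-interaction" are the ones to move to HTTPS first.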
What you should do today
Luckily, adding a valid Secure Sockets Layer (SSL) certificate to your website is not as difficult as it used to be.
Let’s Encrypt offers free SSL certificates that are trusted in all major browsers, including Chrome. You will need shell access to install their software package and provision your certificate, which will then automatically renew every 90 days. Some hosting providers also support Let’s Encrypt out of the box.
If you don’t have root access, you can typically install an SSL certificate from your website hosting control panel. Some web hosts may require upgrading your hosting package to allow SSL certificate installation. Choose an affordable SSL certificate and go through the installation process. You will need to validate ownership of your URL by email, by editing DNS settings, or by uploading a file to your server.
ProudCity and government HTTPS
User privacy and security are extremely important to us, and HTTPS is automatically included as part of the ProudCity Safe offering for every government website hosted on the ProudCity platform. We proudly use Let’s Encrypt to support this service.