Changes

Line 3: Line 3:     
== Technical Considerations ==
 
== Technical Considerations ==
* '''Threat Detection and Encrypted Traffic''' – GC Organizations are concerned about how they will manage threat detection as more and more traffic flows become encrypted with HTTPS.  While HTTPS provides user transmissions with privacy and security, it also presents a challenge for security personnel who are charged with ensuring that malicious content does not enter a GC organization’s IT infrastructure and that sensitive information does not leave it.
+
* '''Threat Detection and Encrypted Traffic''' – GC Organizations are concerned about how they will manage threat detection as more and more traffic flows become encrypted with HTTPS.  While HTTPS provides user transmissions with privacy and security, it also presents a challenge for security personnel who are charged with ensuring that malicious content does not enter a GC organization’s IT infrastructure and that sensitive information does not leave it. [https://www.us-cert.gov/ncas/tips/ST18-006 Compensating website controls] provide services the security required to maintain operations and user trust.
 
* '''Certificates''' - The biggest weakness of the current PKI system is the fact that any CA can issue a certificate for any website in the world.  Large organizations with a vast array of certificates are at higher risk of compromise as a result of malicious or accidental certificate issuance by a Certificate Authority (CA).  Appendix A includes considerations for sourcing SSL certificates.  Further guidance on the types of certificates and certificate authorities (CA) that should be used will be further developed in a GC Certificate Strategy paper.   
 
* '''Certificates''' - The biggest weakness of the current PKI system is the fact that any CA can issue a certificate for any website in the world.  Large organizations with a vast array of certificates are at higher risk of compromise as a result of malicious or accidental certificate issuance by a Certificate Authority (CA).  Appendix A includes considerations for sourcing SSL certificates.  Further guidance on the types of certificates and certificate authorities (CA) that should be used will be further developed in a GC Certificate Strategy paper.   
 
* '''Mixed Content / Compatibility''' - When a website originally written for HTTP is moved to HTTPS, until fully migrated, resources (e.g., images, scripts, and videos) will continue to cause mixed content warnings while these resources are still being served over an insecure HTTP connection.  There are a number of mixed content implementation strategies that can used to reduce the likelihood of warnings and errors and are outlined in Appendix B.  
 
* '''Mixed Content / Compatibility''' - When a website originally written for HTTP is moved to HTTPS, until fully migrated, resources (e.g., images, scripts, and videos) will continue to cause mixed content warnings while these resources are still being served over an insecure HTTP connection.  There are a number of mixed content implementation strategies that can used to reduce the likelihood of warnings and errors and are outlined in Appendix B.  
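Review bot: the sentence added at the end of the Threat Detection and Encrypted Traffic bullet does not parse: "provide services the security required to maintain operations and user trust" has its words out of order or is missing one. Suggest "provide the security services required to maintain operations and user trust", and state what these controls compensate for, since the bullet describes the problem (threat detection once traffic is encrypted with HTTPS) but the new sentence does not say how the linked US-CERT tip relates to it. While this section is being edited, the unchanged Mixed Content bullet still reads "strategies that can used"; it should be "that can be used".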