GC HTTPS Everywhere/Communication Material
Regular and consistent communication across the diverse stakeholder community will be important in achieving HTTPS everywhere compliance within each GC organization. A clear communications strategy will also reduce the likelihood of stakeholder resistance to an HTTPS everywhere migration.
The following proposes the essential communications actions required for successful implementation of GC HTTPS:
This material is provided as a starting point for discussions with business and technical partners depending on the scenario/context presented. If there are other areas that need to be covered, please contact TBS via the mailbox (below) or engage in the chat on GCmessage (#HTTPSEverywhere-HTTPSpartout).
My Site Is Only Accessible Internally
The HTTPS ITPIN is only applicable to externally focused public websites and web services. Your site is out of scope of this direction; however, you are still recommended to consider implementing HTTPS.
Can I Still Serve My Site Over HTTP If I Also Have HTTPS?
No, all publicly available websites should only offer HTTPS connections by September 30, 2019. Any HTTP connections should be permanently redirected to the HTTPS website.
My Website Works Just Fine Over HTTP
Not anymore. As of July 2018, Google Chrome will begin marking all HTTP connections as Not Secure, with other major browsers potentially following suit. This presents a new reputational risk to digital services.
No Forms or Information Collected
HTTPS protects more than just form data. HTTPS keeps the URLs, headers, and contents of all transferred pages confidential.
There is Nothing Sensitive on My Site
Cyberspace is borderless, and HTTP connections are simply a liability. Just as we have no control over detours on surface roads, we have no control over the route traffic will take through the internet.
HTTPS Is Going To Slow Down My Website – Encryption Is CPU Intensive
No, it's not. Sites with modern servers load faster over HTTPS than over HTTP because of HTTP/2. Over 75% of the world's websites are now HTTPS, including the largest banks and social media sites.
My Site Is HTTP, But Our Forms Are Submitted Over HTTPS
A site using HTTP is susceptible to interception and manipulation, meaning you lose control over the actions associated with the forms you present to your users, regardless of how they’re submitted.
Certificates Are Expensive - I Don’t Have The Budget This Year.
They're free (for example, from Let's Encrypt).
I Don’t Have The Skillsets Or Resources To Support HTTPS
HTTPS doesn't have to be complicated; many web servers, such as Caddy, are now designed to run with HTTPS as the default, and server configuration generators are available from organizations like Mozilla. Certificate management has been made far easier with the introduction of automated renewals.
My Site Can Still Be Impersonated, Even If I Use HTTPS
The dangers presented by impersonation online are greatly mitigated by the use of HTTPS and a properly issued certificate (one logged in certificate transparency (CT) logs, with a strong signature algorithm (at least SHA-256), from an authorized CA (CAA)).
Domain-Validated (DV) Certificates Aren't Secure
Domain Validated certificates offer the same technical security as Extended Validation (EV) certificates, and it has increasingly been shown that the promised value of EV certificates has not been realized.
What If A Certificate Authority Misissues A Cert For My Site?
The GC is working to establish governance around the issuance of certificates through the use of CAA records to restrict which CAs can issue certificates for a website. Until then, the system relies on certificate transparency and oversight to manage the infrastructure.
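To show what a CAA record actually restricts, here is an added example (not part of the GC material or any GC tooling) that evaluates a set of CAA records the way a CA must before issuing, following RFC 8659. The records and the CA names are constructed for the example; the walk up the DNS tree to find the nearest CAA set, which a CA also performs, is assumed to have been done already.

```python
"""Evaluate DNS CAA records per RFC 8659 (added illustration, not GC code)."""
import re
from typing import Iterable, List, Tuple

# Zone-file style record:  <flags> <tag> "<value>"
CAA_LINE = re.compile(r'^\s*(\d+)\s+(\w+)\s+"([^"]*)"\s*$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Parse 'flags tag "value"' lines into (flags, tag, value) tuples."""
    records = []
    for line in lines:
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"malformed CAA record: {line!r}")
        records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records


def ca_may_issue(records, ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether the CA identified by ca_domain may issue.

    - no CAA records at the relevant name -> issuance is unrestricted
    - an unknown tag with the critical flag (bit 128) set -> refuse
    - wildcard requests use 'issuewild' when present, else 'issue';
      non-wildcard requests ignore 'issuewild' entirely
    - an empty issuer (value ';') forbids every CA; parameters after
      ';' (e.g. validationmethods=...) are ignored here
    """
    if not records:
        return True
    for flags, tag, _ in records:
        if tag not in KNOWN_TAGS and flags & 128:
            return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no applicable property: not restricted by CAA
    for value in relevant:
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    # Constructed policy: one CA for normal certs, no wildcards at all.
    zone = ['0 issue "letsencrypt.org"', '0 issuewild ";"',
            '0 iodef "mailto:caa-reports@example.invalid"']
    recs = parse_caa(zone)
    print(ca_may_issue(recs, "letsencrypt.org"))          # True
    print(ca_may_issue(recs, "other-ca.example"))         # False
    print(ca_may_issue(recs, "letsencrypt.org", True))    # False
```

The CA that a domain owner has not listed gets a False, which is the control the text describes; CT logs then provide the after-the-fact check that the CA honoured it.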
Phishing Sites Use HTTPS
Our Site Relies Heavily On 3rd Party Content Over HTTP
The inclusion of HTTP content from a 3rd party provider is a proven vector for attack, as you do not have control over the security of that content. Moving to HTTPS means any content included in your website should come from HTTPS-enabled sources, to avoid both mixed-content errors and the inherent vulnerabilities they present.
HTTPS Impacts Search Engine Optimization
HTTPS improves SEO!