Why HTTPS

North Carolina citizens expect government websites and applications to be secure, trustworthy and reliable. They expect anything they read on a .gov website to be official, and they expect any information they submit to that website — especially if they’re submitting personal information — to be sent safely and only to the government. 

The HTTPS protocol (https://) provides a secure internet connection between web services and their users. Federal agencies are required to enforce HTTPS and use HSTS (HTTP Strict Transport Security) under the White House Office of Management and Budget's M-15-13 and the Department of Homeland Security's Binding Operational Directive 18-01.

DIT’s Digital Commons website program enforces HTTPS for its websites. By July 31, 2018 all state government websites on the nc.gov platform will be required to use this protocol.
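
The following is an added example, not code from DIT or from the federal directives, of how a site can be checked against the two requirements named above: plain HTTP redirects to HTTPS, and the HTTPS response carries an HSTS header. The `audit` function, the one-year `MIN_MAX_AGE` threshold and the `agency.example` hop recordings are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # assumed policy threshold: one year, in seconds

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    return out

def audit(chain):
    """chain: [(url, status, headers), ...] hops recorded from an http:// request.
    Returns a list of findings; an empty list means the site passes."""
    findings = []
    hops = [(urlsplit(u), s, {k.lower(): v for k, v in h.items()}) for u, s, h in chain]
    _, status, headers = hops[0]
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 307, 308) or target.scheme != "https":
        findings.append("plain HTTP is served instead of redirecting to HTTPS")
    for url, _, _ in hops[1:]:
        if url.scheme != "https":
            findings.append(f"redirect chain drops back to HTTP at {url.geturl()}")
    # Browsers ignore HSTS received over plain HTTP, so only HTTPS hops count.
    policies = [parse_hsts(h["strict-transport-security"])
                for u, _, h in hops
                if u.scheme == "https" and "strict-transport-security" in h]
    if not policies:
        findings.append("no HSTS header on any HTTPS response")
    else:
        max_age = policies[-1].get("max-age", "")
        if not max_age.isdigit() or int(max_age) < MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age!r} is below {MIN_MAX_AGE}")
    return findings

# Constructed sample hop recordings (not real scan data).
GOOD = [("http://agency.example/", 301, {"Location": "https://agency.example/"}),
        ("https://agency.example/", 200,
         {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})]
WEAK = [("http://agency.example/", 200,
         {"Strict-Transport-Security": "max-age=31536000"})]
SHORT = [("http://agency.example/", 302, {"Location": "https://agency.example/"}),
         ("https://agency.example/", 200, {"Strict-Transport-Security": "max-age=300"})]

if __name__ == "__main__":
    for name, chain in (("GOOD", GOOD), ("WEAK", WEAK), ("SHORT", SHORT)):
        print(name, audit(chain) or "pass")
```

The `WEAK` recording fails twice: the site answers over plain HTTP, and its HSTS header does not count because it was delivered on that unencrypted response.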

Benefits of HTTPS

We’ve found several reasons to make the switch:

Better security. This should go without saying, but we need to protect citizens who come to our sites. Without the encrypted protocol, we put their information at risk.

Enables map geolocation. For those who use our Location listing pages, the automatic geolocation feature (zooming into a user’s area on the map) will only work from encrypted HTTPS URLs to protect visitors’ privacy.

HTTPS will soon be the standard. With more organizations migrating to HTTPS and more users expecting it, HTTPS will soon be the standard protocol of the internet — the baseline for all sites. In fact, the World Wide Web Consortium’s (W3C) Technical Architecture Group found that the web should “actively prefer secure communication” and encourage the use of HTTPS rather than HTTP.

Improved performance. Even though encryption requires additional computation, some sites actually perform better using the encrypted protocol.

Government should lead the way. As the internet community moves to HTTPS as the standard, government should be among those leading the way. We need to adapt to the changing landscape and set HTTPS as the standard for state government and internet contributors worldwide.

HTTP vs HTTPS?

Hypertext Transfer Protocol (HTTP) is the protocol over which data is transferred between a browser and a website. HTTPS (HTTP Secure) is a more secure version of this transfer protocol, in which all communications between the browser and website are encrypted. 

HTTPS is the Internet’s Next Phase

HTTPS encrypts (almost) all information sent back and forth from a website to a user, and it verifies the identity of a website or web service. While encryption is most critical when users are submitting personal and payment information, HTTPS also prevents certain information from being read and manipulated by a third party, such as:

  • Cookies
  • URL paths
  • Form submissions
  • User-agent details
  • Query string parameters

Although HTTPS is known to protect user information, it is not a fool-proof cybersecurity safety net. For example, in the past, the HTTPS protocol indicated a site was legitimate. But due to changing internet practices and the rise of companies offering SSL certificates to all sites (including phishing sites), we can no longer rely on HTTPS to be the sole indicator of a legitimate site.

What HTTPS Doesn’t Protect

Although HTTPS protects most important information, there are a few things that even encryption can’t protect. For example, HTTPS won’t encrypt a destination URL and an IP address. Encrypted traffic can also reveal information such as how long a user was on your site. 

Federal Government’s HTTPS-Only Standard

Believing all browsing data should be private and secure, the Federal Government has enacted an HTTPS-Only Standard. The standard requires all publicly accessible, federal websites to be accessed using HTTPS. Some federal websites already use the encrypted protocol, but by implementing the HTTPS-Only Standard, they are creating a consistent standard for agencies and setting a consistent expectation for citizens accessing federal websites.

What is the Migration Timeline?

Phase 1 - Discovery - To assist agencies in identifying the websites that are associated with their services, ESRMO has conducted a scan of those sites currently using the DIT Domain Name Service (DNS) infrastructure. Agencies must review the list and provide the plan to the agency’s Business Relationship Manager (BRM) by May 30, 2018.

Phase 2 - Implementation/Migration - To assist in the implementation phase, ESRMO has devised courses of action that agencies may use to accomplish this task. All sites must be migrated to HTTPS by July 31, 2018. During this phase, agencies are also required to discontinue and remove obsolete websites.

What is the Communication Plan?

Information on HTTPS migration for the nc.gov platform is being shared with many important stakeholders and services, including:

  • DIT leadership
  • Cabinet and Council of State CIOs
  • DIT Communications
  • DIT Business Relationship Managers
