
EFF public comment: HTTPS-Only is necessary and overdue #98

Closed
jsha opened this issue Apr 9, 2015 · 0 comments · Fixed by #108

jsha commented Apr 9, 2015

COMMENTS OF THE ELECTRONIC FRONTIER FOUNDATION REGARDING THE HTTPS-ONLY STANDARD

The Electronic Frontier Foundation (EFF) is grateful for this opportunity to respond to the request by the Office of Management and Budget (OMB) and for comments regarding The HTTPS-Only Standard. EFF is a nonprofit civil liberties organization with more than 22,000 dues-paying members. It has worked for more than 20 years to protect consumer interests, innovation, and free expression in the digital world.

HTTPS deployment is one of EFF's major topic areas. EFF's work in this area includes the SSL Observatory, a research project that catalogues existing deployment of HTTPS; Encrypt the Web, a longstanding project to encourage deployment of encryption, including a report on which major companies support various encryption technology; HTTPS Everywhere, a browser extension to help individuals discover and use the HTTPS version of websites; and Let's Encrypt, a collaboration with Mozilla to launch a free, automated certificate authority to decrease the barriers to entry in deploying HTTPS.

EFF whole-heartedly supports the federal government's adoption of this essential cybersecurity standard. We also urge all state, local, and national governments worldwide to follow suit, as soon as possible.

HTTPS, the secure version of HTTP, protects web browsing activity by encrypting and authenticating everything sent between an individual and a web server. It is rapidly replacing insecure HTTP on the Internet and security experts are making plans to provide warnings when accessing HTTP pages.

Without HTTPS, a person's browsing activity can be monitored by anyone who controls their network or simply uses the same WiFi network (using a technique called ARP poisoning). For many people, the list of possible snoops could include their employer, school, ISP, national spy agencies, parents, spouse, and/or fellow library patrons. HTTPS is not a silver bullet for all security and privacy problems, but no site can be secure or private without it.

Unfortunately, federal web sites have lagged far behind industry in implementing HTTPS. The most popular commercial web sites, like Google, Facebook, and Twitter, have used HTTPS-only for years. But many federal web sites don't implement HTTPS at all, making it impossible to access them securely. Other sites implement HTTPS, but don't make it the default. And some offer HTTPS but with out-of-date, insecure software and configurations.

Government web sites receive a wide array of confidential information. That information absolutely needs to be protected from eavesdropping. But HTTPS doesn't just protect uploaded information like social security numbers. It also protects the confidentiality of what people read. A few examples of how failure to deploy HTTPS puts citizens at risk:

This is just a sample of the many protected groups who need and deserve real confidential access to government services.

Fortunately, deployment of HTTPS is easier and cheaper than it has ever been. We call on the federal government to implement the HTTPS-Only Standard as quickly as possible. State, local, and national governments worldwide should do the same.

A version of this feedback, altered to introduce the HTTPS-Only standard to our readers, is available on the EFF web site.
