April 04, 2017
We’re Adding More Security to Your Sites with HTTPS
The internet is central to our lives and everyday behavior. We rely on it for communication, travel directions, to pay bills, and to get answers. With such dependency, we often take for granted how our information is shared over the web. And it’s not just information we voluntarily share that we should worry about. Information like location, browsing history, previously submitted data, and much more is at risk if we don’t take the right steps to protect it.
And, as a state agency, it is our responsibility to protect our citizens’ information when they come to our sites.
HTTP or HTTPS — What’s the Difference?
HTTP is the primary protocol used on the world wide web today. Without it, you wouldn’t have access to your Facebook app, email, or agency website. Unfortunately, plain HTTP is unencrypted: anyone on the network path between the user and the site (a coffee-shop Wi-Fi operator, an ISP, a compromised router) can read what is exchanged. It also means information sent back and forth between that site and the user is trackable and vulnerable to manipulation, because nothing lets the browser tell whether a response was altered in transit.
If you visit a site that’s using HTTP, any information used or provided on that site can be intercepted, manipulated, and used in a malicious way. Even if you don’t submit personal information, things like search terms, web content, browser information, and other user-submitted data can be observed and altered without consent. To protect users and themselves, many private sector companies have migrated to HTTPS, which is HTTP carried over TLS (Transport Layer Security, the successor to the older SSL protocol, which is why the certificates are still commonly called “SSL certificates”), to prevent unwarranted reading and manipulation of their users’ information.
What HTTPS Does
HTTPS encrypts (almost) all information sent back and forth between a website and a user, and it verifies that the server you reached holds a certificate for the domain name in the address bar, so an attacker on the network cannot silently stand in for it. While encryption is most critical when users are submitting personal and payment information, HTTPS also prevents the following from being read or manipulated by a third party on the network:
- Cookies
- URL paths
- Form submissions
- User agent details
- Query string parameters
Although HTTPS is known to protect a user’s information, it is not a fool-proof cyber security safety net. A certificate proves only that whoever operates the site controls that domain name; it says nothing about their intentions. In the past, the padlock was taken as a sign that a site was legitimate. But with certificate authorities now issuing certificates to any site that controls a domain (including phishing sites), we can no longer rely on HTTPS as the sole indicator of a legitimate site; the domain name itself still has to be checked.
What HTTPS Doesn’t Protect
Although HTTPS protects the most important information, a few things remain visible even with encryption. The name of the site a user is connecting to is sent in the clear, both in the DNS lookup and in the Server Name Indication (SNI) field of the TLS handshake, and so is the server’s IP address; the path and query string, by contrast, travel inside the encrypted connection. The size and timing of encrypted traffic can also reveal some information, like how long a user stayed on your site. None of this affects your own analytics: Google Analytics reports from a script running inside your page, not from anything visible on the wire, so you’ll still see the same valuable data after the move to HTTPS.
Federal Government’s HTTPS-Only Standard
Believing all browsing data should be private and secure, the Federal Government has enacted an HTTPS-Only Standard. The standard requires all publicly accessible, federal websites to be accessed using HTTPS. Some federal websites already use the encrypted protocol, but by implementing the HTTPS-Only Standard, they are creating a consistent standard for agencies and setting a consistent expectation for citizens accessing federal websites.
GeorgiaGov Platform Migrating to HTTPS
Starting this month, all GeorgiaGov platform sites will be migrating from HTTP to HTTPS.
We’ve found several reasons to make the switch:
- Better security. This should go without saying, but we need to protect citizens when they come to our sites. Without the encrypted protocol, we are putting their information at risk.
- Enables map geolocation. For those of you using our Location listing pages, the automatic geolocation feature (zooming into a user’s area on the map) will only work from HTTPS URLs, because browsers now expose a visitor’s location only to secure origins in order to protect their privacy.
- HTTPS will soon be the standard. With more organizations migrating to HTTPS and more users expecting it, HTTPS will soon be the standard protocol of the internet, the baseline for all sites. In fact, the World Wide Web Consortium’s (W3C) Technical Architecture Group found that the web should “actively prefer secure communication” and encourage the use of HTTPS rather than HTTP.
- Improved performance. Even though encryption requires additional computation, some sites actually perform better using the encrypted protocol, largely because browsers enable HTTP/2 (with its connection multiplexing and header compression) only over HTTPS.
- Government should lead the way. As the internet community moves to HTTPS as the standard, government should be among those leading the way. We need to adapt to the changing landscape and set HTTPS as the standard for State Government and internet contributors worldwide.
How this Affects GeorgiaGov Platform Customers
For most platform sites, our team will perform the migration and it will require no work on your part. We won’t migrate all sites at once, as we have some boxes to check before we migrate each site. For the handful of sites that require some code updates before we switch, someone from our team will be in touch with details.
In addition, the change will not affect any of your existing URLs — visits to any HTTP page will automatically redirect to its HTTPS counterpart. We will let you know once we switch the protocol for your site, and from then on, HTTPS will be your standard protocol.
A Note for Future Embedding
All images used on your site need to be stored locally (that is, uploaded to your IMCE) and linked directly from there, or referenced with a relative path. Any content that uses a full http:// URL on a page served over https:// is “mixed content”: browsers block scripts, iframes and stylesheets loaded that way outright, and either block images or strip the padlock for them. Embedded content like JavaScript and iframes therefore requires an HTTPS source.
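Before a site is switched over, it is worth scanning its markup for exactly these references. The script below is an added example (not tooling from this post or the GeorgiaGov platform) that walks a page’s HTML with Python’s standard library parser and lists every subresource still loaded over http://, marking which findings are active content that browsers block and which are passive. The HTML it runs on is a constructed sample; the example.org hostnames in it are placeholders. It deliberately ignores `<link rel="canonical">` and similar links, which are metadata rather than loaded resources, and it leaves protocol-relative (`//host/...`) and relative URLs alone, since those inherit the page’s scheme.

```python
"""List mixed-content references in an HTML page before migrating it to HTTPS.

Added example, not part of the original post. Input is a constructed sample.
"""
from html.parser import HTMLParser

# Tag -> attributes that cause the browser to fetch a subresource.
SRC_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),        # only for rel=stylesheet / icon, see below
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}
# Active mixed content (can run code or restyle the page) is blocked by browsers;
# everything else is passive and is shown with a warning or blocked.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, attribute, url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            rel = set((a.get("rel") or "").lower().split())
            if not rel & {"stylesheet", "icon"}:
                return        # canonical/alternate/etc. are not fetched as subresources
        for attr in SRC_ATTRS.get(tag, ()):
            value = (a.get(attr) or "").strip()
            if value.lower().startswith("http://"):
                kind = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((tag, attr, value, kind))


def scan_mixed_content(html):
    """Return every http:// subresource reference found in the page."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def suggest_fix(url):
    """Rewrite an http:// URL to https://.

    Only a correct fix when that host actually serves the resource over HTTPS;
    otherwise the asset must be uploaded locally, as the post advises.
    """
    return "https://" + url[len("http://"):]


# Constructed sample page with a mix of safe and unsafe references.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.org/site.css">
<link rel="canonical" href="http://www.example.org/page">
<script src="//cdn.example.org/app.js"></script>
<script src="http://cdn.example.org/old.js"></script>
</head><body>
<img src="http://www.example.org/sites/default/files/seal.png">
<img src="/sites/default/files/logo.png">
<iframe src="https://maps.example.org/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, kind in scan_mixed_content(SAMPLE_PAGE):
        print(f"{kind:7} <{tag} {attr}> {url}  ->  {suggest_fix(url)}")
```

On the sample it reports three problems (the stylesheet and the old script as active, the seal image as passive) and correctly passes over the canonical link, the protocol-relative script, the site-relative image and the HTTPS iframe.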
Encryption won’t safeguard against all types of internet attacks. Hacking is still possible and the ability to access personal information still looms, but those risks are heavily mitigated when we use HTTPS. Encryption is crucial in building trust with our citizens and protecting your agency’s brand.
Editor's Note: Due to feedback we received, a portion of this blog has been changed to reflect changing internet practices. Thanks to Vincent Lynch (@vtlynch) for the updated information on SSL certificates for all sites.