The US Department of Defense plans to implement HTTPS and HSTS (HTTP Strict Transport Security) for all its public-facing websites by the end of the year.
Issues about DOD websites using insecure HTTP connections or problematic SSL certificates have been raised in a letter sent earlier this year, in May, by Oregon Democrat Senator Ron Wyden.
DOD’s security woes
In the May letter, Wyden pointed out several problems with DOD’s online presence. The first and most widespread was the low use of HTTPS among the Department’s sites.
Second, was the use of SSL certificates (for supporting HTTPS) that were issued by the DOD Root Certificate Authority. Modern browsers don’t trust this certificate authority, and even if some DOD sites are served via HTTPS, browsers mark them as insecure and some block access to these DOD sites with security-related warnings.
Third, Wyden urged the DOD to implement HSTS in order to make sure that users arriving on these sites via HTTP links were being redirected to the HTTPS versions of those pages.
Wyden requested the DOD to move all sites to HTTPS, to use publicly-trusted SSL certificates instead of its homebrewed ones, and to implement HSTS. The Senator asked DOD Chief Information Officers Dana Deasy for a response by July 20.
DOD was preparing for this for several years
That response did come and was published online last week. In the response to Wyden’s letter, Deasy outlined a plan to conform with the Senator’s wishes.
Deasy said that the DOD has been working on moving most of its online properties to secure communications channels for the past 2-3 years, an initiative that was at the base of a Department of Homeland Security Binding Operational Directive (BOD 18-01) published at the end of last year.
BOD 18-01 includes several phases and action plans for moving sites to HTTPS and HSTS, using STARTTLS and DMARC to secure email servers, and contracting a commercial PKI infrastructure for the issuance of SSL certificates.
Deasy says that according to BOD 18-01, the HTTPS and HSTS rollout has a planned target of December 31, 2018, a date by which all DOD websites should be using proper encryption.
The contracting of a commercial PKI infrastructure is scheduled to finish by October 31, 2018, while the STARTTLS and DMARC rollout for email servers began in 2017 and is scheduled to complete by December 2018.
In the past year, Wyden has sent letters to US officials asking for US government agencies to deploy ad-blocking technologies to prevent malware infections via malvertising attacks, and to remove Flash from government sites and employee computers.