From September 1st this year all US government websites that use the .gov top level domain name will be obliged to use SSL and be available over HTTPS only.
Eventually they plan to add the .gov zone to the HSTS which would make it technically obligatory to have an SSL in order for a site to load in any modern browser. When an entire domain extension is added to the HSTS every domain and subdomain has to use SSL for it to work in browsers. (You can read the full RFC here)
However getting thousands of existing sites to enable SSL is not something that can be done overnight so doing it over the next couple of years makes sense. They admit that they don’t know when they’ll be able to force all sites in .gov to use SSL, as they don’t know what kind of issues the switch could cause. I suspect there are plenty of “gotchas” that they don’t know about yet, so they’ve setup mailing lists and are planning a number of other initiatives to get the word out to government departments.
Leave a Reply