The US government’s DotGov Program has announced that new .gov sites will only be accessible via HTTPS and that they will automatically be preloaded starting on September 1, 2020.
The program is overseen by the US General Services Administration (GSA) which operates the .gov top-level domain (TLD). The GSA also provides .gov domains to US-based government organizations from federal agencies to local municipalities.
In an announcement on its website, the DotGov Program explained the reason behind its decision to preload the .gov domain, saying:
“We believe the security benefits that come from preloading are meaningful and necessary to continue meeting the public’s expectation of safety on .gov services. We believe that government websites should always be secure.”
Preloading the .gov TLD
Following their move from HTTP to the HTTPS protocol, US government sites will secure visitors’ connections using Transport Layer Security (TLS) protocol. This will encrypt any data that is exchanged and also protect users against man-in-the-middle attacks.
Although DotGov will preload the .gov TLD in September of this year, it will not be submitted to the HTTP Strict Transport Security (HSTS) preload list until a later date as doing so would make government sites that currently use HTTPS inaccessible.
HSTS is a web server directive which tells web browsers to only connect using secure HTTPS connections. Web browsers bundle an HSTS preload list containing the names of all sites known to support secure connections so that browsers don’t connect to them using an insecure protocol.
In a blog post, the DotGov Program provided further insight on what preloading the .gov TLD will entail, saying:
“Actually preloading is a simple step, but getting there will require concerted effort among the federal, state, local and tribal government organizations that use a common resource, but don’t often work together in this area. With concerted effort, we could preload .gov within a few years.”
To go about preloading the .gov TLD, the DotGov Program is currently collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) to ensure that .gov domain owners are ready for their domains to be preloaded in the future. Also beginning on September 1, all new .gov domains will be automatically preloaded so that the program can focus on transitioning historical domains and not new ones to HTTPS.
Via BleepingComputer
