Government agencies enable HTTP Strict Transport Security for public websites


I’m pleased to announce that the FTC has joined a number of other federal agencies in deploying additional security best practices for our public consumer websites: donotcall.gov, ftccomplaintassistant.gov, and hsr.gov.

The websites, which already employ HTTPS encryption, have enabled a feature known as HTTP Strict Transport Security (HSTS), which instructs browsers to use an encrypted connection for all future visits by default. The result is that when visitors attempt to reach the Do Not Call Registry by entering "donotcall.gov" or clicking a link to http://donotcall.gov, HSTS-enabled browsers will automatically upgrade the connection to HTTPS without any additional instruction from the website. This small tweak reduces the potential for an attacker to maliciously redirect (downgrade) a visitor's connection or impersonate an FTC website when the visitor connects from insecure networks and open Wi-Fi hotspots.
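To make the browser-side behaviour concrete, here is a small added Python model (not code from the original post or from the FTC sites) of how an HSTS policy is learned and applied: a `Strict-Transport-Security` header is honoured only when received over HTTPS, it expires after `max-age` seconds, and `includeSubDomains` extends it to subdomains. The header values and the clock are constructed for illustration.

```python
"""Browser-side model of HSTS (RFC 6797): http:// requests become https:// for hosts with a policy."""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Remembers HSTS policies per host, roughly as a browser does."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._policies = {}        # host -> (expires_at, include_subdomains)

    def observe_response(self, url, headers):
        """Record a Strict-Transport-Security header (header names assumed lowercase).
        Only an HTTPS response may set a policy; one seen over plain HTTP is ignored,
        since anyone on the path could have injected it."""
        parts = urlsplit(url)
        value = headers.get("strict-transport-security")
        if parts.scheme != "https" or value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name, arg = name.strip().lower(), arg.strip().strip('"')
            if name == "max-age" and arg.isdigit():
                max_age = int(arg)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False           # max-age is mandatory; a malformed header sets nothing
        host = parts.hostname.lower()
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 withdraws the policy
        else:
            self._policies[host] = (self._now() + max_age, include_sub)
        return True

    def rewrite(self, url):
        """Return the URL the browser will actually fetch: http:// becomes https://
        when an unexpired policy covers the host itself or, with includeSubDomains,
        a parent domain. (Explicit port rewriting is left out for brevity.)"""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = (parts.hostname or "").lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy and policy[0] > self._now() and (i == 0 or policy[1]):
                return urlunsplit(("https",) + tuple(parts)[1:])
        return url
```

The first request to a site still goes out over plain HTTP unless the browser ships with the domain preloaded, which is why a long `max-age` and preloading matter for this protection.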

The cross-agency effort was motivated by the GSA's 18F team, which you can read about here.

This is part of an ongoing effort by federal agencies to improve their websites. Watch this space for future updates.

The author’s views are his or her own, and do not necessarily represent the views of the Commission or any Commissioner.

Comments

dear ftc, how does this protect the back end of your systems? what if an attacker compromises the back end?

also, can you share how many times a 'man-in-the-middle' attack was an issue for ftc?
