US government websites are taking another major step toward better security after it was announced that the .gov top-level domain (TLD) would be moved to enforced HSTS preloading.
The DotGov program made the announcement on Sunday, stating that all new .gov domains will be automatically preloaded from September 1, 2020. Transitioning existing domains will take longer.
The HSTS standard ensures a user’s browser always enforces an HTTPS connection to a website, including preventing users from clicking through if the domain has a certificate error.
“For a user to take advantage of HSTS, however, their browser has to see the HSTS header on a site at least once. This means that users are not protected until after their first successful secure connection to a given domain, which may not occur in certain cases,” wrote DotGov.
“To solve this problem, a domain can be submitted to the HSTS preload list, a list of domains embedded into browsers that get HSTS enabled automatically, even for the first visit. Domains that preload protect their entire ‘namespace,’ including all current or potential subdomains.”
Although new .gov domains will be preloaded automatically from September, existing ones will take much longer to transition. If preloading were switched on today, those that don’t currently offer HTTPS would become inaccessible to users, DotGov warned.
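The readiness check a .gov operator would run before the transition is whether the site already sends a Strict-Transport-Security header that the preload list will accept. The following Python is an added example, not code from the article or from DotGov; it applies the submission requirements published at hstspreload.org (max-age of at least one year, includeSubDomains, preload) to constructed sample headers.

```python
"""Check whether a Strict-Transport-Security header meets the HSTS preload
list's submission requirements (hstspreload.org): max-age of at least one
year (31536000 s), includeSubDomains, and the preload directive."""
import re
from typing import Optional

ONE_YEAR = 31536000  # seconds: minimum max-age accepted for preload submission


def parse_hsts(header: str) -> dict:
    """Parse an HSTS header value into a dict of lower-cased directives.
    'max-age=N' carries a value; includeSubDomains and preload are bare flags
    (stored as True). Unknown directives are kept, as RFC 6797 allows them."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else True
    return directives


def preload_problems(header: Optional[str]) -> list:
    """Return the reasons a header is not preload-eligible (empty list = OK)."""
    if not header:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(header)
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", str(max_age)):
        problems.append("missing or malformed max-age")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload directive")
    return problems


# Constructed sample headers, not captured from any real .gov site
SAMPLES = {
    "eligible": "max-age=31536000; includeSubDomains; preload",
    "short max-age": "max-age=86400; includeSubDomains; preload",
    "no subdomains": "max-age=63072000; preload",
    "no header": None,
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label}: {preload_problems(hdr) or 'preload-eligible'}")
```

A site that fails the "no header" case is exactly the one DotGov warns about: once the whole TLD is preloaded, browsers will refuse its plain-HTTP pages.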
The organization is collaborating with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to ensure .gov domain owners are ready for the move, but said it would take some time.
“Actually preloading is a simple step, but getting there will require concerted effort among the federal, state, local and tribal government organizations that use a common resource, but don’t often work together in this area,” it explained.
“With concerted effort, we could preload .gov within a few years.”
All US government agencies were supposed to have made their websites accessible over HTTPS only, with HSTS enabled, by the end of 2016.