
White House, Apple join the fight for HTTPS encryption

News roundup: The call for ubiquitous HTTPS has grown stronger as of late; the White House and Apple are hoping to help push the movement. Plus: The cost of cybersecurity management to rise 38%; a 165% ransomware increase; gender salary gap closes?

The White House published a directive Monday requiring "all publicly accessible Federal websites and Web services only provide service through a secure connection" by Dec. 31, 2016.

Issued by Federal CIO Tony Scott, the memo named HTTPS as the HTTP successor because it is "the strongest privacy and integrity protection currently available for public Web connections."

While the benefits of HTTPS have been advocated for years, the memo noted that it will not only help ensure Web safety, but also "eliminate inconsistent, subjective determinations across agencies regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide."

Simply put, the directive stated, "All browsing activity should be considered private and sensitive."

The majority of Federal websites currently use HTTP; however, data sent over HTTP is "susceptible to interception, manipulation and impersonation." This data includes browser identity, search information and other user-submitted info. HTTP also does not protect data from interception or alteration, which could lead to eavesdropping, tracking and modification of data.

The Office of Management and Budget published a website to track the government's progress. As of May 29, only 31% of federal domains support HTTPS.

The memo pointed out both what HTTPS encryption does -- such as verifying the identity of a website and establishing encrypted connections -- and its limitations, stating IP address and destination domains are not encrypted during communications, and HTTPS only guarantees the integrity of the connections, not the systems themselves. Indeed, the TLS protocol that HTTPS relies on has a rich history of flaws well beyond exposing routing data, including the recent Logjam flaw, in which the encryption could be downgraded to a breakable state.

The directive also listed challenges and considerations to keep in mind when implementing HTTPS encryption, such as site performance, Server Name Indication, HSTS and DNSSEC.
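As an added illustration (not part of the memo or this article), the following Python code evaluates the two properties a browser can observe on an HTTPS-only site: the plain-HTTP endpoint redirects to HTTPS on the same host, and the HTTPS reply carries a Strict-Transport-Security (HSTS) header. The hostnames, the sample replies and the one-year max-age threshold are constructed assumptions, not values taken from the memo.

```python
# Offline check of two observable marks of an "HTTPS-only" site: plain HTTP must redirect
# to HTTPS, and the HTTPS reply must carry HSTS. Added example; replies are constructed.
import re
from urllib.parse import urlparse

MIN_HSTS_MAX_AGE = 31536000  # assumed threshold (one year), not taken from the memo

# Constructed sample replies: (status of http://host/, its headers, https://host/ headers)
SAMPLES = {
    "good.agency.example": (301, {"Location": "https://good.agency.example/"}, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}),
    "plain.agency.example": (200, {"Content-Type": "text/html"}, {}),
    "weak.agency.example": (302, {"Location": "http://weak.agency.example/"}, {"Strict-Transport-Security": "max-age=300"}),
}

def parse_hsts(value):
    """Return (max_age, include_subdomains) from an HSTS header, or None if no usable max-age."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.lower() == "max-age" and re.fullmatch(r"\d+", arg):
            max_age = int(arg)
        elif name.lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def check_https_only(host, http_status, http_headers, https_headers):
    """Return findings for one host (empty list = compliant). Header names are case-insensitive."""
    findings = []
    http_hdrs = {k.lower(): v for k, v in http_headers.items()}
    https_hdrs = {k.lower(): v for k, v in https_headers.items()}
    # 1. The HTTP endpoint must not serve content; it must redirect to https:// on the same host.
    target = urlparse(http_hdrs.get("location", ""))
    if http_status not in (301, 302, 307, 308):
        findings.append("http endpoint serves content instead of redirecting")
    elif target.scheme != "https" or target.hostname != host:
        findings.append("http redirect does not land on https://%s" % host)
    # 2. The HTTPS endpoint must tell browsers to stay on HTTPS for future visits (HSTS).
    hsts = https_hdrs.get("strict-transport-security")
    parsed = parse_hsts(hsts) if hsts else None
    if parsed is None:
        findings.append("missing or malformed Strict-Transport-Security header")
    elif parsed[0] < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age %d below assumed minimum %d" % (parsed[0], MIN_HSTS_MAX_AGE))
    return findings

def audit_samples():
    """Run the check over every constructed sample; returns {host: findings}."""
    return {h: check_https_only(h, *reply) for h, reply in SAMPLES.items()}
```

The same two checks can be run against live responses by feeding the status code and header dictionaries from any HTTP client into check_https_only.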

It also briefly touched on the cost, but "affirms that tangible benefits to the American public outweigh the cost to the taxpayer."

Apple's HTTPS encryption recommendations

Also on Monday, Apple published a pre-release document on developer-related features introduced in iOS 9.

In the document, Apple described its "App Transport Security" (ATS), which allows developers to declare what domains an app needs to securely communicate with.

"ATS prevents accidental disclosure, provides secure default behavior and is easy to adopt," the pre-release said. "You should adopt ATS as soon as possible, regardless of whether you're creating a new app or updating an existing one."

Apple suggests developers use HTTPS exclusively to develop new apps. If updating an existing app, Apple recommends developers use HTTPS as much as possible and create a migration plan for the rest of the app.

While not a requirement, it forecasts an HTTPS-filled future.

HTTPS -- better late than never

The government memorandum said, "Proactive investment at the federal level will support faster Internet-wide adoption and promote better privacy standards for the entire browsing public."

While some may see the government as late to the game, it is better late than never. The government has also been seeing a backlash within its own ranks, with many pushing against stronger encryption.

"Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards," the directive said. "This leaves Americans vulnerable to known threats, and may reduce their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the Federal Government as a leader in Internet security."

However, many other companies have already taken great strides in this area.

Google has offered default HTTPS access for Gmail since 2010. Also in 2010, Google announced browsing would become more secure with encrypted Google Web searches.

The Electronic Frontier Foundation launched a beta of a Firefox extension called HTTPS Everywhere in 2010; the extension, "inspired by the launch of Google's encrypted search option," helps users ensure encrypted searches. Version 1 was released in 2011. It is now available for Firefox, Firefox for Android, Chrome and Opera browsers.

In 2011, Twitter added an always-on HTTPS setting. In 2012, it made the website HTTPS by default.

In 2013, Facebook started using HTTPS by default, though it offered HTTPS as an option back in 2011.

In 2014, Yahoo announced all traffic between datacenters would be encrypted, and it enabled encryption of mail between its servers and other providers.

In August 2014, Google furthered the push for HTTPS, announcing it was going to start using HTTPS to rank searches; sites with HTTPS would rank higher than those with just HTTP.

In other news

  • When it comes to privacy professionals, men and women are on a pretty equal playing field -- at least when certified. The International Association of Privacy Professionals, which released its 2015 salary survey Tuesday, found little difference between the sexes. The privacy profession is split 50/50, with an average age of 44 for men and 45 for women. According to the 1,253 "IAPP Salary and Governance Survey" respondents, the median salary of those not certified was $110,000 for women versus $127,000 for their male counterparts. However, when it came to holding any certification, the numbers jumped to $130,000 and $131,000, respectively. When an IAPP certification was involved, average salary rose to $132,500 and $135,500. In the United States, the median salary was $125,000 for women, versus $130,000 for men. In the U.K., salaries averaged $92,600 for women and $100,100 for men. However, the survey notes, "There is still work to be done. There remains a large gap in salary when you look at the 15% of respondents who have more than 15 years of experience." In this instance, women with 15+ years' experience made $156,300 versus $181,000 for men.
  • The cost of managing cybersecurity risks is set to increase 38% over the next 10 years, according to an in-depth report released Wednesday by RAND Corporation and Juniper Networks Inc. The reason for this increase, researchers claimed, is not necessarily the cost of a breach, but rather the failure of organizations to keep pace with hackers in terms of tools and expertise. "Most of the increase is … from the cost of increasing the efforts to restrain the losses from cyberattacks, (such as) tools, training, restricting BYOD/smart devices and air-gapping." Researchers who wrote the "Defender's Dilemma" report predicted the effectiveness of countermeasure tools would dip 65% over the next 10 years; "half of all the tools used in any one year are subject to countermeasures as hackers adapt if and when such tools become popular," researchers wrote. The report also found that despite increased spending on cybersecurity tools, many CISOs believe attackers will continue to gain on their defenses.
  • Intel Security released Monday its "McAfee Labs Threat Report: May 2015," in which researchers confirmed the company's November 2014 prediction that "ransomware will evolve its methods of propagation, encryption and the targets it seeks." Researchers saw a "massive increase" in ransomware samples in Q1 2015, which the report attributed to new ransomware families that have emerged "with a vengeance." CTB-Locker and its "underground 'affiliate' program" quickly "flooded the market with phishing campaigns," which led to a number of CTB-Locker infections. New variants of CryptoWall, TorrentLocker and BandarChor -- as well as a new ransomware family called Teslacrypt -- all surfaced in Q1 2015, creating a 165% increase in ransomware over Q4 2014. Researchers expect new variants and families of ransomware to inevitably appear in the future, along with new techniques and functionality. Researchers also found a 317% increase in new Adobe Flash malware samples detected in Q1 2015 versus Q4 2014, largely because Flash is installed on many platforms and "there are many known, unpatched vulnerabilities and exploits are often hard to detect."
