The American people expect government websites to be secure and their interactions with those websites to be private. Hypertext Transfer Protocol Secure (HTTPS) offers the strongest privacy protection available for public web connections with today’s internet technology. The use of HTTPS reduces the risk of interception or modification of user interactions with government online services.

This proposed initiative, “The HTTPS-Only Standard,” would require the use of HTTPS on all publicly accessible Federal websites and web services.

We encourage your feedback and suggestions.

Goal

All publicly accessible Federal websites and web services [1] only provide service over a secure connection. The strongest privacy protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS).

Background

The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data. Many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of Federal websites and services deserve the same protection.

Private and secure connections are becoming the Internet’s baseline, as expressed by the policies of the Internet’s standards bodies, popular web browsers, and the Internet community of practice. The Federal government must adapt to this changing landscape, and benefits by beginning the conversion now. Proactive investment at the Federal level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public.

The majority of Federal websites use HTTP as the primary protocol to communicate over the public internet. Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services. Data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information.

All browsing activity should be considered private and sensitive.

An HTTPS-Only standard will eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide.

Federal websites that do not use HTTPS will not keep pace with privacy and security practices used by commercial organizations, or with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and reduces their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. The proposed HTTPS-only standard will provide the public with a consistent, private browsing experience and position the Federal government as a leader in Internet security.

What HTTPS Does

HTTPS verifies the identity of a website or web service for a connecting client, and encrypts nearly all information sent between the website or service and the user. Protected information includes cookies, user agent details, URL paths, form submissions, and query string parameters. HTTPS is designed to prevent this information from being read or changed while in transit.

HTTPS is a protocol that uses HTTP over a connection secured with Transport Layer Security (TLS). TLS is a network protocol that establishes an encrypted connection to an authenticated peer over an untrusted network.

Browsers and other HTTPS clients are configured to trust a set of certificate authorities [2] that can issue cryptographically signed certificates on behalf of web service owners. These certificates communicate to the client that the web service host demonstrated ownership of the domain to the certificate authority at the time of certificate issuance. This prevents unknown or untrusted websites from masquerading as a Federal website or service.

What HTTPS Doesn’t Do

HTTPS has several important limitations.

IP addresses and destination domain names are not encrypted during communication. Even encrypted traffic can reveal some information indirectly, such as time spent on site, or the size of requested resources or submitted information.

HTTPS only guarantees the integrity of the connection between two systems, not the systems themselves. It is not designed to protect a web server from being hacked or compromised, or to prevent the web service from exposing user information during its normal operation. Similarly, if a user’s system is compromised by an attacker, that system can be altered so that its future HTTPS connections are under the attacker’s control. The guarantees of HTTPS may also be weakened or eliminated by compromised or malicious certificate authorities.

Challenges and Considerations

Site Performance: While encryption adds some computational overhead, modern software and hardware can handle this overhead without substantial deleterious impact on server performance or latency. Websites whose content delivery networks or server software support the SPDY or HTTP/2 protocols, which require HTTPS in some major browsers, may find their site performance substantially improved overall as a result of migrating to HTTPS.

Server Name Indication: The Server Name Indication extension to TLS allows for more efficient use of IP addresses when serving multiple domains. However, these technologies are not supported by some legacy clients. Web service owners should evaluate the feasibility of using this technology to improve performance and efficiency.

Mixed Content: Websites served over HTTPS need to ensure that all external resources (images, scripts, fonts, iframes, etc.) are also loaded over a secure connection. Modern browsers will refuse to load many insecure resources referenced from within a secure website. When migrating existing websites, this can involve a combination of automated and manual effort to update, replace, or remove references to insecure resources. For some websites, this can be the most time consuming aspect of the migration process.
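The mixed-content audit described above can be partly automated. The scanner below is an added example (not part of the HTTPS-Only Standard or its reference tooling) that parses one HTML page with Python's standard library and reports every subresource a browser would fetch over plain HTTP, treating relative and protocol-relative URLs as inheriting the page's https:// origin; the sample page and the example.test hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches as a subresource (tuple keeps output order stable).
FETCH_ATTRS = ("src", "href", "data", "poster", "srcset")
# <link rel=...> values that are navigation hints rather than resources the page loads.
NAV_RELS = {"alternate", "canonical", "author", "license", "next", "prev", "help", "search"}

class MixedContentScanner(HTMLParser):
    """Collects subresource references that a browser would fetch over plain HTTP."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url  # the HTTPS URL the page is served from
        self.findings: list[tuple[str, str, str]] = []  # (tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <a href> is navigation, not a subresource; likewise <link> variants that load nothing.
        if tag == "a" or (tag == "link" and (attrs.get("rel") or "").lower() in NAV_RELS):
            return
        for name in FETCH_ATTRS:
            value = attrs.get(name)
            if not value:
                continue
            # srcset holds comma-separated "url descriptor" pairs; check each URL in it.
            raw_urls = ([value] if name != "srcset"
                        else [item.split()[0] for item in value.split(",") if item.strip()])
            for raw in raw_urls:
                # Relative/protocol-relative URLs inherit https:// from the page; only absolute http:// is mixed content.
                resolved = urljoin(self.page_url, raw.strip())
                if urlsplit(resolved).scheme == "http":
                    self.findings.append((tag, name, resolved))

def scan_html(html: str, page_url: str) -> list[tuple[str, str, str]]:
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page (not from any real site), assumed to be served from an HTTPS origin.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://www.example.test/">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="/images/seal.png">
<img src="http://img.example.test/banner.jpg" srcset="http://img.example.test/banner@2x.jpg 2x">
<a href="http://other.example.test/">external link</a>
</body></html>"""
```

Running `scan_html(SAMPLE_HTML, "https://www.example.test/")` flags the stylesheet, the banner image and its srcset entry, while the canonical link, the protocol-relative script, the site-relative image and the plain hyperlink pass; CSS `url()` references and inline scripts are outside what this parser inspects.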

APIs and Services: Web services that serve primarily non-browser clients, such as web APIs, may require a more gradual and hands-on migration strategy, as not all clients can be expected to be configured for HTTPS connections or to successfully follow redirects.

Planning for Change: Protocols and web standards improve regularly, and security vulnerabilities can emerge that require prompt attention. Federal websites and services should deploy HTTPS in a manner that allows for rapid updates to configuration and replacement of certificates.

Strict Transport Security: Websites and services available over HTTPS must enable HTTP Strict Transport Security (HSTS) to instruct compliant browsers to assume HTTPS going forward. This reduces insecure redirects, and protects users against attacks that attempt to downgrade connections to plain HTTP. Once HSTS is in place, domains can be submitted to a “preload list” used by all major browsers to ensure the HSTS policy is in effect at all times.

Domain Name System Security (DNSSEC): This proposal does not rescind or conflict with M-08-23, “Securing the Federal Government’s Domain Name System Infrastructure”. Once DNS resolution is complete, DNSSEC does not ensure the privacy or integrity of communication between a client and the destination IP. HTTPS provides this additional security.

Cost Effective Implementation

Implementing an HTTPS-only standard does not come without cost. A significant number of Federal websites have already deployed HTTPS. The goal of this proposal is to increase that adoption.

The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time. The development burden will vary substantially based on the size and technical infrastructure of a site. The proposed compliance timeline provides sufficient flexibility for project planning and resource alignment.