SlideShare a Scribd company logo

OMB M 15-13, Policy to Require Secure Connections across Federal Websites and Web Services

DigitalGov from General Services Administration
DigitalGov from General Services Administration

OMB Memo 15-13 Policy to Require Secure Connections across Federal Websites and Web Services

Government & Nonprofit
1 of 5
Download to read offline
EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 June 8, 2015 M-15-13 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEP FROM: Tony Scott Federal ChiefInformation Officer SUBJECT: Policy to Require Secure Connections across Federal Websites and Web Services This Memorandum requires that all publicly accessible Federal websites and web services1 only provide service through a secure connection. The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS). This Memorandum expands upon the material in prior Office ofManagement and Budget (OMB) guidance found in M-05-042 and relates to material in M-08-233 . It provides guidance to agencies for making the transition to HTTPS and a deadline by which agencies must be in compliance. Background The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data. The majority ofFederal websites use HTTP as the as primary protocol to communicate over the public internet. Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users ofunencrypted Federal websites and services. Data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information. 1 Publicly-accessible websites and services are defined here as online resources and services available over HTTP or HTTPS over the public internet that are maintained in whole or in part by the Federal Government and operated by an agency, contractor, or other organization on behalf of the agency. They present government information or provide services to the public or a specific user group and support the performance of an agency's mission. This definition includes all web interactions, whether a visitor is logged-in or anonymous. 2 https://www.whitehouse.gov/sites/default/files/omb/memoranda/fv2005/m05-04.pdf "Policies for Federal Agency Public Websites" 3 https://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf "Securing the Federal Government's Domain Name System Infrastructure." 1
To address these concerns, many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of Federal websites and services deserve the same protection. Private and secure connections are becoming the Internet's baseline, as expressed by the policies ofthe Internet's standards bodies4 , popular web browsers, and the Internet community ofpractice. The Federal government must adapt to this changing landscape, and benefits by beginning the conversion now. Proactive investment at the Federal level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public. All browsing activity should be considered private and sensitive. An HTTPS-Only standard will eliminate inconsistent, subjective determinations across agencies regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide. Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and may reduce their confidence· in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the Federal Government as a leader in Internet security. What HTTPS Does HTTPS verifies the identity ofa website or web service for a connecting client, and encrypts nearly all information sent between the website or service and the user. Protected information includes cookies, user agent details, URL paths, form submissions, and query string parameters. HTTPS is designed to prevent this information from being read or changed while in transit. HTTPS is a combination ofHTTP and Transport Layer Security (TLS). TLS is a network protocol that establishes an encrypted connection to an authenticated peer over an untrusted network. Browsers and other HTTPS clients are configured to trust a set of certificate authorities5 that can issue cryptographically signed certificates on behalfofweb service owners. These certificates communicate to the client that the web service host demonstrated ownership ofthe domain to the certificate authority at the time of certificate issuance. This prevents unknown or untrusted websites from masquerading as a Federal website or service. 4 https://w3ctag.github.io/web-https/ "The World Wide Web Consortium (W3C)" https://www.internetsociety.org/news/internet-societv-comm·ends-internet-architecture-board­ recommendation-encrvption-defauIt "Internet Society" 5 In the context of HTIPS on the web, a certificate authority is a third party organization or company trusted by browsers and operating systems to issue digital certificates on behalf of domain owners. 2
What HTTPS Doesn't Do HTTPS has several important limitations. IP addresses and destination domain names are not encrypted during communication. Even encrypted traffic can reveal some information indirectly, such as time spent on site, or the size ofrequested resources or submitted information. HTTPS-only guarantees the integrity ofthe connection between two systems, not the systems themselves. It is not designed to protect a web server from being hacked or compromised, or to prevent the web service from exposing user information during its normal operation. Similarly, if a user's system is compromised by an attacker, that system can be altered so that its future HTTPS connections are under the attacker's control. The guarantees of HTTPS may also be weakened or eliminated by compromised or malicious certificate authorities. Challenges and Considerations Site Performance: While encryption adds some computational overhead, modern software and hardware can handle this overhead without substantial deleterious impact on server performance or latency.6 Websites with content delivery networks or server software that supports the SPDY or HTTP/2 protocols, which require HTTPS in some major browsers, may find their site performance substantially improved as a result of migrating to HTTPS. Server Name Indication: The Server Name Indication extension to TLS allows for more efficient use ofiP addresses when serving multiple domains. However, these technologies are not supported by some legacy clients.7 Web service owners should evaluate the feasibility of using this technology to improve performance and efficiency. Mixed Content8 : Websites served over HTTPS need to ensure that all external resources (images, scripts, fonts, iframes, etc.) are also loaded over a secure connection. Modern browsers will refuse to load many insecure resources referenced from within a secure website. When migrating existing websites, this can involve a combination of automated and manual effort to update, replace, or remove references to insecure resources. For some websites, this can be the most time consuming aspect ofthe migration process. APis and Services9: Web services that serve primarily non-browser clients, such as web APis, may require a more gradual and hands-on migration strategy, as not all clients can be expected to be configured for HTTPS connections or to successfully follow redirects. Planning for Change: Protocols and web standards improve regularly, and security vulnerabilities can emerge that require prompt attention. Federal websites and services should deploy HTTPS in a manner that allows for rapid updates to certificates, cipher choices 6 https://istlsfastyet.com 7 https://https.cio.gov/sni/ 11 Server Name Identification" 8 https://https.cio.gov/mixed-content/ 11 Mixed Content" 9 https://https.cio.gov/apis/'Migrating APis" 3
(including forward secrecy10 ) protocol versions, and other configuration elements. Agencies should monitor https.cio.gov and other public resources11 to keep apprised of current best practices. Strict Transport Security: Websites and services available over HTTPS must enable HTTP Strict Transport Security (HSTS)12 to instruct compliant browsers to assume HTTPS going forward. This reduces the number ofinsecure redirects, and protects users against attacks that attempt to downgrade connections to plain HTTP. Once HSTS is in place, domains can be submitted to a "preload list"13 used by all major browsers to ensure the HSTS policy is in effect at all times. Domain Name System Security (DNSSEC): The new policy outlined in this Memorandum does not rescind or conflict with M-08-23, "Securing the Federal Government's Domain Name System Infrastructure."14 Once DNS resolution is complete, DNSSEC does not ensure the privacy or integrity of communication between a client and the destination IP. HTTPS provides this additional security. Cost Effective Implementation Implementing an HTTPS-only standard does not come without a cost. A significant number ofFederal websites have already deployed HTTPS. The goal ofthis policy is to increase that adoption. The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost ofprocuring a certificate and the administrative burden ofmaintenance over time. The development burden will vary substantially based on the size and technical infrastructure of a site. The compliance timeline, outlined in this Memorandum, provides sufficient flexibility for project planning and resource alignment. OMB affirms that tangible benefits to the American public outweigh the cost to the taxpayer. Even a small number ofunofficial or malicious websites claiming to be Federal services, or a small amount of eavesdropping on communication with official U.S. government sites could result in substantial losses to citizens. Technical assistance provided at https://HTTPS.cio.gov will aid in the cost-effective implementation ofthis policy. 10 https:Uhttps.cio.gov/technical-concepts/#forward-secrecy "Forward Secrecy" 11 https:Uhttps.cio.gov/resources/"Resources" 12 https://https.cio.gov/hsts, "Strict Transport Security" 13 https:Uhstspreload.appspot.com 14 https://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf "Securing the Federal Government's Domain Name System Infrastructure." 4
Guidelines In order to promote the efficient and effective deployment ofHTTPS, the timeframe for compliance, outlined below, is both reasonable and practical. This Memorandum requires that Federal agencies deploy HTTPS on their domains using the following guidelines. • Newly developed websites and services at all Federal agency domains or subdomains must adhere to this policy upon launch. • For existing websites and services, agencies should prioritize deployment using a risk­ based analysis. Web services that involve an exchange ofpersonally identifiable information (PII), where the content is unambiguously sensitive in nature, or where the content receives a high-level oftraffic should receive priority and migrate as soon as possible. • Agencies must make all existing websites and services accessible through a secure connection15 (HTTPS-only, with HSTS) by December 31, 2016. • The use ofHTTPS is encouraged on intranets16 , but not explicitly required. To monitor agency compliance, a public dashboard has been established at https://pulse.cio.gov. Technical Assistance Please visit https://HTTPS.cio.gov for technical assistance and best practices to aid in the implementation ofthis policy. For questions regarding this Memorandum, contact Mary A. Lazzeri in the Office ofE­ Government and Information and Technology at egov@omb.eop.gov with "HTTPS-Only Standard" as the subject line. 15 Allowing HTIP connections for the sole purpose of redirecting clients to HTTPS connections is acceptable and encouraged. HSTS headers must specify a max-age of at least 1 year. 16 "Intranet" is defined here as a computer network that is not directly reachable over the public internet. 5

Recommended

Amendment to VenCorps Agreement
Amendment to VenCorps AgreementAmendment to VenCorps Agreement
Amendment to VenCorps AgreementDigitalGov from General Services Administration
 
GAO Social Media Infographic
GAO Social Media InfographicGAO Social Media Infographic
GAO Social Media InfographicDigitalGov from General Services Administration
 
Usability Testing Report Template
Usability Testing Report TemplateUsability Testing Report Template
Usability Testing Report TemplateDigitalGov from General Services Administration
 
Https
HttpsHttps
HttpsBala Bhaskar Karakavalasa
 
HTTP vs HTTPS Difference
HTTP vs HTTPS Difference HTTP vs HTTPS Difference
HTTP vs HTTPS Difference Real Estate
 
HTTP VS. HTTPS: WHICH IS BETTER??
HTTP VS. HTTPS: WHICH IS BETTER??HTTP VS. HTTPS: WHICH IS BETTER??
HTTP VS. HTTPS: WHICH IS BETTER??SEONetsolITSolutions
 
Cloud Computing Assignment 3
Cloud Computing Assignment 3Cloud Computing Assignment 3
Cloud Computing Assignment 3Gurpreet singh
 
Securing Web Application, Services and Servers
Securing Web Application, Services and ServersSecuring Web Application, Services and Servers
Securing Web Application, Services and ServersDr.S.Jagadeesh Kumar
 

Recommended

Amendment to VenCorps Agreement
Amendment to VenCorps AgreementAmendment to VenCorps Agreement
Amendment to VenCorps AgreementDigitalGov from General Services Administration
 
GAO Social Media Infographic
GAO Social Media InfographicGAO Social Media Infographic
GAO Social Media InfographicDigitalGov from General Services Administration
 
Usability Testing Report Template
Usability Testing Report TemplateUsability Testing Report Template
Usability Testing Report TemplateDigitalGov from General Services Administration
 
Https
HttpsHttps
HttpsBala Bhaskar Karakavalasa
 
HTTP vs HTTPS Difference
HTTP vs HTTPS Difference HTTP vs HTTPS Difference
HTTP vs HTTPS Difference Real Estate
 
HTTP VS. HTTPS: WHICH IS BETTER??
HTTP VS. HTTPS: WHICH IS BETTER??HTTP VS. HTTPS: WHICH IS BETTER??
HTTP VS. HTTPS: WHICH IS BETTER??SEONetsolITSolutions
 
Cloud Computing Assignment 3
Cloud Computing Assignment 3Cloud Computing Assignment 3
Cloud Computing Assignment 3Gurpreet singh
 
Securing Web Application, Services and Servers
Securing Web Application, Services and ServersSecuring Web Application, Services and Servers
Securing Web Application, Services and ServersDr.S.Jagadeesh Kumar
 
Web security
Web securityWeb security
Web securitytruong nguyen
 
Https interception
Https interceptionHttps interception
Https interceptionAndrey Apuhtin
 
Hypertext transfer protocol (http)
Hypertext transfer protocol (http)Hypertext transfer protocol (http)
Hypertext transfer protocol (http)johnny19910916
 
An Introduction to Cyber World to a Newbie
An Introduction to Cyber World to a NewbieAn Introduction to Cyber World to a Newbie
An Introduction to Cyber World to a NewbieAnuj Khandelwal
 
HTTP.pptx...............................
HTTP.pptx...............................HTTP.pptx...............................
HTTP.pptx...............................Halabja university - Kurdistan -Iraq
 
Study of http
Study of httpStudy of http
Study of httpDhairya Joshi
 
Web application protocol (WAP)
Web application protocol (WAP) Web application protocol (WAP)
Web application protocol (WAP) OmarJilanijidan2
 
Lec 2.pptx
Lec 2.pptxLec 2.pptx
Lec 2.pptxssuserbab2f4
 
Information System Security
Information System Security Information System Security
Information System Security Elijah Konzo
 
Dn11 c u3_a9_xmm
Dn11 c u3_a9_xmmDn11 c u3_a9_xmm
Dn11 c u3_a9_xmmXochitl Macias Marquez
 
Geek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL AuthenticationGeek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL AuthenticationRapidSSLOnline.com
 
Www and http
Www and httpWww and http
Www and httpbhargav shah
 
Communications Technologies
Communications TechnologiesCommunications Technologies
Communications TechnologiesSarah Jimenez
 
Http_Protocol.pptx
Http_Protocol.pptxHttp_Protocol.pptx
Http_Protocol.pptxAbshar Fatima
 
QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101QAFest
 
attacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfattacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfMohitRampal5
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational TeleportTeleport
 
Ssl tls-beginners-guide
Ssl tls-beginners-guideSsl tls-beginners-guide
Ssl tls-beginners-guideJosephLamineDIALLO
 
HCLT Whitepaper: Accelerated Web Content Delivery
HCLT Whitepaper: Accelerated Web Content DeliveryHCLT Whitepaper: Accelerated Web Content Delivery
HCLT Whitepaper: Accelerated Web Content DeliveryHCL Technologies
 
Open Source Predictive Analytics Pipeline with Apache NiFi and MiniFi Princeton
Open Source Predictive Analytics Pipeline with Apache NiFi and MiniFi PrincetonOpen Source Predictive Analytics Pipeline with Apache NiFi and MiniFi Princeton
Open Source Predictive Analytics Pipeline with Apache NiFi and MiniFi PrincetonTimothy Spann
 
Gifs from Government Records
Gifs from Government RecordsGifs from Government Records
Gifs from Government RecordsDigitalGov from General Services Administration
 
Accessibility for Animated Gifs
Accessibility for Animated GifsAccessibility for Animated Gifs
Accessibility for Animated GifsDigitalGov from General Services Administration
 

More Related Content

Similar to OMB M 15-13, Policy to Require Secure Connections across Federal Websites and Web Services

Hypertext transfer protocol (http)
Hypertext transfer protocol (http)Hypertext transfer protocol (http)
Hypertext transfer protocol (http)johnny19910916
 
An Introduction to Cyber World to a Newbie
An Introduction to Cyber World to a NewbieAn Introduction to Cyber World to a Newbie
An Introduction to Cyber World to a NewbieAnuj Khandelwal
 
Web application protocol (WAP)
Web application protocol (WAP) Web application protocol (WAP)
Web application protocol (WAP) OmarJilanijidan2
 
Information System Security
Information System Security Information System Security
Information System Security Elijah Konzo
 
Geek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL AuthenticationGeek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL AuthenticationRapidSSLOnline.com
 
Communications Technologies
Communications TechnologiesCommunications Technologies
Communications TechnologiesSarah Jimenez
 
QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101QAFest
 
attacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfattacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfMohitRampal5
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational TeleportTeleport
 
HCLT Whitepaper: Accelerated Web Content Delivery
HCLT Whitepaper: Accelerated Web Content DeliveryHCLT Whitepaper: Accelerated Web Content Delivery
HCLT Whitepaper: Accelerated Web Content DeliveryHCL Technologies
 
Open Source Predictive Analytics Pipeline with Apache NiFi and MiniFi Princeton
Open Source Predictive Analytics Pipeline with Apache NiFi and MiniFi PrincetonOpen Source Predictive Analytics Pipeline with Apache NiFi and MiniFi Princeton
Open Source Predictive Analytics Pipeline with Apache NiFi and MiniFi PrincetonTimothy Spann
 

Similar to OMB M 15-13, Policy to Require Secure Connections across Federal Websites and Web Services (20)

Web security
Web securityWeb security
Web security
 
Https interception
Https interceptionHttps interception
Https interception
 
Hypertext transfer protocol (http)
Hypertext transfer protocol (http)Hypertext transfer protocol (http)
Hypertext transfer protocol (http)
 
An Introduction to Cyber World to a Newbie
An Introduction to Cyber World to a NewbieAn Introduction to Cyber World to a Newbie
An Introduction to Cyber World to a Newbie
 
HTTP.pptx...............................
HTTP.pptx...............................HTTP.pptx...............................
HTTP.pptx...............................
 
Study of http
Study of httpStudy of http
Study of http
 
Web application protocol (WAP)
Web application protocol (WAP) Web application protocol (WAP)
Web application protocol (WAP)
 
Lec 2.pptx
Lec 2.pptxLec 2.pptx
Lec 2.pptx
 
Information System Security
Information System Security Information System Security
Information System Security
 
Dn11 c u3_a9_xmm
Dn11 c u3_a9_xmmDn11 c u3_a9_xmm
Dn11 c u3_a9_xmm
 
Geek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL AuthenticationGeek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL Authentication
 
Www and http
Www and httpWww and http
Www and http
 
Communications Technologies
Communications TechnologiesCommunications Technologies
Communications Technologies
 
Http_Protocol.pptx
Http_Protocol.pptxHttp_Protocol.pptx
Http_Protocol.pptx
 
QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101
 
attacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfattacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdf
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational Teleport
 
Ssl tls-beginners-guide
Ssl tls-beginners-guideSsl tls-beginners-guide
Ssl tls-beginners-guide
 
HCLT Whitepaper: Accelerated Web Content Delivery
HCLT Whitepaper: Accelerated Web Content DeliveryHCLT Whitepaper: Accelerated Web Content Delivery
HCLT Whitepaper: Accelerated Web Content Delivery
 
Open Source Predictive Analytics Pipeline with Apache NiFi and MiniFi Princeton
Open Source Predictive Analytics Pipeline with Apache NiFi and MiniFi PrincetonOpen Source Predictive Analytics Pipeline with Apache NiFi and MiniFi Princeton
Open Source Predictive Analytics Pipeline with Apache NiFi and MiniFi Princeton
 

More from DigitalGov from General Services Administration

More from DigitalGov from General Services Administration (20)

Gifs from Government Records
Gifs from Government RecordsGifs from Government Records
Gifs from Government Records
 
Accessibility for Animated Gifs
Accessibility for Animated GifsAccessibility for Animated Gifs
Accessibility for Animated Gifs
 
Peace Corps and Animated Gifs
Peace Corps and Animated GifsPeace Corps and Animated Gifs
Peace Corps and Animated Gifs
 
USA.gov Contact Center Case Study: JD Power Assessment & Customer Satisfactio...
USA.gov Contact Center Case Study: JD Power Assessment & Customer Satisfactio...USA.gov Contact Center Case Study: JD Power Assessment & Customer Satisfactio...
USA.gov Contact Center Case Study: JD Power Assessment & Customer Satisfactio...
 
Collecting Customer Experience Data
Collecting Customer Experience DataCollecting Customer Experience Data
Collecting Customer Experience Data
 
Introduction - Equal Employment Opportunity Commission (EEOC)
Introduction - Equal Employment Opportunity Commission (EEOC) Introduction - Equal Employment Opportunity Commission (EEOC)
Introduction - Equal Employment Opportunity Commission (EEOC)
 
Cdc clear communication index webinar slides
Cdc clear communication index webinar slidesCdc clear communication index webinar slides
Cdc clear communication index webinar slides
 
Webinar: IdeaBox: An Open Source Internal Ideation Tool from CFPB
Webinar: IdeaBox: An Open Source Internal Ideation Tool from CFPBWebinar: IdeaBox: An Open Source Internal Ideation Tool from CFPB
Webinar: IdeaBox: An Open Source Internal Ideation Tool from CFPB
 
Optimizing your public sector web analytics program pt3
Optimizing your public sector web analytics program pt3Optimizing your public sector web analytics program pt3
Optimizing your public sector web analytics program pt3
 
Optimizing your public sector web analytics program pt2
Optimizing your public sector web analytics program pt2Optimizing your public sector web analytics program pt2
Optimizing your public sector web analytics program pt2
 
Optimizing your public sector web analytics program pt1
Optimizing your public sector web analytics program pt1Optimizing your public sector web analytics program pt1
Optimizing your public sector web analytics program pt1
 
Prizes, Contracts & Grants: What Should I Do?
Prizes, Contracts & Grants: What Should I Do?Prizes, Contracts & Grants: What Should I Do?
Prizes, Contracts & Grants: What Should I Do?
 
Gs awebinar al
Gs awebinar alGs awebinar al
Gs awebinar al
 
Deconstructing Challenges Webinar
Deconstructing Challenges WebinarDeconstructing Challenges Webinar
Deconstructing Challenges Webinar
 
Amendment to Yammer, Inc. Terms of Service (TOS)
Amendment to Yammer, Inc. Terms of Service (TOS)Amendment to Yammer, Inc. Terms of Service (TOS)
Amendment to Yammer, Inc. Terms of Service (TOS)
 
Hulu Content Deal Memorandum
Hulu Content Deal MemorandumHulu Content Deal Memorandum
Hulu Content Deal Memorandum
 
Amendment to LinkedIn User Agreement
Amendment to LinkedIn User AgreementAmendment to LinkedIn User Agreement
Amendment to LinkedIn User Agreement
 
MeetUp Terms of Service (TOS) Amendment
MeetUp Terms of Service (TOS) AmendmentMeetUp Terms of Service (TOS) Amendment
MeetUp Terms of Service (TOS) Amendment
 
MySpace Side Letter Agreement, Execution Version
MySpace Side Letter Agreement, Execution VersionMySpace Side Letter Agreement, Execution Version
MySpace Side Letter Agreement, Execution Version
 
Slideshare Terms of Service (TOS) Amendment
Slideshare Terms of Service (TOS) AmendmentSlideshare Terms of Service (TOS) Amendment
Slideshare Terms of Service (TOS) Amendment
 

Recently uploaded

How to design healthy team dynamics to deliver successful digital projects.pptx
How to design healthy team dynamics to deliver successful digital projects.pptxHow to design healthy team dynamics to deliver successful digital projects.pptx
How to design healthy team dynamics to deliver successful digital projects.pptxTechSoupConnectLondo
 
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...narwatsonia7
 
Action Toolkit - Earth Day 2024 - April 22nd.
Action Toolkit - Earth Day 2024 - April 22nd.Action Toolkit - Earth Day 2024 - April 22nd.
Action Toolkit - Earth Day 2024 - April 22nd.Christina Parmionova
 
call girls in Laxmi Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Laxmi Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Laxmi Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Laxmi Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...
High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...
High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...Christina Parmionova
 
Angels_EDProgrammes & Services 2024.pptx
Angels_EDProgrammes & Services 2024.pptxAngels_EDProgrammes & Services 2024.pptx
Angels_EDProgrammes & Services 2024.pptxLizelle Coombs
 
Yellow is My Favorite Color By Annabelle.pdf
Yellow is My Favorite Color By Annabelle.pdfYellow is My Favorite Color By Annabelle.pdf
Yellow is My Favorite Color By Annabelle.pdfAmir Saranga
 
2024: The FAR, Federal Acquisition Regulations - Part 26
2024: The FAR, Federal Acquisition Regulations - Part 262024: The FAR, Federal Acquisition Regulations - Part 26
2024: The FAR, Federal Acquisition Regulations - Part 26JSchaus & Associates
 
办理约克大学毕业证成绩单|购买加拿大文凭证书
办理约克大学毕业证成绩单|购买加拿大文凭证书办理约克大学毕业证成绩单|购买加拿大文凭证书
办理约克大学毕业证成绩单|购买加拿大文凭证书zdzoqco
 
Start Donating your Old Clothes to Poor People
Start Donating your Old Clothes to Poor PeopleStart Donating your Old Clothes to Poor People
Start Donating your Old Clothes to Poor PeopleSERUDS INDIA
 
Monastic-Supremacy-in-the-Philippines-_20240328_092725_0000.pdf
Monastic-Supremacy-in-the-Philippines-_20240328_092725_0000.pdfMonastic-Supremacy-in-the-Philippines-_20240328_092725_0000.pdf
Monastic-Supremacy-in-the-Philippines-_20240328_092725_0000.pdfCharlynTorres1
 
call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...saminamagar
 
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
history of 1935 philippine constitution.pptx
history of 1935 philippine constitution.pptxhistory of 1935 philippine constitution.pptx
history of 1935 philippine constitution.pptxhellokittymaearciaga
 
Madurai Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Madurai Call Girls 7001305949 WhatsApp Number 24x7 Best ServicesMadurai Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Madurai Call Girls 7001305949 WhatsApp Number 24x7 Best Servicesnajka9823
 
call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...ResolutionFoundation
 
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...narwatsonia7
 
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 

Recently uploaded (20)

How to design healthy team dynamics to deliver successful digital projects.pptx
How to design healthy team dynamics to deliver successful digital projects.pptxHow to design healthy team dynamics to deliver successful digital projects.pptx
How to design healthy team dynamics to deliver successful digital projects.pptx
 
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
 
Action Toolkit - Earth Day 2024 - April 22nd.
Action Toolkit - Earth Day 2024 - April 22nd.Action Toolkit - Earth Day 2024 - April 22nd.
Action Toolkit - Earth Day 2024 - April 22nd.
 
call girls in Laxmi Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Laxmi Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Laxmi Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Laxmi Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...
High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...
High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...
 
Angels_EDProgrammes & Services 2024.pptx
Angels_EDProgrammes & Services 2024.pptxAngels_EDProgrammes & Services 2024.pptx
Angels_EDProgrammes & Services 2024.pptx
 
Yellow is My Favorite Color By Annabelle.pdf
Yellow is My Favorite Color By Annabelle.pdfYellow is My Favorite Color By Annabelle.pdf
Yellow is My Favorite Color By Annabelle.pdf
 
2024: The FAR, Federal Acquisition Regulations - Part 26
2024: The FAR, Federal Acquisition Regulations - Part 262024: The FAR, Federal Acquisition Regulations - Part 26
2024: The FAR, Federal Acquisition Regulations - Part 26
 
办理约克大学毕业证成绩单|购买加拿大文凭证书
办理约克大学毕业证成绩单|购买加拿大文凭证书办理约克大学毕业证成绩单|购买加拿大文凭证书
办理约克大学毕业证成绩单|购买加拿大文凭证书
 
Start Donating your Old Clothes to Poor People
Start Donating your Old Clothes to Poor PeopleStart Donating your Old Clothes to Poor People
Start Donating your Old Clothes to Poor People
 
Monastic-Supremacy-in-the-Philippines-_20240328_092725_0000.pdf
Monastic-Supremacy-in-the-Philippines-_20240328_092725_0000.pdfMonastic-Supremacy-in-the-Philippines-_20240328_092725_0000.pdf
Monastic-Supremacy-in-the-Philippines-_20240328_092725_0000.pdf
 
call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
 
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
history of 1935 philippine constitution.pptx
history of 1935 philippine constitution.pptxhistory of 1935 philippine constitution.pptx
history of 1935 philippine constitution.pptx
 
Madurai Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Madurai Call Girls 7001305949 WhatsApp Number 24x7 Best ServicesMadurai Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Madurai Call Girls 7001305949 WhatsApp Number 24x7 Best Services
 
call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...
 
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
 
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 

OMB M 15-13, Policy to Require Secure Connections across Federal Websites and Web Services

  • 1. EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 June 8, 2015 M-15-13 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEP FROM: Tony Scott Federal ChiefInformation Officer SUBJECT: Policy to Require Secure Connections across Federal Websites and Web Services This Memorandum requires that all publicly accessible Federal websites and web services1 only provide service through a secure connection. The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS). This Memorandum expands upon the material in prior Office ofManagement and Budget (OMB) guidance found in M-05-042 and relates to material in M-08-233 . It provides guidance to agencies for making the transition to HTTPS and a deadline by which agencies must be in compliance. Background The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data. The majority ofFederal websites use HTTP as the as primary protocol to communicate over the public internet. Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users ofunencrypted Federal websites and services. Data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information. 1 Publicly-accessible websites and services are defined here as online resources and services available over HTTP or HTTPS over the public internet that are maintained in whole or in part by the Federal Government and operated by an agency, contractor, or other organization on behalf of the agency. They present government information or provide services to the public or a specific user group and support the performance of an agency's mission. This definition includes all web interactions, whether a visitor is logged-in or anonymous. 2 https://www.whitehouse.gov/sites/default/files/omb/memoranda/fv2005/m05-04.pdf "Policies for Federal Agency Public Websites" 3 https://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf "Securing the Federal Government's Domain Name System Infrastructure." 1
  • 2. To address these concerns, many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of Federal websites and services deserve the same protection. Private and secure connections are becoming the Internet's baseline, as expressed by the policies ofthe Internet's standards bodies4 , popular web browsers, and the Internet community ofpractice. The Federal government must adapt to this changing landscape, and benefits by beginning the conversion now. Proactive investment at the Federal level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public. All browsing activity should be considered private and sensitive. An HTTPS-Only standard will eliminate inconsistent, subjective determinations across agencies regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide. Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and may reduce their confidence· in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the Federal Government as a leader in Internet security. What HTTPS Does HTTPS verifies the identity ofa website or web service for a connecting client, and encrypts nearly all information sent between the website or service and the user. Protected information includes cookies, user agent details, URL paths, form submissions, and query string parameters. HTTPS is designed to prevent this information from being read or changed while in transit. HTTPS is a combination ofHTTP and Transport Layer Security (TLS). TLS is a network protocol that establishes an encrypted connection to an authenticated peer over an untrusted network. Browsers and other HTTPS clients are configured to trust a set of certificate authorities5 that can issue cryptographically signed certificates on behalfofweb service owners. These certificates communicate to the client that the web service host demonstrated ownership ofthe domain to the certificate authority at the time of certificate issuance. This prevents unknown or untrusted websites from masquerading as a Federal website or service. 4 https://w3ctag.github.io/web-https/ "The World Wide Web Consortium (W3C)" https://www.internetsociety.org/news/internet-societv-comm·ends-internet-architecture-board­ recommendation-encrvption-defauIt "Internet Society" 5 In the context of HTIPS on the web, a certificate authority is a third party organization or company trusted by browsers and operating systems to issue digital certificates on behalf of domain owners. 2
  • 3. What HTTPS Doesn't Do HTTPS has several important limitations. IP addresses and destination domain names are not encrypted during communication. Even encrypted traffic can reveal some information indirectly, such as time spent on site, or the size ofrequested resources or submitted information. HTTPS-only guarantees the integrity ofthe connection between two systems, not the systems themselves. It is not designed to protect a web server from being hacked or compromised, or to prevent the web service from exposing user information during its normal operation. Similarly, if a user's system is compromised by an attacker, that system can be altered so that its future HTTPS connections are under the attacker's control. The guarantees of HTTPS may also be weakened or eliminated by compromised or malicious certificate authorities. Challenges and Considerations Site Performance: While encryption adds some computational overhead, modern software and hardware can handle this overhead without substantial deleterious impact on server performance or latency.6 Websites with content delivery networks or server software that supports the SPDY or HTTP/2 protocols, which require HTTPS in some major browsers, may find their site performance substantially improved as a result of migrating to HTTPS. Server Name Indication: The Server Name Indication extension to TLS allows for more efficient use ofiP addresses when serving multiple domains. However, these technologies are not supported by some legacy clients.7 Web service owners should evaluate the feasibility of using this technology to improve performance and efficiency. Mixed Content8 : Websites served over HTTPS need to ensure that all external resources (images, scripts, fonts, iframes, etc.) are also loaded over a secure connection. Modern browsers will refuse to load many insecure resources referenced from within a secure website. When migrating existing websites, this can involve a combination of automated and manual effort to update, replace, or remove references to insecure resources. For some websites, this can be the most time consuming aspect ofthe migration process. APis and Services9: Web services that serve primarily non-browser clients, such as web APis, may require a more gradual and hands-on migration strategy, as not all clients can be expected to be configured for HTTPS connections or to successfully follow redirects. Planning for Change: Protocols and web standards improve regularly, and security vulnerabilities can emerge that require prompt attention. Federal websites and services should deploy HTTPS in a manner that allows for rapid updates to certificates, cipher choices 6 https://istlsfastyet.com 7 https://https.cio.gov/sni/ 11 Server Name Identification" 8 https://https.cio.gov/mixed-content/ 11 Mixed Content" 9 https://https.cio.gov/apis/'Migrating APis" 3
  • 4. (including forward secrecy10 ) protocol versions, and other configuration elements. Agencies should monitor https.cio.gov and other public resources11 to keep apprised of current best practices. Strict Transport Security: Websites and services available over HTTPS must enable HTTP Strict Transport Security (HSTS)12 to instruct compliant browsers to assume HTTPS going forward. This reduces the number ofinsecure redirects, and protects users against attacks that attempt to downgrade connections to plain HTTP. Once HSTS is in place, domains can be submitted to a "preload list"13 used by all major browsers to ensure the HSTS policy is in effect at all times. Domain Name System Security (DNSSEC): The new policy outlined in this Memorandum does not rescind or conflict with M-08-23, "Securing the Federal Government's Domain Name System Infrastructure."14 Once DNS resolution is complete, DNSSEC does not ensure the privacy or integrity of communication between a client and the destination IP. HTTPS provides this additional security. Cost Effective Implementation Implementing an HTTPS-only standard does not come without a cost. A significant number ofFederal websites have already deployed HTTPS. The goal ofthis policy is to increase that adoption. The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost ofprocuring a certificate and the administrative burden ofmaintenance over time. The development burden will vary substantially based on the size and technical infrastructure of a site. The compliance timeline, outlined in this Memorandum, provides sufficient flexibility for project planning and resource alignment. OMB affirms that tangible benefits to the American public outweigh the cost to the taxpayer. Even a small number ofunofficial or malicious websites claiming to be Federal services, or a small amount of eavesdropping on communication with official U.S. government sites could result in substantial losses to citizens. Technical assistance provided at https://HTTPS.cio.gov will aid in the cost-effective implementation ofthis policy. 10 https:Uhttps.cio.gov/technical-concepts/#forward-secrecy "Forward Secrecy" 11 https:Uhttps.cio.gov/resources/"Resources" 12 https://https.cio.gov/hsts, "Strict Transport Security" 13 https:Uhstspreload.appspot.com 14 https://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf "Securing the Federal Government's Domain Name System Infrastructure." 4
  • 5. Guidelines In order to promote the efficient and effective deployment ofHTTPS, the timeframe for compliance, outlined below, is both reasonable and practical. This Memorandum requires that Federal agencies deploy HTTPS on their domains using the following guidelines. • Newly developed websites and services at all Federal agency domains or subdomains must adhere to this policy upon launch. • For existing websites and services, agencies should prioritize deployment using a risk­ based analysis. Web services that involve an exchange ofpersonally identifiable information (PII), where the content is unambiguously sensitive in nature, or where the content receives a high-level oftraffic should receive priority and migrate as soon as possible. • Agencies must make all existing websites and services accessible through a secure connection15 (HTTPS-only, with HSTS) by December 31, 2016. • The use ofHTTPS is encouraged on intranets16 , but not explicitly required. To monitor agency compliance, a public dashboard has been established at https://pulse.cio.gov. Technical Assistance Please visit https://HTTPS.cio.gov for technical assistance and best practices to aid in the implementation ofthis policy. For questions regarding this Memorandum, contact Mary A. Lazzeri in the Office ofE­ Government and Information and Technology at egov@omb.eop.gov with "HTTPS-Only Standard" as the subject line. 15 Allowing HTIP connections for the sole purpose of redirecting clients to HTTPS connections is acceptable and encouraged. HSTS headers must specify a max-age of at least 1 year. 16 "Intranet" is defined here as a computer network that is not directly reachable over the public internet. 5