Washington, DC - I’m pleased to announce that the FTC has joined a number of other federal agencies in deploying additional security best practices for our public consumer websites:
donotcall.gov, ftccomplaintassistant.gov, and hsr.gov.
The websites, which already employ HTTPS encryption, have enabled a feature known as HTTP Strict Transport Security (HSTS) which hardcodes all future communications to be encrypted by default. The result is that when visitors attempt to visit the Do Not Call Registry by entering "donotcall.gov" or clicking a link to http://donotcall.gov, HSTS-enabled browsers will automatically encrypt the connection without any additional instruction from the website. This small tweak reduces the potential for an attacker to maliciously redirect (downgrade) their connection or impersonate an FTC website when connecting from an insecure networks and open Wi-Fi hotspots.
The cross agency effort was motivated by the GSA's 18F team which you can read about here.
This is part of an ongoing effort by federal agencies to improve their websites.