Washington, DC - In another step to enhance the FTC’s website, I'm pleased to announce that our agency has enabled encryption by default (HTTPS) for ftc.gov, our primary public domain, and home of the Tech@FTC blog. Ironically, as I was preparing this post, the entire internet has been FREAKing out about another vulnerability in SSL.
While we have long provided secure transport for FTC domains that handle sensitive consumer data, such as complaint data and email subscriptions, consumers will now browse our entire site more privately, and their browsers will automatically verify the identity of the website to which they're connecting – an important step to mitigate attempts to impersonate the FTC.
As a quick primer, HTTPS encrypts your communications with a website while they are in transit, so that only your browser and that website can read them, and it lets your browser check that the site's certificate was issued for the domain you typed. The lock icon now appearing in your browser means that the connection is encrypted and the certificate was validated, so eavesdroppers on the network can neither read nor tamper with the traffic; it says nothing about whether the content itself is trustworthy. At this time, secure browsing is generally not a requirement for federal websites, but it is considered an industry best practice.
Transit encryption is an important safeguard against eavesdroppers and has been the subject of previous investigations where we alleged companies failed to live up to their security promises when collecting personal information. It’s an important step when websites or apps collect personal information, and is a great best practice even if they don’t.
Our mobile app developer business guidance also highlights the importance of using HTTPS:
Use transit encryption for usernames, passwords, and other important data.
Anytime your app transmits usernames, passwords, API keys, or other types of important data, use transit encryption. Mobile devices commonly rely on unsecure Wi-Fi access points at coffee shops, airports, and the like — and it’s easy for troublemakers to snoop and intercept connections.
To protect users, developers often deploy SSL/TLS in the form of HTTPS. Consider using HTTPS or another industry-standard method. There’s no need to reinvent the wheel. If you use HTTPS, use a digital certificate and ensure your app checks it properly. A no-frills digital certificate from a reputable vendor is inexpensive and helps your customers ensure they’re communicating with your servers, and not someone else’s. But standards change, so keep an eye on current technologies, and make sure you’re using the latest and greatest security features.
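To make "ensure your app checks it properly" concrete, here is an added example written for this post; it is not FTC code and not part of the business guidance quoted above. Using only Python's standard `ssl` module, it builds the client configuration an app should ship beside the "accept anything" configuration that is often left in from debugging, and a small audit function that reports which checks a configuration would skip. The function names and the audit rules are this example's own choices; no network connection is made, so it runs offline.

```python
"""Illustrative TLS-client configuration audit (added example, not FTC code).

"Checking the certificate properly" means three things for a client:
the chain must validate against a trust store, the name in the certificate
must match the host the app intended to reach, and legacy protocol versions
must be off. Each function below is an assumption of this example, not an
API the FTC guidance prescribes.
"""
import ssl


def secure_client_context() -> ssl.SSLContext:
    """Context an app should use for its HTTPS connections.

    create_default_context() already sets verify_mode=CERT_REQUIRED and
    check_hostname=True against the platform trust store; the minimum
    version is pinned explicitly so older interpreters behave the same.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern: any certificate from anyone is accepted.

    On the coffee-shop Wi-Fi the guidance describes, an active attacker
    can present a certificate for any name and the app will talk to them
    as if they were the real server. check_hostname must be turned off
    before verify_mode can be lowered, which is why the order matters.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Accept whatever the library supports, including TLS 1.0 where built in.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for a client context; an empty list means the
    context would reject a forged, expired or mismatched certificate
    and refuse to negotiate a legacy protocol version."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not verified: verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("hostname not matched: check_hostname is off")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy versions allowed: minimum_version below TLS 1.2")
    return findings


if __name__ == "__main__":
    for label, ctx in (("secure", secure_client_context()),
                       ("insecure", insecure_client_context())):
        problems = audit_context(ctx)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

A check like `audit_context` belongs in an app's test suite so that a verification bypass added during development cannot ship: any HTTP client library built on top of the context (urllib, http.client, or a third-party client that accepts an `ssl.SSLContext`) inherits whichever of the two configurations it is handed.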
This is just one of many small enhancements that we are rolling out in the coming months in an effort to promote best practices across government. Watch this space.