HTTPS

Last updated December 10, 2018

This data measures how well federal web services support the HTTPS protocol (https://). HTTPS provides a secure connection across the internet between web services and their users. Federal agencies are required to enforce HTTPS and use HSTS (HTTP Strict Transport Security) as part of the White House Office of Management and Budget's M-15-13 and the Department of Homeland Security's Binding Operational Directive 18-01. BOD 18-01 also requires that agencies remove support for known-weak cryptography by disabling the RC4 and 3DES ciphers, and the SSLv2 and SSLv3 protocols.

All data below is collected from publicly available data sources on December 10, 2018, and must be considered public. See the technical guidance for more information on how this data is collected and measured. Agencies with questions about their results shown here can contact pulse@cio.gov.

Below you will find some helpful tips to help guide you towards getting a better score on Pulse for your domain or agency. For any further questions, please visit our frequently asked questions or email pulse@cio.gov.

What domains are measured?

Pulse measures the deployment of HTTPS and HSTS for publicly accessible .gov domains in the federal government's executive branch. Domains which do nothing but redirect to other websites are measured.

This currently amounts to around 1,200 domains. Official .gov domain data can be downloaded from the DotGov program.

What subdomains are measured?

Pulse currently measures .gov subdomains that are publicly accessible over HTTP that belong to any of the measured parent .gov domains. These subdomains are discovered from existing public sources:

  • Censys: Censys publishes a large dataset of observed and issued certificates, updated nightly. This includes all certificates observed on the public internet from daily scans of the IPv4 space, as well as all certificates submitted to public Certificate Transparency logs.
  • End of Term Web Archive: The End of Term Web Archive is a collaboration between the Library of Congress, the Government Publishing Office, the Internet Archive, and others, to extensively crawl and archive federal government websites at the conclusion of every presidential term. We pull hostname information from their published 2016 dataset.
  • Digital Analytics Program: The Digital Analytics Program (DAP) publishes a dataset of federal hostnames, updated nightly. This includes hostnames for which the DAP observed at least one recorded visit in the previous 14 days.
  • Rapid7 Reverse DNS data: Rapid7 publishes a large bulk dataset of Reverse DNS data from the IPv4 space. Their data is updated roughly daily, but due to its size, Pulse uses a snapshot of their data, filtered down to just .gov and .fed.us hostnames, updated on an occasional basis. This snapshot is stored in a GSA GitHub repository, and can be downloaded directly as a CSV here.
  • Other public .gov websites: Additional .gov hostnames of publicly accessible services, collected manually, typically by government staff at GSA or DHS. This data is stored in a GSA GitHub repository, and can be downloaded directly as a CSV here.

Pulse gathers .gov hostnames from the above sources, and then scans each hostname over the public internet to measure whether it is accessible over HTTP or HTTPS. Pulse only displays results for publicly accessible federal .gov subdomains.
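The hostname-discovery step above amounts to taking bulk hostname data and keeping only names that fall under a measured parent domain. The following is an added example, not Pulse's or domain-scan's own code: it filters a constructed reverse-DNS-style CSV (the `ip,hostname` layout is an assumption) down to subdomains of a constructed parent list, normalising case and trailing dots and rejecting look-alikes such as `notexample.gov` or `example.gov.attacker.example` that a naive substring match would accept.

```python
# Added example (not Pulse's own code): filter a constructed reverse-DNS
# snapshot down to hostnames under a measured parent domain. The CSV
# layout, column names and parent list are assumptions for illustration.
import csv
import io
from typing import Dict, Optional, Set

# Constructed sample records in an assumed "ip,hostname" layout (not real data).
SAMPLE_RDNS_CSV = """ip,hostname
192.0.2.10,www.example.gov
192.0.2.11,MAIL.Example.GOV.
192.0.2.12,api.other.gov
192.0.2.13,example.gov.attacker.example
192.0.2.14,notexample.gov
192.0.2.15,intranet.example.fed.us
192.0.2.16,example.gov
"""

# Constructed stand-in for the list of measured parent domains.
MEASURED_PARENTS: Set[str] = {"example.gov", "example.fed.us"}


def normalize_hostname(name: str) -> str:
    """Lower-case the name and drop the trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()


def parent_domain(hostname: str, parents: Set[str]) -> Optional[str]:
    """Return the measured parent this hostname belongs to, or None.

    A hostname is in scope only if it equals a parent or ends with
    '.' + parent. Requiring the dot stops 'notexample.gov' from matching
    'example.gov'; requiring a suffix match stops
    'example.gov.attacker.example' from matching.
    """
    for parent in parents:
        if hostname == parent or hostname.endswith("." + parent):
            return parent
    return None


def discover_subdomains(csv_text: str, parents: Set[str]) -> Dict[str, str]:
    """Map each in-scope subdomain to its parent; bare parents are skipped."""
    found: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = normalize_hostname(row["hostname"])
        parent = parent_domain(host, parents)
        if parent is None or host == parent:
            continue
        found[host] = parent
    return found


if __name__ == "__main__":
    for host, parent in sorted(discover_subdomains(SAMPLE_RDNS_CSV, MEASURED_PARENTS).items()):
        print(f"{host}  (parent: {parent})")
```

The label-boundary check is the part worth keeping when adapting this to a real snapshot: a plain `"example.gov" in hostname` test would pull unrelated or attacker-controlled names into the scan set.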

Implementing HTTPS

The process of enabling and enforcing strong HTTPS for a web service can vary widely based on the technology, size, and age of the service.

Agencies working on deploying HTTPS are encouraged to consult https.cio.gov for detailed best practices and technical guidance. https.cio.gov is open source, and agencies are very much encouraged to contribute their own expertise and case studies.

Measuring HTTPS

Pulse analyzes the behavior of four "endpoints" of every domain and subdomain: http://, http://www, https://, and https://www. Data from these endpoints is used to characterize the overall behavior of a domain or subdomain. These measurements are performed using open source tools:

  • pshtt, a Python-based HTTPS and HSTS scanning tool maintained by the Department of Homeland Security as an open source collaboration between DHS, the General Services Administration, Lawrence Livermore National Laboratory, NASA, and other contributors.
  • domain-scan, a Python-based tool used for hostname discovery and scanner orchestration. The domain-scan tool is used to discover public subdomains from various sources, and to efficiently coordinate and parallelize pshtt, sslyze, and other tools for large batch scans. The domain-scan tool is maintained by the General Services Administration, and receives use and contributions by the Department of Homeland Security and others.
  • SSLyze, a Python-based tool used for analyzing the TLS/SSL configuration of a given hostname. SSLyze is maintained by an independent author.

While Pulse uses these tools to scan publicly accessible services, agencies can easily make use of these tools themselves in order to scan their internal services.

Fields

  • Enforces HTTPS
      • Values: No, Yes
      • Whether a service uses and enforces HTTPS by default. This can be done by redirecting a service's HTTP endpoints to HTTPS, or by only being available over HTTPS.
  • HSTS
      • Values: No, Yes, Preloaded
      • Whether a domain has implemented HTTP Strict Transport Security, which ensures that modern web browsers will only ever communicate with a domain over HTTPS (even if the user clicks or types in a plain HTTP link).
      • "Preloaded" means that the subdomain is considered to be HSTS-compliant due to its parent domain having been preloaded in modern browsers.
      • "Yes" means that a valid Strict-Transport-Security header with a max-age value (in seconds) of at least 1 year (31536000) is present on the domain's default endpoint.
      • "No" means that the HSTS header is either missing, or using a max-age of less than 1 year.
  • Free of RC4/3DES and SSLv2/SSLv3
      • Values: "Yes", "No, uses [...]"
      • "Yes" means that the service's primary endpoint does not use the RC4 or 3DES ciphers, and has disabled the SSLv2 and SSLv3 protocols. Disabling these ciphers and protocols is a requirement of the Department of Homeland Security's Binding Operational Directive 18-01.
      • "No, uses [...]" will show what known-weak ciphers and protocols are still in use. Examples include "No, uses SSLv2", or "No, uses 3DES, RC4", etc.
  • Preloaded
      • Values: No, Ready, Yes
      • "Yes" means that the domain is actually in the publicly versioned Chrome preload list, and has the include_subdomains flag enabled in that list. Reaching this step effectively means that a domain's namespace is permanently and fully committed to HTTPS. Note: All domains can be preloaded, even those that don't serve a website. If you want to preload your domain but can't or don't wish to serve HTTP headers there, contact the DotGov program to have them preload your domain with browsers directly.
      • "Ready" means that the domain has implemented a strong HSTS policy on its bare domain whose policy covers all subdomains, and has indicated consent to preloading by all major browsers as HTTPS-only. If the domain can be safely preloaded, the domain owner should visit the preloading form and submit their domain.
      • "No" means the domain has not been preloaded, and there is no HSTS policy indicating consent to be preloaded.
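To make the four-endpoint measurement and the field definitions above concrete, here is an added example that is not Pulse's or pshtt's own code. It takes a constructed per-endpoint scan result (the dictionary layout, key names, and sample values are assumptions) and derives the Enforces HTTPS, HSTS, Free of RC4/3DES and SSLv2/SSLv3, and Preloaded values using the thresholds stated on this page: a max-age of at least 31536000 seconds, the includeSubDomains and preload directives for "Ready", and the RC4/3DES/SSLv2/SSLv3 list for weak crypto. The header parser handles case-insensitive directive names and a quoted max-age, both of which are valid and both of which a naive string match would miss.

```python
# Added example (not Pulse's or pshtt's code): compute the four Pulse fields
# from a constructed scan result. Input layout and sample values are
# assumptions for illustration; cipher names are the short labels Pulse
# reports rather than full TLS cipher-suite names.
from typing import Dict, Optional

ONE_YEAR = 31536000  # minimum HSTS max-age (seconds) that Pulse counts as "Yes"
WEAK_CIPHERS = {"RC4", "3DES"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}


def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Parse a Strict-Transport-Security header into its directives.

    Returns None when the header is missing or carries no numeric max-age.
    Directive names are case-insensitive and max-age may be quoted.
    """
    if not header:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def enforces_https(scan: dict) -> str:
    """'Yes' if every live HTTP endpoint redirects to https://, or none is live."""
    for name in ("http", "http_www"):
        ep = scan["endpoints"].get(name)
        if ep is None or not ep["live"]:
            continue  # HTTPS-only services have no live HTTP endpoint
        if not (ep.get("redirect_to") or "").startswith("https://"):
            return "No"
    return "Yes"


def hsts(scan: dict) -> str:
    """'Preloaded' via the parent, 'Yes' for a one-year policy on the default endpoint, else 'No'."""
    if scan.get("parent_preloaded"):
        return "Preloaded"
    default_ep = scan["endpoints"][scan["default_endpoint"]]
    policy = parse_hsts(default_ep.get("hsts_header"))
    return "Yes" if policy and policy["max_age"] >= ONE_YEAR else "No"


def free_of_weak_crypto(scan: dict) -> str:
    """'Yes', or 'No, uses ...' listing the weak protocols and ciphers still offered."""
    ep = scan["endpoints"][scan["default_endpoint"]]
    in_use = sorted(WEAK_PROTOCOLS & set(ep.get("protocols", [])))
    in_use += sorted(WEAK_CIPHERS & set(ep.get("ciphers", [])))
    return "Yes" if not in_use else "No, uses " + ", ".join(in_use)


def preloaded(scan: dict) -> str:
    """'Yes' if on the Chrome list with include_subdomains; 'Ready' if the bare
    domain serves a one-year includeSubDomains+preload policy; otherwise 'No'."""
    if scan.get("in_chrome_preload_list") and scan.get("preload_include_subdomains"):
        return "Yes"
    bare = scan["endpoints"].get("https")
    policy = parse_hsts(bare.get("hsts_header")) if bare else None
    if policy and policy["max_age"] >= ONE_YEAR and policy["include_subdomains"] and policy["preload"]:
        return "Ready"
    return "No"


def pulse_fields(scan: dict) -> Dict[str, str]:
    """Assemble the four field values for one domain."""
    return {
        "Enforces HTTPS": enforces_https(scan),
        "HSTS": hsts(scan),
        "Free of RC4/3DES and SSLv2/SSLv3": free_of_weak_crypto(scan),
        "Preloaded": preloaded(scan),
    }


# Constructed scan result for a hypothetical domain (not real measurement data).
SAMPLE_SCAN = {
    "domain": "example.gov",
    "default_endpoint": "https",
    "parent_preloaded": False,
    "in_chrome_preload_list": False,
    "preload_include_subdomains": False,
    "endpoints": {
        "http": {"live": True, "redirect_to": "https://example.gov/"},
        "http_www": {"live": True, "redirect_to": "https://www.example.gov/"},
        "https": {"live": True,
                  "hsts_header": 'max-age="31536000"; includeSubDomains; preload',
                  "protocols": ["TLSv1.2"], "ciphers": ["AES128-GCM-SHA256", "3DES"]},
        "https_www": {"live": True, "hsts_header": "max-age=300"},
    },
}

if __name__ == "__main__":
    for field, value in pulse_fields(SAMPLE_SCAN).items():
        print(f"{field}: {value}")
```

For the constructed domain this yields Enforces HTTPS: Yes, HSTS: Yes, Free of RC4/3DES and SSLv2/SSLv3: "No, uses 3DES", and Preloaded: Ready, which is the combination an operator most often sees just before submitting to the preload list: the policy is right, but a legacy cipher still has to be removed to satisfy BOD 18-01.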