All government digital services (GDS) websites in the UK will be required to use HTTPS encryption starting 1 October, according to new security guidelines. As well as enforcing the use of HTTPS, all UK government websites are mandated to use HTTP Strict Transport Security (HSTS).
In addition, all services have to publish a Domain-based Message Authentication, Reporting & Conformance (DMARC) policy that will be applicable to their email systems.
According to Dafydd Vaughan, a technical architect at the Government Digital Service (GDS), the UK government plans to submit the service.gov.uk domain to the browser manufacturers’ HSTS preload list in September.
This means that all modern browsers will only ever connect to government services via HTTPS. Services that are only available over unsecured connections will stop working in modern browsers once this happens. This may also affect testing environments hosted on service.gov.uk, said Vaughan.
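The following added example (not from the article or from GDS) models, in simplified form, how a browser consults its HSTS preload list before connecting, which is why HTTP-only hosts under a preloaded parent domain become unreachable. The list contents, hostnames and function names are constructed for illustration; the real list ships inside the browser.

```javascript
// Constructed preload list: the entry assumes service.gov.uk has been
// accepted with subdomain coverage, which preload submission requires.
const PRELOAD = new Map([["service.gov.uk", { includeSubdomains: true }]]);

// Return the preload entry that covers `host`, or null if none does.
function findPreloadEntry(host, list = PRELOAD) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = list.get(candidate);
    if (!entry) continue;
    // An exact match always applies; a parent match only with includeSubdomains.
    if (i === 0 || entry.includeSubdomains) return { domain: candidate, ...entry };
  }
  return null;
}

// Rewrite a URL the way a preload-aware client does before any network I/O:
// http becomes https for covered hosts, and an explicit non-default port is kept.
function effectiveUrl(rawUrl, list = PRELOAD) {
  const url = new URL(rawUrl);
  if (url.protocol === "http:" && findPreloadEntry(url.hostname, list)) {
    url.protocol = "https:";
  }
  return url.href;
}

// Can a browser still reach a host that serves only the given schemes?
function canReach(host, servedSchemes, list = PRELOAD) {
  const usable = findPreloadEntry(host, list) ? ["https"] : ["https", "http"];
  return usable.some((scheme) => servedSchemes.includes(scheme));
}

// Constructed hostnames: an HTTP-only test environment under the preloaded
// domain, and an unrelated HTTP-only site outside it.
const testEnv = "staging.example-app.service.gov.uk";
console.log(effectiveUrl(`http://${testEnv}/login`));
console.log("HTTP-only test environment reachable:", canReach(testEnv, ["http"]));
console.log("HTTP-only unrelated site reachable:", canReach("example.org", ["http"]));
```
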
The Government Digital Service has published guidance on how to implement secure email practices including Domain-based Message Authentication, Reporting and Conformance policies, known as DMARC.
HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet.