Last month, the White House asked all government agencies to secure their official sites by adopting web encryption by default, a measure security researchers widely agree is a baseline protection for users.
The White House reasoning for pushing for this was that "there is no such thing as insensitive web traffic" because everything a user does on the internet—even just browsing—could reveal personal information, and thus website operators need to protect any data that travels between the site and the user.
But someone inside the US government isn't that thrilled. A NASA IT professional wrote on the code-sharing website GitHub that contrary to what the White House says, "non-sensitive web traffic does exist," and forcing every government agency to switch to HTTPS by default will be costly and might even prevent important scientific data from being shared widely.
His main concern is that for cash-strapped agencies, the costs of implementing HTTPS will outweigh the benefits, and that, essentially, implementing HTTPS might be too hard for some of these government bodies. Very few government websites currently use HTTPS, according to a recent census: only around 150 of roughly 1,350 .gov sites serve it by default.
"This proposal bans HTTP, which I believe will cause a number of problems," Joe Hourcle, a webserver administrator at NASA's Solar Data Analysis Center, wrote. HTTP is the plaintext protocol that is the de facto foundation of the web, and most sites on the internet still use it rather than HTTPS.
"Websites that use authentication or have personally identifiable information about users of their systems should [emphasis in original] use HTTPS," he added. "But there are still situations for which HTTP is a better choice."
In his lengthy response, Hourcle lists all the issues he sees with switching certain websites to HTTPS by default, such as increased bandwidth and server requirements, and even a potential reduction in the "availability of government information and services" in public schools or libraries that block all HTTPS traffic because their filters cannot inspect it for inappropriate content.
Serving a website over HTTPS means carrying ordinary HTTP traffic inside an encrypted and authenticated connection, using what's known as Transport Layer Security (TLS). This doesn't just put an extra S and a lock icon on the site's URL as it appears in your browser. It also means it's much harder for a hacker in a coffee shop, or a repressive government, depending on where you are, to read what you send to the site, including passwords and other personal information, or to quietly alter what the site sends back to you. One caveat worth knowing: HTTPS does not hide which site you are talking to. The hostname and the fact that you connected are still visible to anyone on the network path; what is protected is the content of the exchange.
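The census mentioned above is essentially a classification of each site's behaviour on plain HTTP and on HTTPS. The script below is an added example, written for this page and not taken from the article, the White House standard, or any government tool. It classifies a site from two recorded responses, one to a plain-HTTP request and one to an HTTPS request, using criteria that are this example's own assumptions: plain HTTP must redirect to an https:// URL, and the HTTPS response must carry a Strict-Transport-Security (HSTS) header with a max-age of at least a year. The sample responses are constructed and do not describe any real .gov site.

```python
"""Classify whether a site is served "HTTPS by default" from its responses.

Added example, not part of the original article. The thresholds below are
assumptions chosen for this example, not quoted from the HTTPS-Only Standard.
"""
import re

# Assumed threshold for a "strong" HSTS policy: one year in seconds.
ONE_YEAR = 365 * 24 * 60 * 60

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains). max_age is None when the
    header is missing or its max-age directive is malformed.
    """
    if value is None:
        return None, False
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None, False  # malformed header: treat as absent
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def classify(http_resp, https_resp):
    """Classify one site.

    http_resp:  (status, headers) for GET http://host/
    https_resp: (status, headers) for GET https://host/, or None if no TLS
                endpoint answered. Header names are expected lowercased.
    """
    http_status, http_headers = http_resp
    location = http_headers.get("location", "")
    redirects = (http_status in REDIRECT_STATUSES
                 and location.lower().startswith("https://"))

    if https_resp is None:
        return {"verdict": "http-only", "redirects_to_https": redirects,
                "hsts_max_age": None, "hsts_include_subdomains": False}

    _, https_headers = https_resp
    # Browsers only honour HSTS when it arrives over TLS (RFC 6797), so any
    # Strict-Transport-Security header on the plain-HTTP response is ignored.
    max_age, include_sub = parse_hsts(
        https_headers.get("strict-transport-security"))

    if redirects and max_age is not None and max_age >= ONE_YEAR:
        verdict = "https-by-default"
    elif redirects:
        verdict = "https-by-default-weak-hsts"
    else:
        verdict = "https-optional"  # both schemes served, HTTP not redirected
    return {"verdict": verdict, "redirects_to_https": redirects,
            "hsts_max_age": max_age, "hsts_include_subdomains": include_sub}


# Constructed sample responses; the hostnames are hypothetical.
SAMPLES = {
    "good.example.gov": (
        (301, {"location": "https://good.example.gov/"}),
        (200, {"strict-transport-security":
               "max-age=31536000; includeSubDomains"}),
    ),
    "both.example.gov": (
        # HSTS sent over plain HTTP is ignored, so this host is not
        # "by default": a first visit over HTTP stays on HTTP.
        (200, {"content-type": "text/html",
               "strict-transport-security": "max-age=31536000"}),
        (200, {"content-type": "text/html"}),
    ),
    "plain.example.gov": (
        (200, {"content-type": "text/html"}),
        None,
    ),
}


def census(samples=SAMPLES):
    """Return {host: verdict} for every sampled site."""
    return {host: classify(*pair)["verdict"] for host, pair in samples.items()}


if __name__ == "__main__":
    for host, verdict in census().items():
        print(f"{host:22} {verdict}")
```

To use this against live sites, the two tuples per host would come from an HTTP client that follows no redirects, so that the first hop from http:// is what gets classified; the logic above stays the same.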
Reached by email, Hourcle said that his views do not represent NASA's, but declined to comment any further. A NASA spokesperson did not respond to a request for comment.
Some technologists criticized Hourcle's comments, and even reacted with sarcasm.
"It's silly," Kevin Gallagher, a technologist and system administrator at the Freedom of the Press Foundation, a nonprofit that advocates for wider adoption of encryption, told Motherboard.
The argument that some traffic on the web isn't so sensitive that it deserves to be encrypted "doesn't fly for me," Gallagher said.
"I can't really think of any traffic where I'd be OK with being man-in-the-middled and served a fake page," he added. What he is referring to is the fact that HTTPS doesn't just protect the information you exchange with a website; the certificate check also verifies that the server you reached is really the site it purports to be, so someone sitting between you and it can neither impersonate the site nor rewrite its pages in transit. On its own it does not stop phishing from a different, look-alike domain, which can have a perfectly valid certificate of its own.
Moreover, web encryption also makes it harder for repressive governments or hackers to hijack connections and inject malicious code into pages and scripts that are loaded over plain HTTP. That's pretty much what happened with China's massive distributed denial of service attack on GitHub, or when hackers attacked some victims through Forbes' website.
While it's true that HTTPS is expensive and "not everything requires crypto," Steven Bellovin, a computer science professor at Columbia University, told Motherboard that some of Hourcle's arguments are "dubious."
Regardless of that, Hourcle's arguments do show that it won't be that easy, or cheap, to convince every government agency to switch to HTTPS. So it might take some time—and a little convincing—to effectively encrypt all the things.