Good news! The entire Senate just embraced web encryption

Remember this for next time lawmakers bring out the pitchforks.
Written by Zack Whittaker, Contributor

Anyone now visiting their senator's website will see something new: a little green lock in their browser's address bar.

Last week the US Senate quietly began serving its entire domain -- including each of the 100 elected senators' websites -- over an encrypted HTTPS channel by default.

HTTPS isn't just reserved for banks and login pages anymore, and hasn't been for a long time. It's nowadays seen as a measure for sites taking their own security and the privacy of their visitors seriously.

The government has been on its own encryption binge for the past few years, trying to secure every page on every domain it has to ensure a standard level of security across the government domain space.

The logic is simple enough: Serving up each page through a secure and private connection ensures that every Senate page hasn't been intercepted or impersonated (which is easy to do) and modified by hackers -- or even intelligence agencies. It also protects the web address past the domain, in most cases preventing internet providers from knowing which individual pages a person visited.

You might wonder why everyone hasn't embraced it sooner. Encrypting web traffic used to be expensive, but the rise of free certificate services like Let's Encrypt has made it significantly cheaper to encrypt web pages.

Thats's the easy bit, because make no mistake -- switching from HTTP, where every byte travels the web without any encryption, to HTTPS is no small feat.

The project has taken over a year to complete, and has been a slow, tedious process of switching over each of the senator's sites incrementally to HTTPS by default. (A spokesperson for the Senate Sergeant at Arms, which headed the project, confirmed the timing but wouldn't comment further on the project.)

In order to switch over an entire site to HTTPS, every site element and component has to be served over the secure pipe. Given that the Senate domain has over a hundred individual senator's domains and committee sites, and many more for other sites and projects, amounting to millions of pages over many years, including some that are decades old -- it's not an overnight job.

But unlike the executive branch, which has all the help from the federal government to switch over to HTTPS, the legislative branch has been left mostly to its own devices.

The General Services Administration said it had no involvement in the Senate's switch. "In general, GSA supports increased use of HTTPS across public services, and actively supports the executive branch's efforts in this area," said a spokesperson.

In pushing ahead with its HTTPS project, the Senate leapfrogged the House with its own effort to encrypt its web pages. At the time of writing, every House lawmaker's website supports HTTPS, but only a little over half support HTTPS by default. (We asked the House's chief administrative officer for comment, and we'll update when we hear back.)

HTTPS by default is a good start, but there's more work to be done.

In January, the government announced it would not only strictly enforce HTTPS on each new government website but it would also preload its domains and subdomains directly into web browsers -- so that all browsers will always and by-default make a secure connection to a government website.

So far, plans have been made to preload executive branch websites, but it hasn't been ruled out as a possibility for Congress in the future.

Encryption remains a hot topic in Congress. It seems half of all lawmakers are for it, and half see it as a way for criminals and terrorists to get away with literal murder. In the past couple of years, we've seen several attempts by lawmakers to undermine the security protections that encryption offers, such as pushing for backdoors in existing encryption standards to make surveillance easier. Last year, in the wake of the San Bernardino terrorist attack, two senators pushed for their own anti-encryption bill that eventually failed.

That bill may be on deck to be reintroduced in the current session, sparking yet another protracted chapter in the ongoing crypto war.

Now that every senator's website offers encryption, remember that next time they bring out the pitchforks.

Editorial standards