DotGov program announces its plans to implement HSTS and preloading to .gov websites to make them safer for users.
DotGov Program announces its intent to preload the .gov TLD in the future to make it safer. DotGov’s solution includes domains submitting to the HSTS preload list. The list is embedded in the browsers and HSTS is enabled automatically even for the visitor’s firsts visit. With this method, domains preload and protect its entire namespace with all the subdomains. DotGov Program also states that preloading can also be applied to top-level domains and it is easy to do.
HSTS and preloading
DotGov program states that they are not preloading .gov websites right away because it would cause some government websites that don’t use HTTPS would become inaccessible for users. DotGov also states that it is possible within a few years and they are planning to take these steps:
- DotGov is collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) to help ensure .gov domain owners are ready for their domains to be preloaded in the future.
- DotGov is teaming up with government-affiliated civic organizations to hold presentations and listening sessions in the coming months to get the word out about preloading .gov
- DotGov created a new listserv for feedback from government agencies. In particular, the organization is interested in hearing the challenges agencies expect to face, and the solutions they develop that the organization can use to resolve them. They also hope that this new communications channel will generate discussion between government organizations.
- Beginning September 1, 2020, all new .gov domains will be automatically preloaded. This ensures that DotGov is focused on transitioning historical domains, not new ones, and defaults to strong security going forward.