As of September 1 2020, all new websites belonging to the US government will only be accessible via HTTPS, because they will be preloaded automatically.
The development was announced by the DotGov Program, which manages the .gov top-level domain and provides domains to US government organisations, federal and local.
"Today, the DotGov Program announces our intent to preload the .gov TLD in the future," said the organisation.
"We believe the security benefits that come from preloading are meaningful and necessary to continue meeting the public’s expectation of safety on .gov services. We believe that government websites should always be secure."
Here’s how preloading works: it all starts with HSTS, or HTTP Strict Transport Security – a standard that makes sure visitors’ browsers are always enforcing the HTTPS connection (instead of the insecure HTTP one).
For HSTS to function, browsers need to see the HSTS header on a site at least once. Consequently, users are not protected until they complete one successful connection to a given domain.
Submitting a domain to the preload list closes that gap: the HSTS policy is built into the browser itself, so HTTPS is enforced even on the first visit. “Domains that preload protect their entire 'namespace', including all current or potential subdomains,” the DotGov website claims.
“Preloading a domain is both a smart security move and an easy thing to do, if the TLD begins with no deployed services to transition. Preloading an existing TLD is substantially more challenging than preloading a new one, because preloading requires that HTTPS be supported everywhere the domain is used for web services, including sites on both the internet and intranet alike.”