NASA IT Guy to White House: Please Don't Make Us Encrypt All Our Websites

Last month, the White House asked all government agencies to secure their official sites by adopting web encryption by default, a measure security researchers widely agree is a baseline protection for users.

The White House reasoning for pushing for this was that "there is no such thing as insensitive web traffic" because everything a user does on the internet—even just browsing—could reveal personal information, and thus website operators need to protect any data that travels between the site and the user.

The announcement for the its pro-encryption initiative called HTTPS-Only Standard, got supporters of encryption everywhere very excited.

But someone inside the US government isn't that thrilled. A NASA IT professional wrote on the code-sharing website GitHub that contrary to what the White House says, "non-sensitive web traffic does exist," and forcing every government agency to switch to HTTPS by default will be costly and might even prevent important scientific data from being shared widely.

His main concern is that for cash-strapped agencies, the costs of implementing HTTPS will outweigh the benefits, and that, essentially, implementing HTTPS might be too hard for some of these government bodies. Very few government websites are currently encrypted, according to a recent census. Only around 150 .gov sites out of around 1,350 are encrypted by default.

Updated with a tab for HTTPS on ~1,350 federal .gov domains: — Eric Mill (@konklone)April 20, 2015

"This proposal bans HTTP, which I believe will cause a number of problems," Joe Hourcle, a webserver administrator at NASA's Solar Data Analysis Center, wrote. HTTP is a protocol that is the de-facto foundation of the web, and most sites on the internet still use it rather than HTTPS.

"Websites that use authentication or have personally identifiable information about users of their systems should [emphasis in original] use HTTPS," he added. "But there are still situations for which HTTP is a better choice."

In his lengthy response, Hourcle lists all the issues he sees with switching certain websites to HTTPS by default, such as increasing bandwidth requirement, and even potentially reducing the "availability of government information and services" in public schools or libraries that might block all HTTPS traffic to filter inappropriate sites.

Encrypting a website with HTTPS means putting a layer of protection on top of regular HTTP traffic using what's known as Transport Layer Security (TLS). This doesn't just mean that there is an extra S and a green lock on the site's URL as it appears in your browser, it also means it's harder for a hacker in a coffee shop—or a repressive government, depending on where you are—to spy on your online activities, stealing the information you send to the site, including passwords and other personal information.

Reached by email, Hourcle said that his views do not represent NASA's, but declined to comment any further. A NASA spokesperson did not respond to a request for comment.

Some technologists criticized Hourcle's comments, and even reacted with sarcasm.

This tirade against HTTPS from NASA would be ridiculous if it weren't serious. — Tom Lowenthal (@flamsmark)April 19, 2015

The agency that put men on the moon is complaining about the difficulty of configuring their webserver to use HTTPS. — Christopher Soghoian (@csoghoian)April 19, 2015

"It's silly," Kevin Gallagher, a technologist and system administrator at the Freedom of the Press Foundation, a nonprofit that advocates for wider adoption of encryption, told Motherboard.

The argument that some traffic on the web isn't so sensitive that it deserves being encrypted, "doesn't fly for me." Gallagher said.

"I can't really think of any traffic where I'd be OK with being man-in-the-middled and served a fake page," he added. What he is referring to is the fact that HTTPS doesn't just provide protection while exchanging information with websites, it also helps guarantee that the site you're visiting is really what it purports to be, helping prevent phishing and other type of scams.

Moreover, web encryption also makes it harder for repressive governments or hackers to hijack connections and serve malware over the unencrypted connection. That's pretty much what happened with China's massive distributed denial of service attack on GitHub, or when hackers attacked some victims through Forbes' website.

While it's true that HTTPS is expensive and "not everything requires crypto," Steven Bellovin, a computer science professor at Columbia University, told Motherboard that some of Hourcle arguments are "dubious."

Regardless of that, Hourcle's arguments do show that it won't be that easy, or cheap, to convince every government agency to switch to HTTPS. So it might take some time—and a little convincing—to effectively encrypt all the things.