pages/certificates.md
Lines changed: 6 additions & 7 deletions
@@ -8,12 +8,12 @@ description: "FAQ on certificates and certificate authorities for agencies migra
8
8
9
9
Frequently asked questions and answers about HTTPS certificates and certificate authorities.
10
10
11
-
*[What are certificates and certificate authorities?](#what-are-certificates-and-certificate-authorities%3f)
12
-
*[What kind of certificate should I get for my domain?](#what-kind-of-certificate-should-i-get-for-my-domain%3f)
13
-
*[What rules and oversight are certificate authorities subject to?](#what-rules-and-oversight-are-certificate-authorities-subject-to%3f)
14
-
*[Does the US government operate a publicly trusted certificate authority?](#does-the-us-government-operate-a-publicly-trusted-certificate-authority%3f)
15
-
*[Are there federal restrictions on acceptable certificate authorities to use?](#are-there-federal-restrictions-on-acceptable-certificate-authorities-to-use%3f)
16
-
*[Then how can I limit which CAs can issue certificates for a domain?](#then-how-can-i-limit-which-cas-can-issue-certificates-for-a-domain%3f)
11
+
*[What are certificates and certificate authorities?](#what-are-certificates-and-certificate-authorities)
12
+
*[What kind of certificate should I get for my domain?](#what-kind-of-certificate-should-i-get-for-my-domain)
13
+
*[What rules and oversight are certificate authorities subject to?](#what-rules-and-oversight-are-certificate-authorities-subject-to)
14
+
*[Does the US government operate a publicly trusted certificate authority?](#does-the-us-government-operate-a-publicly-trusted-certificate-authority)
15
+
*[Are there federal restrictions on acceptable certificate authorities to use?](#are-there-federal-restrictions-on-acceptable-certificate-authorities-to-use)
16
+
*[Then how can I limit which CAs can issue certificates for a domain?](#then-how-can-i-limit-which-cas-can-issue-certificates-for-a-domain)
17
17
18
18
## What are certificates and certificate authorities?
19
19
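Review bot: The six rewritten fragments on new lines 11-16 are hand-written and only resolve if they equal the IDs the site generator derives from the headings, such as `## What are certificates and certificate authorities?` in the context just below the list. Nothing in this hunk pins those IDs, so a later heading edit or a change of slug rules will break the links again without any build error. Consider generating the list from the headings, or adding an internal-link check to the build.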
@@ -99,4 +99,3 @@ The strength of Certificate Transparency increases as more CAs publish more cert
pages/faq.md
Lines changed: 10 additions & 10 deletions
@@ -10,16 +10,16 @@ Below are some frequently asked questions and answers about HTTPS.
10
10
11
11
For an in-depth introduction (no technical background required), check out the DigitalGov University presentation, **["An Introduction to HTTPS"](https://www.youtube.com/watch?v=d2GmcPYWm5k)**, to learn what HTTPS is and how it protects web services and users.
12
12
13
-
*[What does HTTPS do?](#what-does-https-do%3f)
14
-
*[What information does HTTPS protect?](#what-information-does-https-protect%3f)
15
-
*[What information does HTTPS _not_ protect?](#what-information-does-https-not-protect%3f)
16
-
*[How does HTTPS relate to HTTP/2?](#how-does-https-relate-to-http/2%3f)
17
-
*[How does migrating to HTTPS affect search engine optimization (SEO)?](#how-does-migrating-to-https-affect-search-engine-optimization-(seo)%3f)
18
-
*[How can an HTTPS site keep sending referrer information to linked HTTP sites?](#how-can-an-https-site-keep-sending-referrer-information-to-linked-http-sites%3f)
19
-
*[How difficult is it to attack an HTTPS connection?](#how-difficult-is-it-to-attack-an-https-connection%3f)
20
-
*[Why are domain names unencrypted over HTTPS today?](#why-are-domain-names-unencrypted-over-https-today%3f)
21
-
*[Why isn't DNSSEC good enough?](#why-isn't-dnssec-good-enough%3f)
22
-
*[How does HTTPS protect against DNS spoofing?](#how-does-https-protect-against-dns-spoofing%3f)
13
+
*[What does HTTPS do?](#what-does-https-do)
14
+
*[What information does HTTPS protect?](#what-information-does-https-protect)
15
+
*[What information does HTTPS _not_ protect?](#what-information-does-https-not-protect)
16
+
*[How does HTTPS relate to HTTP/2?](#how-does-https-relate-to-http-2)
17
+
*[How does migrating to HTTPS affect search engine optimization (SEO)?](#how-does-migrating-to-https-affect-search-engine-optimization-seo)
18
+
*[How can an HTTPS site keep sending referrer information to linked HTTP sites?](#how-can-an-https-site-keep-sending-referrer-information-to-linked-http-sites)
19
+
*[How difficult is it to attack an HTTPS connection?](#how-difficult-is-it-to-attack-an-https-connection)
20
+
*[Why are domain names unencrypted over HTTPS today?](#why-are-domain-names-unencrypted-over-https-today)
21
+
*[Why isn't DNSSEC good enough?](#why-isnt-dnssec-good-enough)
22
+
*[How does HTTPS protect against DNS spoofing?](#how-does-https-protect-against-dns-spoofing)
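Review bot: The new fragments in this list depend on three separate slug rules that cannot be verified from the diff, because the headings they target are outside the hunk: `http/2` becomes `http-2` (slash replaced by a hyphen, line 16), `(seo)` becomes `seo` (parentheses dropped, line 17), and `isn't` becomes `isnt` (apostrophe dropped, line 21). Please confirm each against the rendered heading IDs, in particular `#how-does-https-relate-to-http-2`, since some slug generators drop `/` rather than replacing it.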
pages/guide.md
Lines changed: 12 additions & 12 deletions
@@ -15,17 +15,17 @@ This page provides implementation guidance for agencies by the White House Offic
15
15
*[Compliance and best practice checklist](#compliance-and-best-practice-checklist)
16
16
*[Options for HSTS compliance](#options-for-hsts-compliance)
17
17
*[Compliance FAQ](#compliance-faq)
18
-
*[What protocols are covered by M-15-13?](#what-protocols-are-covered-by-m-15-13%3f)
19
-
*[Do I need to shut off port 80?](#do-i-need-to-shut-off-port-80%3f)
20
-
*[What about network services that don't actually serve web content?](#what-about-network-services-that-don't-actually-serve-web-content%3f)
21
-
*[What does "all Federal agency domains or subdomains" include?](#what-does-"all-federal-agency-domains-or-subdomains"-include%3f)
22
-
*[What about domains that are only used to redirect visitors to other websites?](#what-about-domains-that-are-only-used-to-redirect-visitors-to-other-websites%3f)
23
-
*[Do domains that redirect to other external domains need to redirect internally to HTTPS before redirecting externally?](#do-domains-that-redirect-to-other-external-domains-need-to-redirect-internally-to-https-before-redirecting-externally%3f)
24
-
*[What about domains that are technically public, but in practice are only used internally?](#what-about-domains-that-are-technically-public,-but-in-practice-are-only-used-internally%3f)
25
-
*[What happens to visitors using browsers that don’t support HSTS, like older versions of Internet Explorer?](#what-happens-to-visitors-using-browsers-that-don't-support-hsts,-like-older-versions-of-internet-explorer%3f)
26
-
*[This site redirects users to HTTPS -- why is Pulse saying it doesn't enforce HTTPS?](#this-site-redirects-users-to-https----why-is-pulse-saying-it-doesn't-enforce-https%3f)
27
-
*[Are federally operated certificate revocation services (CRL, OCSP) also required to move to HTTPS?](#are-federally-operated-certificate-revocation-services-(crl,-ocsp)-also-required-to-move-to-https%3f)
28
-
*[What if I'm using a federally issued certificate -- such as from the Federal PKI or Department of Defense -- for my web service?](#what-if-i'm-using-a-federally-issued-certificate----such-as-from-the-federal-pki-or-department-of-defense----for-my-web-service%3f)
18
+
*[What protocols are covered by M-15-13?](#what-protocols-are-covered-by-m-15-13)
19
+
*[Do I need to shut off port 80?](#do-i-need-to-shut-off-port-80)
20
+
*[What about network services that don't actually serve web content?](#what-about-network-services-that-dont-actually-serve-web-content)
21
+
*[What does "all Federal agency domains or subdomains" include?](#what-does-all-federal-agency-domains-or-subdomains-include)
22
+
*[What about domains that are only used to redirect visitors to other websites?](#what-about-domains-that-are-only-used-to-redirect-visitors-to-other-websites)
23
+
*[Do domains that redirect to other external domains need to redirect internally to HTTPS before redirecting externally?](#do-domains-that-redirect-to-other-external-domains-need-to-redirect-internally-to-https-before-redirecting-externally)
24
+
*[What about domains that are technically public, but in practice are only used internally?](#what-about-domains-that-are-technically-public-but-in-practice-are-only-used-internally)
25
+
*[What happens to visitors using browsers that don’t support HSTS, like older versions of Internet Explorer?](#what-happens-to-visitors-using-browsers-that-dont-support-hsts-like-older-versions-of-internet-explorer)
26
+
*[This site redirects users to HTTPS -- why is Pulse saying it doesn't enforce HTTPS?](#this-site-redirects-users-to-https-why-is-pulse-saying-it-doesnt-enforce-https)
27
+
*[Are federally operated certificate revocation services (CRL, OCSP) also required to move to HTTPS?](#are-federally-operated-certificate-revocation-services-crl-ocsp-also-required-to-move-to-https)
28
+
*[What if I'm using a federally issued certificate -- such as from the Federal PKI or Department of Defense -- for my web service?](#what-if-im-using-a-federally-issued-certificate-such-as-from-the-federal-pki-or-department-of-defense-for-my-web-service)
29
29
30
30
## Compliance and best practice checklist
31
31
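Review bot: On new line 25 the link text uses a typographic apostrophe (`don’t`), while the fragment assumes it is removed exactly like the ASCII `'` on lines 20, 26 and 28 (`dont-support-hsts`). If the heading in the page body also uses `’`, check that the generated ID really drops it. The same applies to the `--` sequences on lines 26 and 28, where the fragments assume the run of hyphens collapses to one (`https----why` becomes `https-why`).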
@@ -167,7 +167,7 @@ Agencies are encouraged to operate OCSP and CRL services via hostnames specifica
167
167
168
168
### What if I'm using a federally issued certificate -- such as from the Federal PKI or Department of Defense -- for my web service?
169
169
170
-
There are [no restrictions on acceptable certificate authorities](/certificates/#are-there-federal-restrictions-on-acceptable-certificate-authorities-to-use%3f) agencies might use to meet the requirements of M-15-13.
170
+
There are [no restrictions on acceptable certificate authorities](/certificates/#are-there-federal-restrictions-on-acceptable-certificate-authorities-to-use) agencies might use to meet the requirements of M-15-13.
171
171
172
172
However, M-15-13 requires agencies to do more than just redirect HTTP traffic to HTTPS. It also requires agencies to enable **[HTTP Strict Transport Security](/hsts/)** (HSTS), as [described above](#options-for-hsts-compliance). HSTS ensures that HTTPS is always used, and protects users from several common vulnerabilities.
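Review bot: The fragment on line 170 points into another page, so it only works if it equals the heading ID generated in pages/certificates.md. It does match the TOC entry updated there in this commit (`#are-there-federal-restrictions-on-acceptable-certificate-authorities-to-use`). Cross-page fragments like this one are easy to miss, so it is worth searching the rest of the site for remaining `%3f)` link targets before merging.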
pages/resources.md
Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@ The DigitalGov University has several presentations on HTTPS from the General Se
18
18
19
19
***[Implementing HTTPS](https://www.youtube.com/watch?v=rnM2qAfEG-M)** (July 2015), by Eric Mill and Gray Brooks. A more detailed explanation of how HTTPS works, how to migrate a website to HTTPS, the [technical concepts](/technical-guidelines/) you should be aware of when implementing HTTPS, and new and upcoming advances in HTTPS.
20
20
21
-
***[Migrating to HTTPS](https://www.youtube.com/watch?v=X5H8JRULDOo)** (July 2016), by Eric Mill and Timothy Badaczewski. This presentation covers common issues common to federal HTTPS migrations, including: [HTTP Strict Transport Security](/hsts/) (HSTS), [getting certificates](/certificates/), [mixed content](/mixed-content/), and [search engine optimization](/faq/#how-does-migrating-to-https-affect-search-engine-optimization-(seo)%3f) (SEO).
21
+
***[Migrating to HTTPS](https://www.youtube.com/watch?v=X5H8JRULDOo)** (July 2016), by Eric Mill and Timothy Badaczewski. This presentation covers common issues common to federal HTTPS migrations, including: [HTTP Strict Transport Security](/hsts/) (HSTS), [getting certificates](/certificates/), [mixed content](/mixed-content/), and [search engine optimization](/faq/#how-does-migrating-to-https-affect-search-engine-optimization-seo) (SEO).
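Review bot: Style point on line 21, which this change rewrites anyway: "covers common issues common to federal HTTPS migrations" repeats "common"; suggest "covers issues common to federal HTTPS migrations". The cross-page fragment `/faq/#how-does-migrating-to-https-affect-search-engine-optimization-seo` is consistent with the TOC entry changed in pages/faq.md.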