Links used in https://www.digitalgov.gov/event/implementing-https/

implementing-https-links.md

Links used in Implementing HTTPS, by Gray Brooks and Eric Mill of GSA.

See the recorded presentation on YouTube (1 hour, 40 minutes).

Introduction

• https.cio.gov FAQ on HTTPS
• Mozilla blog post on deprecating non-secure HTTP
• OMB Memorandum M-15-13

How HTTPS Works

• Simple explanation for elliptic curve cryptography
• Prime factorization
• SSL Labs analysis of https.cio.gov
• nginx configuration for https.cio.gov
• general nginx HTTPS configuration template
• Apache configuration for courtlistener.com
• Mozilla CA certificate policy
• Domain name system overview

Migrating to HTTPS

• https.cio.gov page on mixed content
• W3C upgrade-insecure-requests spec

HTTP Strict Transport Security

• https.cio.gov page on HSTS
• 18F blog: The first .gov domains hardcoded into your browser as all-HTTPS
• @HttpSecHeaders tweet about HSTS preloading
• Chrome HSTS/HPKP preload list

Technical Guidelines

• https.cio.gov page on technical guidelines
• Google security blog post on SHA-1 deprecation
• Pulse page on HTTPS for .gov domains
• https.cio.gov page on Server Name Indication
• Introduction to OCSP

The Future

• TLS 1.3
• Google blog post on QUIC
• HTTP/2 spec on TLS requirements
• Digital Analytics Program dashboard
• Certificate transparency readings for *.whitehouse.gov
• Certificate Transparency homepage
• Mozilla blog post on distrusting CNNIC
• RFC 7469, HTTP Public Key Pinning
• HTTP Public Key Pinning, Explained
• CA/Browser Forum Baseline Requiremets
• House Energy and Commerce Committee letter to browsers regarding government CAs
• Mozilla's response to the House letter
• Let's Encrypt, an upcoming free non-profit certificate authority