You may have discovered that going to www.lastname.house.gov for your site no longer works. HIR has disabled www for your site in order to enable TLS (Transport Layer Security) encryption for every connection to your site, so that every single visit to your website is as secure as it could possibly be. Instead, you can use lastname.house.gov which works and is secure.
Background
Domain names (ex. house.gov, google.com, wikipedia.org) for different sites tell your browser to make a connection to the server that hosts the website. Many websites start their domains with www which stands for world wide web. The addition of www is technically a subdomain, just like mail.google.com which points to gmail instead of the main google search page. However, including www is not required and in certain circumstances can be detrimental.
As more people started using the internet, malicious actors started attacking websites to steal information. One of the ways that they attacked sites was to secretly listen in and intercept connections between your web browser and the server that hosts the website you are visiting. To defend against this, TLS was created, which encrypts the connection between your web browser and the server that hosts the website you are visiting. What this looks like in practice is that a website address (URL) will start with https instead of http. The extra "s" stands for "secure."
The way this security works is by distributed trust. There are trusted companies that sell security certificates. Those certificates are accepted by browsers to establish trust with a website. However, those certificates come with limitations—they can only have one subdomain level for each domain name. Since House websites are all already a subdomain of house.gov, that single subdomain the certificate allows has already been used. Adding an additional subdomain for www is not allowed. For example, you can go to https://www.google.com or https://google.com successfully, and you can go to a subdomain like https://mail.google.com but you can't go to https://www.mail.google.com. which would be two subdomain levels instead of one (One trick is to count the number of periods before .com or .gov etc. You can only have a single period to comply with the security certificate).
Before enabling HTTPS was standard, this limitation did not exist and thus you could have http://www.pelosi.house.gov and http://pelosi.house.gov both work. During the transition period, HIR has forwarded the www subdomain to the correct URL. However, because the first forwarded connection is not protected by HTTPS, it is technically possible that a malicious attacker could intercept that first connection to your website. To prevent this, HIR has started revoking the www subdomain from existing house websites. Websites for new members of the 116th congress have never been issued the www subdomain to begin with.
What can I do about it?
You can update all references to your website from www.lastname.house.gov to simply lastname.house.gov.
Common places to check are:
-
Social channels like facebook, twitter, and instagram in the description or bio for your account
-
Official letterhead
-
Business cards
-
Outlook email signatures
-
Phone scripts
If you have any questions about this, please contact HIR at webassistance@mail.house.gov.
Comments
Article is closed for comments.