linuskendall / tls-standards

18F's TLS standards, practices, and operations.

Home Page: https://18f.gsa.gov/2014/11/13/why-we-use-https-in-every-gov-website-we-make/


TLS at 18F

18F is an all-TLS shop: all of our websites and APIs enforce encryption. We do this no matter how static or dynamic the content, and no matter how sensitive the service's information may appear to be.

This repository contains our:

  • standards and practices, e.g. key generation, TLS/nginx/CDN configuration
  • research and knowledge base on deploying TLS on the web today
  • discussion and collaboration with people inside and outside of the government

Creating a new certificate

If you're an 18F employee and want a new TLS certificate, read about our temporary certificate creation process. (We're in the process of switching to SSLMate.)

We have a wildcard certificate for staging domains of the form *.18f.us, so you do not need a new certificate for those domains. (This only applies to third-level domains like x.18f.us. Fourth-level domains like x.y.18f.us cannot use this certificate.)
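The one-label scope of the wildcard described above, as an added example (not code from 18F's repository): a matcher that applies the left-most-label rule from RFC 6125 section 6.4.3 and lists which hostnames need their own certificate. The function names and the sample hostnames are constructed for illustration.

```python
# Added example: conservative RFC 6125-style wildcard matching.
# Not 18F's tooling; names and sample data are assumptions for illustration.

def _labels(name: str) -> list:
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name such as '*.18f.us' covers hostname.

    '*' is honoured only as the entire left-most label and stands for
    exactly one non-empty label, never several and never zero.
    """
    p, h = _labels(pattern), _labels(hostname)
    # Empty labels ("a..18f.us") are never valid.
    if "" in p or "" in h:
        return False
    # Equal label counts are what stop x.y.18f.us (and bare 18f.us)
    # from matching *.18f.us.
    if len(p) != len(h):
        return False
    # A '*' outside the first label is rejected outright.
    if any("*" in label for label in p[1:]):
        return False
    # Partial wildcards such as 'x*.18f.us' are not accepted here.
    if p[0] != "*" and ("*" in p[0] or p[0] != h[0]):
        return False
    return p[1:] == h[1:]


def needs_own_certificate(hostnames, pattern="*.18f.us"):
    """Return the hostnames that the wildcard certificate does not cover."""
    return [name for name in hostnames if not wildcard_covers(pattern, name)]


# Constructed sample hostnames (x and y are placeholders, as in the text).
SAMPLE = ["x.18f.us", "X.18F.US.", "x.y.18f.us", "18f.us", "x.18f.us.example.com"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:24} covered={wildcard_covers('*.18f.us', name)}")
```
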

Publishing our certificates

We store our TLS certificates, certificate requests, and some accompanying metadata in the sites/ directory. Accompanying private keys are, of course, not in this repository.

Deploying and configuring certificates

We have a baseline nginx TLS configuration for our EC2 instances that receive HTTP requests.

For sites that use an Elastic Load Balancer (ELB) to terminate TLS, we have a model TLS configuration for ELBs and some analysis of the tradeoffs you face by using them.

Miscellaneous research

For now, we have a pile of general research and resources on technologies relevant to TLS.

Public domain

This project is in the worldwide public domain. As stated in CONTRIBUTING:

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
