Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
United States Government Security The Internet

Whitehouse Mandates HTTPS For Government Sites and Services 111

Bismillah writes: As per orders from Tony Scott, the government CIO, all federal agencies with publicly accessible websites must provide service only through a secure HTTPS connection. "Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards," according to his memo. "This leaves Americans vulnerable to known threats, and may reduce their confidence in their government."
This discussion has been archived. No new comments can be posted.

Whitehouse Mandates HTTPS For Government Sites and Services

Comments Filter:
  • by WillAffleckUW ( 858324 ) on Wednesday June 10, 2015 @06:59PM (#49887665) Homepage Journal

    It's not like this is a new initiative, or that we didn't have dry runs a few years ago.

    It's just a few recalcitrant holdouts being told: "Switch or Die".

    • by Anonymous Coward

      Yeah but now they are pushing to make encryption illegal--except when they do it, apparently.

      • Yeah but now they are pushing to make encryption illegal--except when they do it, apparently.

        The directive is for federal agencies.

        You can do whatever you want, so long as you're not contracting to the feds.

    • At which point I now expect the Republican presidential candidates to start bitching about this abuse of executive power.

      • I highly doubt they will as this is something the government SHOULD be doing and it's the Executive branch directing federal government agencies (that fall in the executive branch) to perform this action. It would be different if they issued an order forcing the state governments or private organizations to use HTTPS.
    • Re: (Score:2, Insightful)

      by Zaelath ( 2588189 )

      OK, but explain to me why https://www.nasa.gov/ [nasa.gov] needs SSL/TLS at all, including the ongoing costs to maintain certificates and infrastructure, when it's a purely informational site?

      It's like insisting that posters of cars should be retrofitted with air-bags and collision detection.

      • by Anonymous Coward

        1. to prevent MITM modifications, even if that is just your asshole ISP inserting "ads" into websites

        2. there is very little costs for certificates

        3. it has nothing to do with "retrofitting".

        Remember when they mandated DNSSEC? Did US government collapse? No? There you go.

  • Why not require a .gov TLD as well?

    • Because it also includes .mil

      • by x0ra ( 1249540 )
        and .edu, I'd guess.
        • by ShanghaiBill ( 739463 ) on Wednesday June 10, 2015 @07:28PM (#49887827)

          and .edu, I'd guess.

          Those are almost all state, local, or private. But there are a few run by the feds, such as www.usma.edu [usma.edu] and www.usna.edu [usna.edu], which default to vanilla http.

          • A big question for .edu is do research universities that get large amounts of funding have to go https as well.

            We know that this will apply to public-facing websites, so technically that would apply to a medical research hospital as part of a university (quite a few of those), but will it include small labs using fed grants as well? Presumably if external facing.

            A lot of such websites, like a crystallography beam website, are internal only, so they don't count, but it's not that big a deal. However, most o

            • A big question for .edu is do research universities that get large amounts of funding have to go https as well.

              Not because of this directive. Federal grants do not a federal agency create.

              We know that this will apply to public-facing websites, so technically that would apply to a medical research hospital as part of a university

              Public-facing federal websites. If you are a federally operated University, yes. Otherwise, no. USNA, USAFA, West Point, yes. UW, no.

              • A lot of UW stuff runs out of the VA facilities. However, the components of that are frequently cohosted.

                (caveat - we already do https and IPv6 so it's not a problem, but might be for others like John Hopkins)

                • A lot of UW stuff runs out of the VA facilities.

                  That doesn't make UW a federal agency. UW websites aren't publicly-facing federal websites because of it.

                  but might be for others like John Hopkins

                  You mean this [wikipedia.org] Johns Hopkins? The private research university? Why do you think they are a federal agency?

                • (caveat - we already do https and IPv6 so it's not a problem, but might be for others like John Hopkins)

                  I don't know who John Hopkins is. Does he work at Johns Hopkins?

  • Oh the irony (Score:5, Insightful)

    by Anonymous Coward on Wednesday June 10, 2015 @07:05PM (#49887711)

    Commanding the NSA to continue violating the Constitution and sucking up our data despite the Supreme Court's ruling that it is illegal. And this is the same gov't that wants to weaken encryption... yet they want to use it at the same time.

    • by aXis100 ( 690904 )

      Exactly! And in this case, the NSA can probably get their hands on the server certificate / signing keys quite easily.

      Not exactly a trustworthy organisation when they actively treat the entire world - including their own citizens - with suspicion.

      • by vux984 ( 928602 ) on Wednesday June 10, 2015 @07:30PM (#49887843)

        Jebus Christ. Seriously?

        HTTPS on government sites isn't to protect you snooping from the NSA. Its to protect you from the neighbors kids, and random hackers around the world.

        Not everything is about the NSA all the time. This is a good thing; even if if doesn't shut down the NSA.

        • Not everything is about the NSA all the time.

          Yes, sometimes it's about 3D printing instead.

        • by lucm ( 889690 )

          This is a good thing; even if if doesn't shut down the NSA.

          What if recent SSL exploits were just a smokescreen to allow the NSA to inject some kind of snooping backdoor in that thing. Now they require SSL everywhere to create a false sense of privacy. CONSPIRACY!

          Let's boycott SSL!

        • The NSA will never be shutdown. The only possible scenario that has the NSA being shutdown is the simultaneous shutdown of every foreign intelligence agency in the world. Scream and stamp your feet if you have to but the NSA is not going away. The spotlight on the NSA over the past couple of years has only resulted in them taking steps to further compartmentalize their operations and beefing up the level of scrutiny they put into their employees when granting security clearances.

        • It's also to protect you from snooping by the KGB. And the Chinese, and North Korea, and all the countries in Europe that insist they don't spy on their allies but almost certainly do.

          Everybody spies. Governments, businesses, individuals, loosely-affiliated hacktivist organisations and criminal gangs. They all want that precious information.

          • by Bert64 ( 520050 )

            And how exactly would it do that?
            There are CAs in most of the countries where such agencies are based, as well as plenty of others that could potentially have been compromised... Your browser will trust any one of hundreds when connecting to an SSL site.

            • That works for targeted monitoring with MITM attacks. Try that on a population scale, and it will be easy to detect. Injecting MITM attacks is also more expensive and riskier than passive monitoring - it can be detected.

          • It's also to protect you from snooping by the KGB.

            Great stuff! So it secures my ISP as well? Will it wax my car too?

            Yeah - I know, it only secures content after the connection. But seriously - given the level of government stupid when it comes to data security, and the number of CA compromises it seems like lipstick on a pig.

            Still - like a crash helmet instead of a parachute when you jump from a plane, it's better than nothing. (or is that "less worse"?)

          • by q4Fry ( 1322209 )

            The precious information on public .gov websites?

      • OMG, the government might snoop on which government websites you visit by orchestrating a MITM attack!

        Or.... they could simply look at their own server logs?

      • by rtb61 ( 674572 )

        In this case, they know exactly what they are up to in other countries hence they understand the need to implement https at home. Finnaly some stuff from the hugely offensive side of the NSA is trickling down to the defensive poor second cousin side of the NSA.

    • What supreme court ruling? I missed it i guess. All i know about is a second circuit ruling.

    • You do realize NSA can just query all the government websites' databases and logs for whatever you look at and post to these secure websites right? HTTPS doesn't prevent NSA from looking at your activies on a government website. Please don't be retarded.
  • by Ada_Rules ( 260218 ) on Wednesday June 10, 2015 @07:06PM (#49887713) Homepage Journal
    So, we'll keep locking people in rape cages for growing plants, pulling guns on unarmed teens and going through security theater in air ports with a 90% detection failure rate....But finally I can do https://whitehouse.gov/ [whitehouse.gov] to vote on a bogus petition with no effect. My confidence is restored thusly.
  • ... and may reduce their confidence in their government.

    I think we all have plenty of confidence, just not the kind they are looking for...

  • by Anonymous Coward

    Rather than take the time to understand their perimeter and data it exposes they want to "protect" everything with HTTPS. Which probably doesn't make sense for static, non interactive services.

    This says a lot about their security program...

    • Rather than take the time to understand their perimeter and data it exposes they want to "protect" everything with HTTPS. Which probably doesn't make sense for static, non interactive services.

      This says a lot about their security program...

      And the people who are deciding what to do next in said program...

      • This says a lot about their security program...

        And the people who are deciding what to do next in said program..

        Those people are Jackson, Grant, and Franklin.

        I've heard they speak quite loudly.

        Strat

    • by heypete ( 60671 )

      Rather than take the time to understand their perimeter and data it exposes they want to "protect" everything with HTTPS. Which probably doesn't make sense for static, non interactive services.

      Perhaps, but it also helps protect against content injection or manipulation (e.g. ad injection by shady ISPs), snooping by third parties (e.g. hotel or coffee-shop networks), etc.

      Honestly, there's very little reason *not* to encrypt data these days.

  • by penguinoid ( 724646 ) on Wednesday June 10, 2015 @07:27PM (#49887813) Homepage Journal

    Wait, I thought government as trying to fight encryption, not require it.

  • by account_deleted ( 4530225 ) on Wednesday June 10, 2015 @07:32PM (#49887863)
    Comment removed based on user account deletion
    • Oh God! HTTPS! I'm fucking invisible now! Thank you Slashdot! (SIGNAL LOST)....
    • That's not how HSTS preload works. Or rather, it is, but you're missing a vital step. The preload list won't accept sites that don't specify the "preload" flag in their Strict-Transport-Security header. It ought to go without saying that they won't accept sites which don't serve HTTPS at all...

      The max-age and includeSubDomains directives are relevant to browsers. The preload directive is relevant to HSTS preload list maintainers (or rather, to their servers). I guess the government could try coercing the pr

      • Getting the .gov and .mil TLDs into the HSTS preload list would be amazing. I helped get ~20 .gov second-level domains into the HSTS preload list in February, and mentioned getting .gov into the preload list at the end:

        https://18f.gsa.gov/2015/02/09... [gsa.gov]

        The .gov TLD is a challenge, though, as it is used by state and local governments and other public services, like libraries, utility companies, etc. There are over 5,300 in total, and only ~1,350 of them are federal government.

        https://18f.gsa.gov/2014/1 [gsa.gov]

  • No?

    Then they should probably leave it unencrypted. They wouldn't want to be TOO blatant with their hypocrisy.

  • Meanwhile, the US government is trying to add known threats to HTTPS communications.

  • MAKE UP YOUR FUCKING MINDS!

    Obama: Gov't Shouldn't Be Hampered By Encrypted Communications
    http://yro.slashdot.org/story/... [slashdot.org]

    FBI's James Comey: the Man Who Wants To Outlaw Encryption
    http://yro.slashdot.org/story/... [slashdot.org]

    Meanwhile ./ got their HTTPS sliced and DICED away.
    As I post this, it's plain text HTTP.

    • There's no contradiction. The government is only opposed to encryption that stops them monitoring people. For example, they really don't mind if facebook uses https, because they have several legal avenues* at their disposal to obtain private messages straight from Facebook. Encrypted government sites is no problem for the same reason. They would object to people using https to access sites hosted outside the US, or to end-to-end encryption software like Retroshare or OTR.

      *Which run a wide spectrum of legit

    • MAKE UP YOUR FUCKING MINDS!

      They have made up their minds if you read the links. The government is adamant they want everyone to use encryption and every encryption to have a back door. They are being quite consistent with their demands.

  • White House = home and office of the president.
    Whitehouse = senator from Rhode Island.

    Since both are involved in federal government, the space kinda matters.

  • by HEMI426 ( 715714 ) on Thursday June 11, 2015 @02:26AM (#49889143) Homepage

    Can they mandate that all of the services their departments offer for employees for work play nice with the latest version of Java within X number of days after a new Java release? Can they mandate that their training stuff not use Flash, Silverlight, or some other non-standard garbage that causes issues for non-Windows users? Dumping Oracle Forms for a bunch of their purchasing systems would be swell, too. Switching VPN providers three times in two years, as well as a revolving door of AV clients is also kind of a drag, as is having several pieces of tech ram-rodded down our throats in emergency fashion, but never used again...The digital signature pad comes to mind.

    Cheers,

    One very annoyed Federal "IT Specialist"

  • Let's hope they are a little more thorough than whoever was responsible for making sure Secretary Clinton only used the State Department email system for official communications.

Fast, cheap, good: pick two.

Working...