Whitehouse Mandates HTTPS For Government Sites and Services
Bismillah writes: As per orders from Tony Scott, the government CIO, all federal agencies with publicly accessible websites must provide service only through a secure HTTPS connection. "Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards," according to his memo. "This leaves Americans vulnerable to known threats, and may reduce their confidence in their government."
Many are already using HTTPS and IPv6 (Score:5, Informative)
It's not like this is a new initiative, or that we didn't have dry runs a few years ago.
It's just a few recalcitrant holdouts being told: "Switch or Die".
Re: (Score:1)
Yeah but now they are pushing to make encryption illegal--except when they do it, apparently.
Re: (Score:1)
Yeah but now they are pushing to make encryption illegal--except when they do it, apparently.
The directive is for federal agencies.
You can do whatever you want, so long as you're not contracting to the feds.
Re: (Score:2)
If HTTPS is so insecure, I would expect a lot more stories about a lot of our banking, medical and other forms of commerce being hacked via the https protocol. So far, other than the SSL bug, the hacking was done mainly with insecure devices, easy passwords or inside jobs.
Perhaps you are talking about other areas in https communication such as the insecure call to a site, or how the browser stores the info. Or the lack of verification of official certificate authorities.
Re: (Score:2, Interesting)
Yes, I was referring to the way CAs work. The current trust model makes TLS/SSL connections susceptible to government-sponsored MITM attacks. They can do it either by mandating the CAs to hand out their PKs or by hacking them without consequences like we've seen before. There is a single point of failure in TLS/SSL authentication and that point has failed long ago.
Re: (Score:1)
At which point I now expect the Republican presidential candidates to start bitching about this abuse of executive power.
Re: (Score:2, Insightful)
OK, but explain to me why https://www.nasa.gov/ [nasa.gov] needs SSL/TLS at all, including the ongoing costs to maintain certificates and infrastructure, when it's a purely informational site?
It's like insisting that posters of cars should be retrofitted with air-bags and collision detection.
Re: (Score:1)
1. to prevent MITM modifications, even if that is just your asshole ISP inserting "ads" into websites
2. there is very little costs for certificates
3. it has nothing to do with "retrofitting".
Remember when they mandated DNSSEC? Did US government collapse? No? There you go.
Require .gov TLD ? (Score:2)
Why not require a .gov TLD as well?
Re: (Score:1)
Because it also includes .mil
Re:Require .gov TLD ? (Score:5, Informative)
and .edu, I'd guess.
Those are almost all state, local, or private. But there are a few run by the feds, such as www.usma.edu [usma.edu] and www.usna.edu [usna.edu], which default to vanilla http.
Re: (Score:2)
A big question for .edu is do research universities that get large amounts of funding have to go https as well.
We know that this will apply to public-facing websites, so technically that would apply to a medical research hospital as part of a university (quite a few of those), but will it include small labs using fed grants as well? Presumably if external facing.
A lot of such websites, like a crystallography beam website, are internal only, so they don't count, but it's not that big a deal. However, most o
Re: (Score:3)
A big question for .edu is do research universities that get large amounts of funding have to go https as well.
Not because of this directive. Federal grants do not a federal agency create.
We know that this will apply to public-facing websites, so technically that would apply to a medical research hospital as part of a university
Public-facing federal websites. If you are a federally operated University, yes. Otherwise, no. USNA, USAFA, West Point, yes. UW, no.
Re: (Score:1)
A lot of UW stuff runs out of the VA facilities. However, the components of that are frequently cohosted.
(caveat - we already do https and IPv6 so it's not a problem, but might be for others like John Hopkins)
Re: (Score:2)
A lot of UW stuff runs out of the VA facilities.
That doesn't make UW a federal agency. UW websites aren't publicly-facing federal websites because of it.
but might be for others like John Hopkins
You mean this [wikipedia.org] Johns Hopkins? The private research university? Why do you think they are a federal agency?
Re: (Score:2)
(caveat - we already do https and IPv6 so it's not a problem, but might be for others like John Hopkins)
I don't know who John Hopkins is. Does he work at Johns Hopkins?
Re: (Score:2)
There's more than one "UW".
Does it matter? From the context, it's pretty clear that "U" stands for "university" somewhere in the US. Do you know of a "University of anything that starts with W" in the US that would become a federal agency just by accepting federal research grant money? I don't. That's the point.
nobody knows what you mean unless you're from the same state as you.
I always come from the same state as me. And people in other states can pretty much figure out it doesn't matter which UW we're talking about.
Oh the irony (Score:5, Insightful)
Commanding the NSA to continue violating the Constitution and sucking up our data despite the Supreme Court's ruling that it is illegal. And this is the same gov't that wants to weaken encryption... yet they want to use it at the same time.
Re: (Score:1)
Exactly! And in this case, the NSA can probably get their hands on the server certificate / signing keys quite easily.
Not exactly a trustworthy organisation when they actively treat the entire world - including their own citizens - with suspicion.
Re:Oh the irony (Score:5, Funny)
Jebus Christ. Seriously?
HTTPS on government sites isn't to protect you from snooping by the NSA. It's to protect you from the neighbors' kids, and random hackers around the world.
Not everything is about the NSA all the time. This is a good thing, even if it doesn't shut down the NSA.
Re: (Score:1)
Oh... you mean like thinking HTTPS stops anyone from seeing the URL you just visited so they can view it for themselves?..... yeah, some people just don't get that.
Re:Oh the irony (Score:4, Informative)
Thanks to SNI and IPv4 forcing everyone to host multiple sites on one address (but I repeat myself) SSL does now leak the hostname you are attempting to request during the handshake so the server can select a certificate.
Re: (Score:1)
Thanks to SNI and IPv4 forcing everyone to host multiple sites on one address (but I repeat myself) SSL does now leak the hostname you are attempting to request during the handshake so the server can select a certificate.
The hostname is leaked in the server response (it has to respond with the public certificate); the encryption doesn't start until after the server has disclosed who it is. Your frustration seems misplaced. Even if it was encrypted, a second connection can fish the certificate themselves.
Re: (Score:2)
The host name is provided by the client during the TLS negotiation. If the server were to go first, so-to-speak, it might have to send hundreds or more host names if it's hosting a lot of sites, and that would be slow and an ugly information leak (to be able to hit one IP address and discover all of the sites behind it).
Re: (Score:1)
The client doesn't provide the hostname without SNI (yes, I realize almost every client follows RFC 3546 anyway), nor is it compelled to for the exception of the IPv4 servers that require it. However, the server always ends up sending back an unencrypted public certificate, with or without SNI, and that certificate will include the hostname.
I phrased my other post poorly, and should have pointed out the exact issue I was referring to; you can't hide hostnames just by ditching SNI.
Re:Oh the irony (and the starchy) (Score:2)
How interesting. How does my browser hide the initial certificate request, um, from the ISP and every other nosy hop? (obviously the prior DNS request is done using anonymous encrypted pigeons). Is there a show on Discovery Channel that could explain it in terms I could understand? Thanks.
Oh - one other thing... this will make DNSSEC redundant right - 'cause the HTTPS certificate will guarantee the site is not being spoofed(??). Brilliant stuff. I'll sleep better knowing the internets are safe at last/agai
Re: (Score:2)
A hostname/IP is not a URL. It is part of a URL, but there is more information in a URL and the entirety of the URL is not viewable as the original poster claimed.
Your browser and the server do certificate exchange before your browser requests the page on the server you're interested in.
In other words, while using https you can see via hostname/IP that I went to www.google.com however you can NOT see if I requested the main page at "/" or sent a query such as "/?q=goat+porn" or any other information after
Re: (Score:2)
Yeah, what is worse is that some people actually think that a signed SSL certificate is a certification of the safety of website.
Every once in a while I read about some idiot that thought the website was safe because it had a signed SSL cert and gets all bent out of shape because the https site infected his computer and the CA should have not issued the certificate before testing out the website for him.
Re: (Score:2)
Well, https won't protect you from others identifying which site you visited, but the entirety of your GET request is encrypted and that's important. It means if which actual pages you view is protected from snooping unless, say, you're on a work computer and your employer is using some nefarious https proxy that issues certificates to your brows
Re: (Score:3)
Not everything is about the NSA all the time.
Yes, sometimes it's about 3D printing instead.
Re: (Score:1)
This is a good thing, even if it doesn't shut down the NSA.
What if recent SSL exploits were just a smokescreen to allow the NSA to inject some kind of snooping backdoor in that thing. Now they require SSL everywhere to create a false sense of privacy. CONSPIRACY!
Let's boycott SSL!
Re: (Score:2)
The NSA will never be shutdown. The only possible scenario that has the NSA being shutdown is the simultaneous shutdown of every foreign intelligence agency in the world. Scream and stamp your feet if you have to but the NSA is not going away. The spotlight on the NSA over the past couple of years has only resulted in them taking steps to further compartmentalize their operations and beefing up the level of scrutiny they put into their employees when granting security clearances.
Re: (Score:2)
It's also to protect you from snooping by the KGB. And the Chinese, and North Korea, and all the countries in Europe that insist they don't spy on their allies but almost certainly do.
Everybody spies. Governments, businesses, individuals, loosely-affiliated hacktivist organisations and criminal gangs. They all want that precious information.
Re: (Score:2)
And how exactly would it do that?
There are CAs in most of the countries where such agencies are based, as well as plenty of others that could potentially have been compromised... Your browser will trust any one of hundreds when connecting to an SSL site.
Re: (Score:2)
That works for targeted monitoring with MITM attacks. Try that on a population scale, and it will be easy to detect. Injecting MITM attacks is also more expensive and riskier than passive monitoring - it can be detected.
Re: (Score:2)
It's also to protect you from snooping by the KGB.
Great stuff! So it secures my ISP as well? Will it wax my car too?
Yeah - I know, it only secures content after the connection. But seriously - given the level of government stupid when it comes to data security, and the number of CA compromises it seems like lipstick on a pig.
Still - like a crash helmet instead of a parachute when you jump from a plane, it's better than nothing. (or is that "less worse"?)
Re: (Score:1)
The precious information on public .gov websites?
Re: (Score:3)
OMG, the government might snoop on which government websites you visit by orchestrating a MITM attack!
Or.... they could simply look at their own server logs?
Re: (Score:2)
In this case, they know exactly what they are up to in other countries, hence they understand the need to implement https at home. Finally some stuff from the hugely offensive side of the NSA is trickling down to the defensive poor second cousin side of the NSA.
Re: (Score:2)
What Supreme Court ruling? I missed it, I guess. All I know about is a Second Circuit ruling.
Confidence in their government (Score:5, Insightful)
Re: (Score:2)
rape cages for growing plants
Greenpeace should get involved!
Re: (Score:1)
With every hacked CA, they are already in place
confidence? (Score:1)
... and may reduce their confidence in their government.
I think we all have plenty of confidence, just not the kind they are looking for...
This makes me worry. (Score:1)
Rather than take the time to understand their perimeter and data it exposes they want to "protect" everything with HTTPS. Which probably doesn't make sense for static, non interactive services.
This says a lot about their security program...
Re: (Score:2)
Rather than take the time to understand their perimeter and data it exposes they want to "protect" everything with HTTPS. Which probably doesn't make sense for static, non interactive services.
This says a lot about their security program...
And the people who are deciding what to do next in said program...
Re: (Score:2)
Those people are Jackson, Grant, and Franklin.
I've heard they speak quite loudly.
Strat
Re: (Score:3)
Rather than take the time to understand their perimeter and data it exposes they want to "protect" everything with HTTPS. Which probably doesn't make sense for static, non interactive services.
Perhaps, but it also helps protect against content injection or manipulation (e.g. ad injection by shady ISPs), snooping by third parties (e.g. hotel or coffee-shop networks), etc.
Honestly, there's very little reason *not* to encrypt data these days.
Re: (Score:3)
Most .gov sites buy certs from normal CAs, like Thawte and Verisign.
And the requirement isn't for just HTTPS-only, but for also implementing Strict Transport Security [wikipedia.org] and suggesting using Perfect Forward Secrecy [wikipedia.org].
But encryption (Score:5, Funny)
Wait, I thought the government was trying to fight encryption, not require it.
Re:But encryption (Score:5, Insightful)
No, they're trying to compromise encryption, not fight it.
Re: (Score:2)
No problem for the gov - they'll just record every transaction on their web sites AFTER the SSL decryption. And then tell the sheeple that they're working to preserve our privacy. Hypocrites.
Re: (Score:2)
That's not how HSTS preload works. Or rather, it is, but you're missing a vital step. The preload list won't accept sites that don't specify the "preload" flag in their Strict-Transport-Security header. It ought to go without saying that they won't accept sites which don't serve HTTPS at all...
The max-age and includeSubDomains directives are relevant to browsers. The preload directive is relevant to HSTS preload list maintainers (or rather, to their servers). I guess the government could try coercing the pr
Re: (Score:1)
Getting the .gov and .mil TLDs into the HSTS preload list would be amazing. I helped get ~20 .gov second-level domains into the HSTS preload list in February, and mentioned getting .gov into the preload list at the end:
https://18f.gsa.gov/2015/02/09... [gsa.gov]
The .gov TLD is a challenge, though, as it is used by state and local governments and other public services, like libraries, utility companies, etc. There are over 5,300 in total, and only ~1,350 of them are federal government.
https://18f.gsa.gov/2014/1 [gsa.gov]
Are they including a backdoor for US citizens? (Score:2)
No?
Then they should probably leave it unencrypted. They wouldn't want to be TOO blatant with their hypocrisy.
Re: (Score:2)
Please, let's not nuke anything in or from orbit... Further, let's not nuke anything if we can help it..
It's far too messy and has some pretty bad side effects....
Meanwhile... (Score:2)
Meanwhile, the US government is trying to add known threats to HTTPS communications.
FBI wants to kill HTTPS but WH wants it or NOT?! (Score:3)
MAKE UP YOUR FUCKING MINDS!
Obama: Gov't Shouldn't Be Hampered By Encrypted Communications
http://yro.slashdot.org/story/... [slashdot.org]
FBI's James Comey: the Man Who Wants To Outlaw Encryption
http://yro.slashdot.org/story/... [slashdot.org]
Meanwhile ./ got their HTTPS sliced and DICED away.
As I post this, it's plain text HTTP.
Re: (Score:2)
There's no contradiction. The government is only opposed to encryption that stops them monitoring people. For example, they really don't mind if facebook uses https, because they have several legal avenues* at their disposal to obtain private messages straight from Facebook. Encrypted government sites is no problem for the same reason. They would object to people using https to access sites hosted outside the US, or to end-to-end encryption software like Retroshare or OTR.
*Which run a wide spectrum of legit
Re: (Score:2)
MAKE UP YOUR FUCKING MINDS!
They have made up their minds if you read the links. The government is adamant they want everyone to use encryption and every encryption to have a back door. They are being quite consistent with their demands.
White House not Whitehouse (Score:2)
White House = home and office of the president.
Whitehouse = senator from Rhode Island.
Since both are involved in federal government, the space kinda matters.
Re: (Score:2)
It's also the name of a pornography studio.
While they're at it... (Score:3)
Can they mandate that all of the services their departments offer for employees for work play nice with the latest version of Java within X number of days after a new Java release? Can they mandate that their training stuff not use Flash, Silverlight, or some other non-standard garbage that causes issues for non-Windows users? Dumping Oracle Forms for a bunch of their purchasing systems would be swell, too. Switching VPN providers three times in two years, as well as a revolving door of AV clients is also kind of a drag, as is having several pieces of tech ram-rodded down our throats in emergency fashion, but never used again...The digital signature pad comes to mind.
Cheers,
One very annoyed Federal "IT Specialist"
We'll see (Score:1)