Insecure DoD websites... has anyone checked them for having a nasty that's spewing spam? If they can't protect their websites, can they actually protect the country? Enquiring minds and all that.
US Senator Ron Wyden to Pentagon: Encrypt your websites
As if trying to buy a flying fleet of F-35s wasn't enough, now the Department of Defense is being asked to secure its Websites. In a letter [PDF] sent by US Senator Ron Wyden (D-OR) to the DoD's CIO Dana Deasy, Wyden points out that HTTPS and HSTS (to direct browsers to the HTTPS site if they request the unencrypted version) …
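The HSTS mechanism the letter asks for is a policy the browser caches per host after seeing the `Strict-Transport-Security` header over HTTPS; the following is an added example, not text from the article or the letter, of that policy logic with the checks that matter for security: a header received over plain HTTP is ignored (anyone on the path could have injected it), a malformed or repeated directive invalidates the header, `max-age=0` withdraws the policy, `includeSubDomains` extends it downwards only, and an expired entry stops forcing upgrades. The hostnames in the usage section are constructed.

```python
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns (max_age_seconds, include_subdomains), or None if the header is
    invalid: max-age missing or non-numeric, or any directive repeated."""
    max_age, include_subdomains, seen = None, False, set()
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        key, _, value = directive.partition("=")
        key, value = key.strip().lower(), value.strip().strip('"')
        if key in seen:
            return None
        seen.add(key)
        if key == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif key == "includesubdomains":
            include_subdomains = True
        # unrecognised directives such as 'preload' are ignored, as the RFC requires
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Per-host HSTS policy cache, modelled on what a browser keeps."""

    def __init__(self):
        self.entries = {}  # host -> (expiry timestamp, include_subdomains)

    def note_response(self, url, headers, now):
        """Learn a policy from a response. Only HTTPS responses count (RFC 6797
        section 8.1); the same header over plain HTTP carries no authority."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return
        max_age, include_subdomains = policy
        host = parts.hostname.lower()
        if max_age == 0:                     # max-age=0 withdraws the policy
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + max_age, include_subdomains)

    def is_known(self, host, now):
        """True if host, or a superdomain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if now < expiry and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade an http:// URL to https:// when a policy applies (section 8.3):
        port 80 becomes the default 443, any other explicit port is preserved."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname if parts.port == 80 else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed hostnames; timestamps are plain seconds for readability.
    store = HstsStore()
    store.note_response("https://www.example.mil/",
                        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, now=1000)
    print(store.rewrite("http://www.example.mil/login", now=1001))
    print(store.rewrite("http://mail.www.example.mil/", now=1001))
    print(store.rewrite("http://example.mil/", now=1001))   # parent domain is not covered
```

The first request to a host still goes out unprotected, which is why the `preload` directive and browser preload lists exist; the store only helps once a policy has been seen over a clean HTTPS connection.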
COMMENTS
Friday 25th May 2018 03:38 GMT John Lilburne
"it does, however, mean bad security practices"
No it doesn't. Seems you have swallowed a whole bunch of Google crap.
Had another phone call from web host yesterday wanting to sell me some SSL cert. Whining about lack of said site would cause it to be downgraded by Google search. Being as the site has no user login, no user commenting, no sales cart, and is linked to by Washington State University, University of Texas, University of North Carolina, Oxford University, National Academy of Science SF, National Academy of Science Mexico City, British Parliament, University College London, Natural History Museum London, Natural History Museum Venice, etc, etc, it is most likely not going to be downgraded unless Google want to degrade their search.
Thursday 24th May 2018 21:37 GMT Anonymous Coward
Re: "your certificate's from Akamai."
""certificate's" is a valid abbreviation even though it only saves a 'space' key-stroke."
In standard English, this generally happens only with a small number of conventional items, mostly involving verbs. Hence it is rather ambiguous.
================================================================
No, in standard English, it almost always arises from the combination of a noun, and the verb 'is'.
Depending on the context, an enormous number of nouns will fit. Next can come a noun, verb, adjective, or adverb, possibly with a preposition or other connector or modifier:
The apple's red.
The plane's slowly descending.
The rocket's flying.
The team's a joke.
Dinner's ready.
Pronouns also work, and can appear with a plural form of 'to be' as in "They're coming to visit tomorrow."
Tense may also vary:
The ship's already reached the dock.
There is very little ambiguity in the above sentences due to syntactic modification of the form.
Any ambiguity lies in unstated context or definitions of nouns, verbs, etc. which would exist regardless of the exact syntax used.
For example, 'He's had a good run' is ambiguous because of the uncertainty in the noun referenced by 'he' and the myriad of meanings of 'run' which could fit the sentence - there are over a hundred recognized meanings including nouns, verbs, and adjectives the last time I counted in a good dictionary (the full Oxford, in many volumes - it was a good break from many hours doing math).
It's not the syntax, it's the unstated definition and connotations that provide room to get confused.
In fact, the conversation of educated native speakers of English is rife with examples of such forms - and the speech of other people who have become familiar and facile with the language.
Friday 25th May 2018 09:20 GMT Anonymous Coward
Re: "your certificate's from Akamai."
"No, in standard English, it almost always arises from the combination of a noun, and the verb 'is'."
Utterly wrong. See for instance http://m.sussex.ac.uk/informatics/punctuation/apostrophe/contractions
All of your examples are terrible English. They would be downmarked on say essays or English papers as they cannot be easily differentiated from the possessive form and are therefore ambiguous and are not considered acceptable formal English.
Thursday 24th May 2018 16:04 GMT bombastic bob
I think it's time that the DoD stop using 3rd parties (especially akamai) for certs and ONLY issue their own. Browser makers will just have to get on board and recognize the DoD's root certs.
If they won't, then it's time for the DoD to "issue its own browsers", too. Wouldn't be that hard...
Thursday 24th May 2018 16:20 GMT Lee D
To be a CA you have to have a certain amount of transparency.
Putting the DoD in as a trusted root to all browsers worldwide is going to raise eyebrows.
It will literally allow them to pretend to be ANY secure website in the world (pinning etc. notwithstanding).
I know I wouldn't be happy to accept a US military agency to have a certificate root on my machines, and I'm just a personal user. Can you imagine, say, the Chinese government allowing it?
(I'm sure, if they wanted to, they could get into my machine - it doesn't mean I should give them a master key to do so, however)
What will happen is that browsers won't be able to put those roots in without MASSIVE backlash and potentially losing market share.
You want to be a CA? Be a CA and follow the same procedures as all the other CAs, including external audit of their security. I'm not at all sure the DoD would allow that to happen.
Thursday 24th May 2018 17:14 GMT tom dial
Yet perhaps you are happy to trust a built in certificate from this issuer?
TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
which, on my browser, shows up as expired.
As far as I understand, having the CA certificate installed in the browser mainly automates (and with some browser/browser settings) enables site identity verification, key negotiation, and link encryption for sites using keys the CA signed. And any or all of the installed certificates can be disallowed at your option.
Thursday 24th May 2018 05:59 GMT Pascal Monett
Why is self-signed such a bad idea?
If the DoD creates a master certificate and all other military sites get theirs from the DoD, what's the problem ?
Trusted certificates only mean they have been signed by a Cert Authority that is recognized by a central organism and we've seen that go badly already.
I think it wouldn't be such a bad idea to have all military sites of a country have their own trusted authority. Sounds good from a security perspective, IMO.
Thursday 24th May 2018 06:14 GMT Serg
Re: Why is self-signed such a bad idea?
While your utopian idea is all well and good, the problem is that the largest PKI trust chain out there - which includes the most common Web browsers - doesn't recognise the DoD as a trusted root CA. So, you know, might want to fix that first - provided they can satisfy the other members that they're trustworthy.
Trust me, I'm a network engineer.
(DYSWIDT?)
Thursday 24th May 2018 16:09 GMT bombastic bob
Re: Why is self-signed such a bad idea?
"the problem is that the largest PKI trust chain out there - which includes the most common Web browsers - doesn't recognise the DoD as a trusted root CA"
sounds like "someone" didn't pay "someone else" enough PAYOLA to 'play in their sand box'.
Yeah, I bet it's POLITICAL. Well, my earlier suggestion was for the DoD to issue their own root certs (being their own root CA basically) _AND_ at the same time, if "the world" won't play, then they ISSUE THEIR OWN BROWSER, too.
While they're at it, I'd appreciate a firefox fork that had the "old school" interface (no flatso Australis, no hamburger, 3D looking buttons, nice colors). And, of course, one that ACCEPTS the DoD's CA.
Thursday 24th May 2018 21:50 GMT Anonymous Coward
Re: Why is self-signed such a bad idea?
"And, of course, one that ACCEPTS the DoD's CA."
Which you should be able to configure yourself, relatively easily. The only person you may hurt that way is yourself and anyone who uses one of your browser instances.
Some of us would rather have the trusted CAs a little more dependent on doing a good, reasonably honest job on pain of bankruptcy, rather than a single nation government body that has a definite set of agendas and funding independent of what they do with certs.
Thursday 24th May 2018 16:23 GMT Pascal Monett
@ Serg
Please excuse me, but the fact that the largest whatever trust chain out there does not recognize DoD as a trusted root chain is neither here nor there. I'm not expecting anyone's browser to be happy about it, I'm expecting the people who need to access DoD websites to know that they're accessing the right ones.
Your remark tells me that browsers are basically beholden to the largest trust chain, which means that I can't trust who I choose to trust. For Joe User that may be a very good thing and I do not dispute that, but for specific military users, I'm not convinced that that is so useful.
Thursday 24th May 2018 22:05 GMT Anonymous Coward
Re: @ Serg
"Your remark tells me that browsers are basically beholden to the largest trust chain, which means that I can't trust who I choose to trust."
That's not it.
Every time you trust another CA, you provide a pre-built conduit for MITM attacks. That's why the number of universally trusted CAs should be as small as is practicable for the majority of users.
If you belong to a specific subpopulation willing to trust a specific organizational CA, you can add their root cert to your browser and you're done. Organizations do it as a matter of course, to spy on secure web sessions originating from corporate or government machines... sometimes for operational purposes, sometimes for security purposes, but never, ever, ever for abusive purposes - just ask them.
I do not trust any browser with a locally added root cert to maintain privacy or security.
If you want privacy at the very least, boot into your own OS and use your own clean browser instance... far better to use your own computer and a VPN tunnel to the Internet outside your current local network, or wait till you are somewhere else if that is not practical.
Here we are looking at consolidating all the MITM decryption / re-encryption into specialized hacking boxes so all the different snooping tools - network monitor/recorder, intrusion prevention, loss prevention, policy based firewall, filter proxy, etc - don't have to do the same work repeatedly... we'll just put in a decrypted VLAN, and route the traffic through each in turn before packing it up again and wiping off the fingerprints.
Limiting automatically trusted CAs and certs is far better than exposing every browser user in the world to another attack vector.
Thursday 24th May 2018 21:44 GMT Anonymous Coward
Re: Why is self-signed such a bad idea?
"While your utopian idea is all well and good, the problem is that the largest PKI trust chain out there - which includes the most common Web browsers - doesn't recognise the DoD as a trusted root CA. So, you know, might want to fix that first - provided they can satisfy the other members that they're trustworthy."
Of course, no one in the DoD would ever find a reason to impersonate someone else's server....
....
....
...
um, moving on...
Thursday 24th May 2018 07:55 GMT tom dial
Re: Why is self-signed such a bad idea?
DoD has operated an internal CA for quite a few years. They install the necessary stuff on machines used internally and for telework and provide the certificates for internally developed or operated applications. I do the same on my internal private network.
Thursday 24th May 2018 17:25 GMT tom dial
Re: Why is self-signed such a bad idea?
I don't know whether the DoD root certificates (and there are a number) still are available publicly, but they used to be. If obtained in a reasonably secure way and installed manually in a browser, the second purpose also would be satisfied, I believe.
I recall doing that a number of years ago when I worked for DoD and they required most accesses to be made through their VPN using government owned and maintained equipment.
Saturday 26th May 2018 09:34 GMT Adam 1
Re: Why is self-signed such a bad idea?
> - To encrypt the connection to the endpoint.
> - To verify that the endpoint is the intended recipient.
> Self-signed combats the first but not the second.
A subtle point here that I suspect Lee understands but others may have missed.
The first point is more correctly stated as "To encrypt the connection to some endpoint". If you deliver your site over a self-signed certificate, you cannot be sure that the self-signed certificate presented to the browser is the one you sent. Here is the scenario in action.
1. Alice visits bob.com from Mallory's internet cafe.
2. Mallory intercepts the initial clienthello negotiation and sends a fake serverhello with a self-signed bob.com certificate.
3. Simultaneously, Mallory does her own clienthello to the real* bob.com and negotiates everything from there.
4. When Mallory gets the response back from bob.com, she decrypts it with the negotiated session key between her and the real site, then re-encrypts that stream with the session key she negotiated with Alice.
5. The process is reversed for sending any requests to the server.
Realise that neither Alice nor Bob sees anything unusual in this interaction. Alice would be informed by a big red warning box in her browser that the certificate is untrusted. The problem in our scenario is that this is exactly the error she will see when communicating with bob.com without Mallory in the middle.
*A comment on real site in this context. Even Mallory could not know in this step whether another mitm exists between her and bob.com. It's turtles from there.
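As an added illustration of the scenario above (example code, not part of Adam 1's post): a minimal DER walker that pulls issuer, subject and SubjectPublicKeyInfo out of a certificate, then makes the trust decision a client would make, first with only a trust store and then with a pinned SPKI hash obtained out of band. The certificates are constructed in code with placeholder key and signature bytes, so nothing here is signed or signature-checked; the code models the trust-anchor lookup only, not full chain validation. The names `bob.com`, `Mallory` and `Example Root CA` are taken from or constructed for the scenario.

```python
import base64
import hashlib


def der(tag, payload):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def seq(*items):
    return der(0x30, b"".join(items))


def name(common_name):
    """X.501 Name holding a single CN attribute (OID 2.5.4.3, UTF8String)."""
    attr = seq(der(0x06, b"\x55\x04\x03"), der(0x0C, common_name.encode()))
    return seq(der(0x31, attr))


RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")         # rsaEncryption
SHA256_RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSAEncryption


def make_cert(subject, issuer, key_bytes):
    """Constructed X.509 v3 skeleton: key and signature fields are placeholders."""
    spki = seq(seq(RSA_OID), der(0x03, b"\x00" + key_bytes))
    tbs = seq(
        der(0xA0, der(0x02, b"\x02")),                                  # [0] version v3
        der(0x02, b"\x01"),                                             # serialNumber
        seq(SHA256_RSA_OID),                                            # signature algorithm
        name(issuer),
        seq(der(0x17, b"180524000000Z"), der(0x17, b"190524000000Z")),  # validity
        name(subject),
        spki,
    )
    return seq(tbs, seq(SHA256_RSA_OID), der(0x03, b"\x00" + b"\x00" * 32))


def read_tlv(buf, pos):
    """Decode the TLV at pos -> (tag, value, end); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a SEQUENCE body into (tag, full TLV bytes) for each child."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = read_tlv(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out


def parse_certificate(cert_der):
    _, cert_body, _ = read_tlv(cert_der, 0)               # Certificate
    _, tbs, _ = read_tlv(children(cert_body)[0][1], 0)    # tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                              # skip the optional explicit version
        fields = fields[1:]
    # remaining order: serial, signature alg, issuer, validity, subject, spki, ...
    return {"issuer": fields[2][1], "subject": fields[4][1], "spki": fields[5][1]}


def spki_pin(cert_der):
    """RFC 7469 style pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    digest = hashlib.sha256(parse_certificate(cert_der)["spki"]).digest()
    return base64.b64encode(digest).decode()


def is_self_signed(cert_der):
    cert = parse_certificate(cert_der)
    return cert["issuer"] == cert["subject"]


def judge(cert_der, trust_anchors, pins=None):
    """Trust decision as a client makes it, minus signature checks.
    trust_anchors: issuer Name DERs the client trusts (its root store).
    pins: optional SPKI pins learned out of band; without them, Bob's own
    self-signed certificate and Mallory's look identical to the browser."""
    cert = parse_certificate(cert_der)
    if pins is not None:
        return "TRUSTED (pin match)" if spki_pin(cert_der) in pins else "REJECT (pin mismatch)"
    if cert["issuer"] in trust_anchors:
        return "TRUSTED (issuer in trust store)"
    return "UNTRUSTED (self-signed or unknown issuer)"


# Constructed certificates for the scenario: Bob's genuine self-signed cert,
# Mallory's self-signed cert for the same name with her own key, and a
# CA-issued cert for Bob's key.
BOB_CERT = make_cert("bob.com", "bob.com", b"bob-key-placeholder-0000000000")
MALLORY_CERT = make_cert("bob.com", "bob.com", b"mallory-key-placeholder-000000")
CA_SIGNED_CERT = make_cert("bob.com", "Example Root CA", b"bob-key-placeholder-0000000000")
TRUST_STORE = {name("Example Root CA")}

if __name__ == "__main__":
    for label, cert in (("Bob", BOB_CERT), ("Mallory", MALLORY_CERT), ("CA-issued", CA_SIGNED_CERT)):
        print(label, judge(cert, TRUST_STORE), "pin:", spki_pin(cert))
    print("Bob with pin:", judge(BOB_CERT, TRUST_STORE, {spki_pin(BOB_CERT)}))
    print("Mallory with pin:", judge(MALLORY_CERT, TRUST_STORE, {spki_pin(BOB_CERT)}))
```

Run as a script, the two self-signed certificates produce the same verdict and the same warning; only the pin, or an issuer already in the trust store, separates them, which is the point the post makes about a self-signed certificate providing encryption to "some endpoint" but no identity.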
Thursday 24th May 2018 06:27 GMT lglethal
Here's an Idea
Maybe we need to convince Americans that Encryption is like a gun (maybe by calling it something like WEAPON (Website Encryption to Add protection On the iNternet)). And that every American (website) needs to have a WEAPON to defend itself.
And since it's all about the protection offered by your gun, sorry WEAPON, and not about having the biggest shiniest thing on the market, then we could be sure that every American website would suddenly implement the biggest strongest WEAPON it could have.
Then we can convince the Courts that the second amendment was really talking about online WEAPONs as well, and we can kill off the FBI's and NSA's attempt to back door and destroy encryption. We all win!
Get to it my American friends! Get to it!
Thursday 24th May 2018 16:15 GMT bombastic bob
Re: Here's an Idea
"Maybe we need to convince Americans that Encryption is like a gun"
Back in the early 90's, it was. Exporting encryption technology carried restrictions such that "strong" encryption technology could not be exported. This resulted in a number of _BAD_ things, from 'weak' https in U.S.-written web browsers, to Korea's SEED encryption (which is ActiveX based among other BAD things).
So yeah, this paradigm of 'encryption as a weapon' - already tried, and the unintended consequences were just *BAD*.
Thursday 24th May 2018 16:19 GMT Bill Gray
Re: Here's an Idea
You jest, but I do wonder if you may be on to something here.
I would submit to the Court that encryption has been subject to weapons export restrictions under US law in the past. In effect, it is already the stance of the US Government that encryption is a weapon. Further, the language of the Second Amendment (the bit about "a well-regulated Militia") makes it clear that the intent of its authors was to ensure the ability of citizens and individual States to resist tyranny. Communicating without governmental eavesdropping is clearly important to that ability.
Thursday 24th May 2018 07:33 GMT Anonymous Coward
Speaking of authority
It's probably hard for others in the DoD to take anything that comes out of OPM seriously (and by extension, anything coming from D-Wyden and a former ACLU operative). Given that OPM hosted the most colossal national security breach of all time when Chinese intelligence hacked its entire excruciatingly detailed database of all U.S. govt. security-clearance holders past and present (21M) - during which the head of OPM continued to tour and sing the praises of "diversity-hiring" in her agency - the agency has a credibility problem of its own. Many probably see its high-minded attempts to secure admittedly sloppy security in the DoD as more of a diversion than a serious attempt to effectively remedy the problem.
Friday 25th May 2018 02:37 GMT JBowler
He gets my vote, and I'm a registered Republican
Wyden has been consistently pushing tech issues, and pushing them in the right direction. He got my vote in 2016 and, so far, he is going to get it again in 2022.
In the US we rely on the Senate to push the Federal government in the right direction - the senators have six year terms compared to the president's four and they tend to gravitate to fixed and fairly representative positions as a result.
Whatever the "abolish the government" part of the Republican party may say there are real parts of the government that can actually be fixed and, in that respect, it's not different to the UK government. Government website security *and* accessibility are real issues that have to be fixed in both countries. That really is the job of the Senate in the US (not sure who is responsible in the UK, last I knew you were using Round Tuit's).