US Senator Ron Wyden to Pentagon: Encrypt your websites

As if trying to buy a flying fleet of F-35s wasn't enough, now the Department of Defense is being asked to secure its Websites. In a letter [PDF] sent by US Senator Ron Wyden (D-OR) to the DoD's CIO Dana Deasy, Wyden points out that HTTPS and HSTS (to direct browsers to the HTTPS site if they request the unencrypted version) …

  1. Mark 85
    Facepalm

    Insecure DoD websites... has anyone checked them for having a nasty that's spewing spam? If they can't protect their websites, can they actually protect the country? Enquiring minds and all that.

    1. Serg

      Lack of encryption in this case doesn't necessarily mean a vulnerable website - it does, however, mean bad security practices and a distinct lack of giving a toss about the site visitors' privacy.

      1. John Lilburne

        "it does, however, mean bad security practices"

        No it doesn't. Seems you have swallowed a whole bunch of Google crap.

        Had another phone call from web host yesterday wanting to sell me some SSL cert. Whining about lack of said site would cause it to be downgraded by Google search. Being as the site has no user login, no user commenting, no sales cart, and is linked to by Washington State University, University of Texas, University of North Carolina, Oxford University, National Academy of Science SF, National Academy of Science Mexico City, British Parliament, University College London, Natural History Museum London, Natural History Museum Venice, etc, etc, it is most likely not going to be downgraded unless Google want to degrade their search.

    2. TheVogon

      "CIO Dana Deasy, your certificate's from Akamai."

      Is it just me or does this not make sense - Your certificate's what is from Akamai? Surely an extra apostrophe or missing "are"?

      1. Anonymous Coward

        "your certificate's from Akamai."

        Your certificate is from Akamai.

        "certificate's" is a valid abbreviation even though it only saves a 'space' key-stroke.

        1. Anonymous Coward

          Re: "your certificate's from Akamai."

          ""certificate's" is a valid abbreviation even though it only saves a 'space' key-stroke."

          In standard English, this generally happens only with a small number of conventional items, mostly involving verbs. Hence it is rather ambiguous.

          1. Anonymous Coward

            Re: "your certificate's from Akamai."

            ""certificate's" is a valid abbreviation even though it only saves a 'space' key-stroke."

            In standard English, this generally happens only with a small number of conventional items, mostly involving verbs. Hence it is rather ambiguous.

            ================================================================

            No, in standard English, it almost always arises from the combination of a noun, and the verb 'is'.

            Depending on the context, an enormous number of nouns will fit. Next can come a noun, verb, adjective, or adverb, possibly with a preposition or other connector or modifier:

            The apple's red.

            The plane's slowly descending.

            The rocket's flying.

            The team's a joke.

            Dinner's ready.

            Pronouns also work, and can appear with a plural form of 'to be' as in "They're coming to visit tomorrow."

            Tense may also vary:

            The ship's already reached the dock.

            There is very little ambiguity in the above sentences due to syntactic modification of the form.

            Any ambiguity lies in unstated context or definitions of nouns, verbs, etc. which would exist regardless of the exact syntax used.

            For example, 'He's had a good run' is ambiguous because of the uncertainty in the noun referenced by 'he' and the myriad of meanings of 'run' which could fit the sentence - there are over a hundred recognized meanings including nouns, verbs, and adjectives the last time I counted in a good dictionary (the full Oxford, in many volumes - it was a good break from many hours doing math).

            It's not the syntax, it's the unstated definition and connotations that provide room to get confused.

            In fact, the conversation of educated native speakers of English is rife with examples of such forms - and the speech of other people who have become familiar and facile with the language.

            1. Anonymous Coward

              Re: "your certificate's from Akamai."

              "No, in standard English, it almost always arises from the combination of a noun, and the verb 'is'."

              Utterly wrong. See for instance http://m.sussex.ac.uk/informatics/punctuation/apostrophe/contractions

              All of your examples are terrible English. They would be downmarked on say essays or English papers as they cannot be easily differentiated from the possessive form and are therefore ambiguous and are not considered acceptable formal English.

    3. bombastic bob Silver badge
      FAIL

      I think it's time that the DoD stop using 3rd parties (especially akamai) for certs and ONLY issue their own. Browser makers will just have to get on board and recognize the DoD's root certs.

      If they won't, then it's time for the DoD to "issue its own browsers", too. Wouldn't be that hard...

      1. Lee D Silver badge

        To be a CA you have to have a certain amount of transparency.

        Putting the DoD in as a trusted root to all browsers worldwide is going to raise eyebrows.

        It will literally allow them to pretend to be ANY secure website in the world (pinning etc. notwithstanding).

        I know I wouldn't be happy to accept a US military agency to have a certificate root on my machines, and I'm just a personal user. Can you imagine, say, the Chinese government allowing it?

        (I'm sure, if they wanted to, they could get into my machine - it doesn't mean I should give them a master key to do so, however)

        What will happen is that browsers won't be able to put those roots in without MASSIVE backlash and potentially losing market share.

        You want to be a CA? Be a CA and follow the same procedures as all the other CAs, including external audit of their security. I'm not at all sure the DoD would allow that to happen.

        1. tom dial Silver badge

          Yet perhaps you are happy to trust a built in certificate from this issuer?

          TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3

          which, on my browser, shows up as expired.

          As far as I understand, having the CA certificate installed in the browser mainly automates (and with some browser/browser settings) enables site identity verification, key negotiation, and link encryption for sites using keys the CA signed. And any or all of the installed certificates can be disallowed at your option.

  2. Pascal Monett Silver badge

    Why is self-signed such a bad idea ?

    If the DoD creates a master certificate and all other military sites get theirs from the DoD, what's the problem ?

    Trusted certificates only mean they have been signed by a Cert Authority that is recognized by a central organism and we've seen that go badly already.

    I think it wouldn't be such a bad idea to have all military sites of a country have their own trusted authority. Sounds good from a security perspective, IMO.

    1. Serg

      Re: Why is self-signed such a bad idea ?

      While your utopian idea is all well and good, the problem is that the largest PKI trust chain out there - which includes the most common Web browsers - doesn't recognise the DoD as a trusted root CA. So, you know, might want to fix that first - provided they can satisfy the other members that they're trustworthy.

      Trust me, I'm a network engineer.

      (DYSWIDT?)

      1. Andraž 'ruskie' Levstik

        Re: Why is self-signed such a bad idea ?

        I don't know about you but the pile of bits in my browser that claim they trust each other etc... yeah I don't trust. And stuff that happened over the years with some - not exactly confidence inspiring as well.

      2. Anonymous Coward

        Re: Trust me, I'm a network engineer.

        Well I'm a whale biologist and I think you're right.

        1. chivo243 Silver badge

          Re: Trust me, I'm a network engineer.

          I'm a whale biologist and I think you're smelly ~ Whale Biologist!

        2. Jeffrey Nonken

          Re: Trust me, I'm a network engineer.

          I play Sombra in Overwatch and I agree with this statement.

      3. bombastic bob Silver badge
        Megaphone

        Re: Why is self-signed such a bad idea ?

        "the problem is that the largest PKI trust chain out there - which includes the most common Web browsers - doesn't recognise the DoD as a trusted root CA"

        sounds like "someone" didn't pay "someone else" enough PAYOLA to 'play in their sand box'.

        Yeah, I bet it's POLITICAL. Well, my earlier suggestion was for the DoD to issue their own root certs (being their own root CA basically) _AND_ at the same time, if "the world" won't play, then they ISSUE THEIR OWN BROWSER, too.

        While they're at it, I'd appreciate a firefox fork that had the "old school" interface (no flatso Australis, no hamburger, 3D looking buttons, nice colors). And, of course, one that ACCEPTS the DoD's CA.

        1. Anonymous Coward

          Re: Why is self-signed such a bad idea ?

          "And, of course, one that ACCEPTS the DoD's CA."

          Which you should be able to configure yourself, relatively easily. The only person you may hurt that way is yourself and anyone who uses one of your browser instances.

          Some of us would rather have the trusted CAs a little more dependent on doing a good, reasonably honest job on pain of bankruptcy, rather than a single nation government body that has a definite set of agendas and funding independent of what they do with certs.

      4. Pascal Monett Silver badge

        @ Serg

        Please excuse me, but the fact that the largest whatever trust chain out there does not recognize DoD as a trusted root chain is neither here nor there. I'm not expecting anyone's browser to be happy about it, I'm expecting the people who need to access DoD websites to know that they're accessing the right ones.

        Your remark tells me that browsers are basically beholden to the largest trust chain, which means that I can't trust who I choose to trust. For Joe User that may be a very good thing and I do not dispute that, but for specific military users, I'm not convinced that that is so useful.

        1. Anonymous Coward

          Re: @ Serg

          "Your remark tells me that browsers are basically beholden to the largest trust chain, which means that I can't trust who I choose to trust."

          That's not it.

          Every time you trust another CA, you provide a pre-built conduit for MITM attacks. That's why the number of universally trusted CAs should be as small as is practicable for the majority of users.

          If you belong to a specific subpopulation willing to trust a specific organizational CA, you can add their root cert to your browser and you're done. Organizations do it as a matter of course, to spy on secure web sessions originating from corporate or government machines... sometimes for operational purposes, sometimes for security purposes, but never, ever, ever for abusive purposes - just ask them.

          I do not trust any browser with a locally added root cert to maintain privacy or security.

          If you want privacy at the very least, boot into your own OS and use your own clean browser instance... far better to use your own computer and a VPN tunnel to the Internet outside your current local network, or wait till you are somewhere else if that is not practical.

          Here we are looking at consolidating all the MITM decryption / re-encryption into specialized hacking boxes so all the different snooping tools - network monitor/recorder, intrusion prevention, loss prevention, policy based firewall, filter proxy, etc - don't have to do the same work repeatedly... we'll just put in a decrypted VLAN, and route the traffic through each in turn before packing it up again and wiping off the fingerprints.

          Limiting automatically trusted CAs and certs is far better than exposing every browser user in the world to another attack vector.

      5. Anonymous Coward

        Re: Why is self-signed such a bad idea ?

        "While your utopian idea is all well and good, the problem is that the largest PKI trust chain out there - which includes the most common Web browsers - doesn't recognise the DoD as a trusted root CA. So, you know, might want to fix that first - provided they can satisfy the other members that they're trustworthy."

        Of course, no one in the DoD would ever find a reason to impersonate someone else's server....

        ....

        ....

        ...

        um, moving on...

    2. tom dial Silver badge

      Re: Why is self-signed such a bad idea ?

      DoD has operated an internal CA for quite a few years. They install the necessary stuff on machines used internally and for telework and provide the certificates for internally developed or operated applications. I do the same on my internal private network.

    3. Lee D Silver badge

      Re: Why is self-signed such a bad idea ?

      TLS has two different purposes:

      - To encrypt the connection to the endpoint.

      - To verify that the endpoint is the intended recipient.

      Self-signed combats the first but not the second.

      1. Pascal Monett Silver badge

        @ Lee D

        Now that is an argument that I can understand.

        Thank you for enlightening me.

      2. tom dial Silver badge

        Re: Why is self-signed such a bad idea ?

        I don't know whether the DoD root certificates (and there are a number) still are available publicly, but they used to be. If obtained in a reasonably secure way and installed manually in a browser, the second purpose also would be satisfied, I believe.

        I recall doing that a number of years ago when I worked for DoD and they required most accesses to be made through their VPN using government owned and maintained equipment.

      3. Adam 1

        Re: Why is self-signed such a bad idea ?

        > - To encrypt the connection to the endpoint.
        > - To verify that the endpoint is the intended recipient.
        >
        > Self-signed combats the first but not the second.

        A subtle point here that I suspect Lee understands but others may have missed.

        The first point is more correctly stated as "To encrypt the connection to some endpoint". If you deliver your site over a self signed certificate, you cannot be sure that the self signed certificate presented to the browser is the one you sent. Here is the scenario in action.

        1. Alice visits bob.com from Mallory's internet cafe.

        2. Mallory intercepts the initial clienthello negotiation and sends a fake serverhello with a self signed bob.com certificate.

        3. Simultaneously, Mallory does her own clienthello to the real* bob.com and negotiates everything from there.

        4. When Mallory gets the response back from bob.com, she decrypts it with the negotiated session key between her and the real site, then re-encrypts that stream with the session key she negotiated with Alice.

        5. The process is reversed for sending any requests to the server.

        Realise that neither Alice nor Bob see anything unusual in this interaction. Alice would be informed by a big red warning box in her browser that the certificate is untrusted. The problem in our scenario is that this is exactly the error she will see when communicating with bob.com without Mallory in the middle.

        *A comment on real site in this context. Even Mallory could not know in this step whether another mitm exists between her and bob.com. It's turtles from there.
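
The indistinguishability Adam 1 describes, and the manual-trust fix tom dial mentions, as an added example that is not part of the original thread: two constructed self-signed certificates for the same name fail default validation in exactly the same way, and only a copy of the genuine certificate obtained out of band tells them apart. It assumes the `openssl` CLI is installed; `bob.example` and the file names are placeholders.

```shell
#!/bin/sh
# Constructed demo: "bob" is the genuine self-signed site certificate,
# "mallory" is a second self-signed certificate for the same name.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_self_signed() {  # $1 = file prefix; bob.example is a placeholder name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=bob.example" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Error code reported when the certificate is checked against the default
# trust store only (what a browser with no prior knowledge of the site does).
default_verdict() {  # $1 = certificate presented
  openssl verify "$1" 2>&1 | grep -o 'error [0-9]*' | head -n 1
}

# Check a presented certificate against one manually installed trust anchor.
# The freshly generated certificates are in no system store, so only the
# anchor can make validation succeed.
verify_with() {  # $1 = anchor obtained out of band, $2 = certificate presented
  if openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

# SHA-256 fingerprint, the value a user could compare against a published one.
fingerprint() {  # $1 = certificate
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

make_self_signed bob
make_self_signed mallory

echo "no prior trust, bob:      $(default_verdict "$WORK/bob.crt")"
echo "no prior trust, mallory:  $(default_verdict "$WORK/mallory.crt")"
echo "bob installed, bob:       $(verify_with "$WORK/bob.crt" "$WORK/bob.crt")"
echo "bob installed, mallory:   $(verify_with "$WORK/bob.crt" "$WORK/mallory.crt")"
echo "bob fingerprint:          $(fingerprint "$WORK/bob.crt")"
echo "mallory fingerprint:      $(fingerprint "$WORK/mallory.crt")"
```

The first two lines of output are identical, which is the warning Alice cannot interpret; the next two differ only because the genuine certificate was already installed.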

  3. lglethal Silver badge
    Trollface

    Here's an Idea

    Maybe we need to convince Americans that Encryption is like a gun (maybe by calling it something like WEAPON (Website Encryption to Add protection On the iNternet)). And that every American (website) needs to have a WEAPON to defend itself.

    And since it's all about the protection offered by your gun, sorry WEAPON, and not about having the biggest shiniest thing on the market, then we could be sure that every American website would suddenly implement the biggest strongest WEAPON it could have.

    Then we can convince the Courts that the second amendment was really talking about online WEAPON's as well, and we can kill off the FBI's and NSA's attempt to back door and destroy encryption. We all win!

    Get to it my American friends! Get to it!

    1. Jeffrey Nonken

      Re: Here's an Idea

      I don't know whether to be offended by this or declare it Actually Pretty Funny.

      I think I'll punt, and be offended instead by your use of an apostrophe in a plural. You cad!

    2. bombastic bob Silver badge
      Stop

      Re: Here's an Idea

      "Maybe we need to convince Americans that Encryption is like a gun"

      Back in the early 90's, it was. Exporting encryption technology carried restrictions such that "strong" encryption technology could not be exported. This resulted in a number of _BAD_ things, from 'weak' https in U.S.-written web browsers, to Korea's SEED encryption (which is ActiveX based among other BAD things).

      So yeah, this paradigm of 'encryption as a weapon' - already tried, and the unintended consequences were just *BAD*.

    3. Bill Gray

      Re: Here's an Idea

      You jest, but I do wonder if you may be on to something here.

      I would submit to the Court that encryption has been subject to weapons export restrictions under US law in the past. In effect, it is already the stance of the US Government that encryption is a weapon. Further, the language of the Second Amendment (the bit about "a well-regulated Militia") makes it clear that the intent of its authors was to ensure the ability of citizens and individual States to resist tyranny. Communicating without governmental eavesdropping is clearly important to that ability.

    4. Eddy Ito

      Re: Here's an Idea

      How quickly they forget. Junger v. Daley, Bernstein v. United States, the PGP book, etc.

    5. G.Y.

      munitions

      US law _DOES_ define crypto as munitions. See http://www.mattblaze.org/papers/export.txt

  4. Anonymous Coward
    Mushroom

    Didn't IAF send F-35 into battle recently?

    So probably the F-35 state is better than the Pentagon IT?

  5. Anonymous Coward

    Speaking of authority

    It's probably hard for others in the DoD to take anything that comes out of OPM seriously (and by extension, anything coming from D-Wyden and a former ACLU operative). Given, that OPM hosted the most colossal national security breach of all time when Chinese intelligence hacked its entire excruciatingly detailed data-base of all U.S. govt. security-clearance holders past and present (21M) - during which the head of OPM continued to tour and sing the praises of "diversity-hiring" in her agency - the agency has a credibility problem of its own. Many probably see its high-minded attempts to secure admittedly sloppy security in the DoD as more of a diversion than a serious attempt to effectively remedy the problem.

  6. Adam 52 Silver badge

    Authenticity

    "prove their authenticity ... and consider Let's Encrypt certificates"

    Oh dear.

  7. Alistair
    Windows

    This is from Ron WhyDumb? It will *not* proceed well. It will get up off the ground, travel a short distance in a straight line and collide with the best of intentions before discharging all weapons into Ron's feet.

  8. My other car WAS an IAV Stryker

    DoD (heck, all US.gov) contractors

    They also need to be checked. I think the reasons why are obvious.

    There is usually plenty of language in the prime contracts to ensure contractors are secure -- and apply penalties -- but can that alone be, ahem, trusted?

  9. JBowler

    He gets my vote, and I'm a registered Republican

    Wyden has been consistently pushing tech issues, and pushing them in the right direction. He got my vote in 2016 and, so far, he is going to get it again in 2022.

    In the US we rely on the Senate to push the Federal government in the right direction - the senators have six year terms compared to the president's four and they tend to gravitate to fixed and fairly representative positions as a result.

    Whatever the "abolish the government" part of the Republican party may say there are real parts of the government that can actually be fixed and, in that respect, it's not different to the UK government. Government website security *and* accessibility are real issues that have to be fixed in both countries. That really is the job of the Senate in the US (not sure who is responsible in the UK, last I knew you were using Round Tuit's).
