White House Proposal Urges All Federal Websites To Adopt HTTPS
blottsie writes: In an effort to close security gaps that have resulted in multiple security breaches of government servers, the Obama administration on Tuesday introduced a proposal to require all publicly accessible federal websites to use the HTTPS encryption standard. "The majority of federal websites use HTTP as the primary protocol to communicate over the public Internet," reads the proposal on the website of the U.S. Chief Information Officer. "Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services."
Oh the irony! (Score:2, Interesting)
It hurts right in the NSA
Re: (Score:1)
Hold your horses. Have you seen the host key that they're supposed to use?
Re: (Score:1, Insightful)
Which has little relevance to his administration supposedly worrying about privacy while overseeing and defending the largest domestic surveillance program in history.
What?? (Score:2)
You mean to say they don't currently?
Re: (Score:2)
Currently, I'm on http://it.slashdot.org/ [slashdot.org]
They're doing the 90s Security Secret Sauce thing, where using encryption somehow means security. They don't have a threat model for this; they just said, "Oh, we get hacked sometimes! Turn on HTTPS!"
Breaking news: Republicans against HTTPS (Score:4, Funny)
In the wake of the Obama Administration encouraging use of HTTPS, Ted Cruz was reported as saying that encryption was a government conspiracy to deprive godfearing Americans of their privacy.
Re: (Score:2)
In the wake of the Obama Administration encouraging use of HTTPS, Ted Cruz was reported as saying that encryption was a government conspiracy to deprive godfearing Americans of their privacy.
I'm sure there will be exceptions made for presidential candidates who prefer to run their own web servers from their homes, Hillary style....
Re: (Score:2)
Ask yourself what you would be more likely to transmit over an HTTPS connection aside from financial details.
Interdasting... (Score:4, Insightful)
Re: (Score:1)
Why try to break the encryption, when you can simply man in the middle the connection?
Re: (Score:2)
If only there was some method of validating that party on the other end of a connection is the party you want to contact instead of a man in the middle.
Re: (Score:2)
So that must be why we never heard of man in the middle attacks ever happening in the wild, right? It's not like people have been able to forge certificates, install proxy certificates to man-in-the-middle the traffic, etc. Yeah, that's just all science fiction.
Re: (Score:3)
HTTPS doesn't make MITM attacks impossible, but it does make them much, much harder.
Re: (Score:3)
I'm okay with reducing the man-in-the-middle attack surface to such a small group.
Re: (Score:3)
While those things are possible, they are far from easy. Your garden variety script kiddie can't do that. Even far more skilled types would have to find a way to get malware onto your machine first, and have it go unnoticed. Realistically, only governments can pull off these attacks. While that means https isn't perfect, it's far better to be vulnerable to a few than vulnerable to everyone.
Re: (Score:2)
Far from easy? I think Lenovo customers would like to have a word with you.
Re: (Score:2)
Thanks for sharing that.
Re: (Score:2)
The new source will be hackers once again taking over servers and serving up or injecting their own content.
We still have admins around that can't properly implement a webserver let alone ensure HTTPS is setup properly.
Re: (Score:2)
Or you just simply bought a Lenovo laptop?
Re:Interdasting... (Score:5, Insightful)
Re: (Score:2)
FWIW, just because the NSA does something doesn't mean every other government employee or agency approves or is culturally aligned with that attitude. This effort represents a genuine push by a self-selected group that is privacy-conscious, interested in doing the technically right thing, and for the first time in a position within the government to actually start making the Right Thing reality. Interested in joining us?
https://www.whitehouse.gov/usd... [whitehouse.gov]
https://18f.gsa.gov/ [gsa.gov]
Not just for government. (Score:5, Insightful)
There's virtually no excuse to be running a website without SSL. It doesn't matter what kind of site you run. It should really be law that all sites on the internet move to SSL.
Re: (Score:2)
It should really be law that all sites on the internet move to SSL.
Yeah! Why won't the government finally get on our backs!
Re: (Score:2)
Yeah, and I hear that that OpenSSL library is super secure.
Re: (Score:1)
Not all sites deal in private information.
Re: (Score:2)
Not all sites deal in private information.
Yes, they do. The information I transmit to the site in the form of an HTTP request is something I want to be private from prying eyes. I don't care if it's not anything particularly incriminating! It's just no one else's business but mine and that website.
The things my mom texts me aren't sensitive - "Hi son! Here's a picture of my dog napping outside!" - but they're certainly private and I'd be pissed if I thought anyone was reading them. Every web request, every chat message, every email should be consid
Re: (Score:3)
plus, once you run https, bad fuckers like comcast and verizon won't be able to INSERT ADS into your web stream!
so, its not just about privacy. its also wanting to know that no data is modified en-route and that what you see IS what you got, and not some ISP modified stream that they THINK you wanted, instead.
if you don't want the privacy argument, at least you (in general) should agree that https keeps your data stream from being modified on-the-fly by isps!
Re: (Score:2)
Privacy is in the eye of the individual. Is the location of an AIDS clinic private information? No, but the fact that you're looking for that information could be intensely private. Is the location of a US embassy private? Job postings? Things we think of as non-private information here could get you detained or worse if your Internet connectivity is monitored by an oppressive government. We want the information on government web sites to be useful and for people to feel safe and comfortable accessing
Re: (Score:1)
There's virtually no excuse to be running a website without SSL. It doesn't matter what kind of site you run.
Tell that to the Slashdot developers. They clearly can't do Unicode correctly, what makes you think they are capable of implementing SSL correctly?
Re: (Score:3)
I spent MANY posts trying to convince one of the big electronics (diy style) forums to convert over to https and the admins there either don't get it or simply don't care. It's very sad ;(
eevblog - we're WAITING for you to join the rest of the modern world by turning on https. many of us ask for it but you don't seem to care. I hope you care sooner rather than later.
Re: (Score:2)
I'd also love to know how you'd propose to pass a law outlawing non-SSL sites worldwide.
No, a far saner better approach is to make using SSL certificates both easy and inexpensive, so that it's a no-brainer for anyone administering a site to do. In fact, this is already starting to happen, but it's definitely not there yet.
Re: (Score:2)
Except that it's a massive cash grab, that some servers don't support the use of virtual domains over SSL, that those servers which do require single certificates signed to a *.something domain and those certificates can't be gotten for free, or are even cheap.
Doesn't sound too bad except with the IPv4 space now exhausted there's a hell of a lot of virtual hosting going on online.
If I'm wrong please someone correct me on this because I was using multiple subdomains in a virtual hosting scenario before I dec
Re: (Score:3)
WinXP users still using Internet Explorer (Firefox/Chrome are workarounds), but WinXP is out of support for a year now -- so maybe you should stop pandering to them.
Older versions of Android and iOS - we're talking really old versions (Android 2.x, iOS 3).
Older versions of Windows IIS before 8.x - but Win2003 servers go out of support this coming year, so you should be migrating off.
Two to
Re: (Score:2)
> There's virtually no excuse to be running a website without SSL.
SSL key authentication for distant sites taking many small transactions is expensive, slows the transmission of the critical information, and actually presents an electricity and cooling cost on both ends. For content that is GPG signed separately, such as a bulk website mirroring thousands of software packages and update packages, it can be quite burdensome.
No excuse? BS. (Score:3)
I operate government websites that serve physics data to the public.
HTTPS would require additional CPU for the SSL processing and bandwidth because it would make requests non-cacheable.
Not to mention that it would make the intrusion detection system attached to the router completely useless, so we'd lose a layer of security and it would make it more difficult to detect probing across the network and other 'slow' attacks. It would also prevent us from doing auditing after an exploit is known but before we'v
Re: (Score:2)
Hi oneiros27, please take a look at the open issues and provide your feedback at https://github.com/WhiteHouse/... [github.com]
The "additional CPU" nowadays for SSL is fairly trivial. If you've done some experiments that demonstrate a meaningful performance impact, and you can quantify the costs of that, we'd LOVE your feedback so that we can help you mitigate that or convince you that the benefits are worth the costs. We'd like to see data here.
Likewise with the caching issue. The use of CDNs can mitigate some of th
Re: (Score:2)
Who's going to pay for the CDN? My data is growing at > 1TB/day, and I have no idea what's going to be of interest on any given day.
And as for CPU cost ... are you going to pay for the sysadmin time to migrate all of our services? Or any of the other solutions that you're proposing?
Our servers have been certified as 'low' risk for years, because we're specifically distributing data with *no* access restrictions. We've had to fight for our 'low' ... and then have to explain to the security auditors eve
Re: (Score:2)
Who's going to pay for my car insurance? In 20 years I've never had an accident, why should I need to have insurance?
Re: (Score:2)
Not similar. OP curates data that is supposed to be freely available, so hacking in to get data is irrelevant (although it's probably easier to use the provided interface). There's other things hackers can do, but I don't see how they're made more difficult by using HTTPS.
Re: (Score:2)
Please follow up at https://github.com/WhiteHouse/... [github.com]. We are keen to understand these issues and find solutions. We also do know a thing or two about web hosting and HTTPS.
Re: (Score:2)
Remember when Google switched GMail from HTTP to mandatory HTTPS back in 2010? You know what they had to do to cover the new TLS overhead in CPU, memory, and network bandwidth? Nothing [imperialviolet.org]. The biggest thing they did was patch OpenSSL to reduce memory per connection, and that patch has already been integrated upstream.
I'm not saying the other issues aren't real, but overhead is really unconvincing unless your network load balancer is a potato.
Re: (Score:2)
No, those are not good or valid reasons. I could leave my keys in my car so that I save time having to figure out where I left them, but it's not a good idea.
"Additional CPU" - you're completely uninformed. Yes, there's more CPU usage, no it's not significant. Caching? There are ways around that. The problem with people like you is that you're smart in some ways, and intensely ignorant in others. You can't entertain the possibility that you might be dead wrong. My suggestion to you would be to learn
Re: (Score:2)
I am actually sympathetic to the idea of an exemption for raw public data sets not for human consumption. Today the default is HTTP and you have to have a good reason to go HTTPS. The goal here is to flip the default and get people thinking in terms of HTTPS by default. There is always room for exceptions from the rule. A use case like this seems like a reasonable exception. But the risk here is that the purpose or scope of the site changes. Maybe next year they're hosting raw data sets about somethin
Re: (Score:3)
Fortunately, more informed parties [zdnet.com] disagree with you:
Re: (Score:2)
Static pages for a personal site work fine. Lack of SSL means heartbleed didn't touch my server.
Heartbleed is a data-disclosure vulnerability. If you're not using SSL and you purport to host only pages that contain no sensitive or private information whatsoever, then what would Heartbleed--if it affected you--even disclose?
Re: (Score:2)
It can only disclose information within the web server process. If you're serving static web pages, is there any security-relevant information about the server within that process?
Re: (Score:2)
I'd like people to be penalized for being irresponsible. Not using HTTPS is irresponsible.
According To The News (Score:5, Funny)
Re: (Score:2)
Knowing bureaucracy it may well be that The Man would have a harder time getting your info from The Man than from another source.
Re: (Score:2)
Statistically the man in the middle is most likely to be The Man.
Given the prevalence of open WiFi, I feel like the most likely attack vector would be an eavesdropper than MITM.
Government CIO using GitHub? (Score:4, Interesting)
Re: (Score:2)
Yes.
Join us:
https://www.whitehouse.gov/usd... [whitehouse.gov]
https://18f.gsa.gov/ [gsa.gov]
Superfish is unstoppable (Score:1)
Superfish says psshhh.. whatever.
That's pretty messed up (Score:3)
That's pretty messed up when the government itself is concerned about government spying...
They will all use SSL3 with RC4 (Score:4, Funny)
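The joke title above describes exactly the server configuration the proposal should rule out. As an added example (not code from the page, the proposal, or any agency), here is how the two extremes look in Python's standard `ssl` module, with a small audit function that reports what a scanner would flag. No server is started and no certificate is loaded; the contexts are only constructed and inspected, so it runs offline. Whether the legacy context can actually negotiate RC4 or SSLv3 depends on the OpenSSL build underneath, which is why the audit looks at what the context would allow rather than at a live handshake.

```python
"""Weak versus hardened server-side TLS contexts, inspected offline.

Added example, not from the original thread.  The weakening applied in
legacy_context() is deliberate and only as strong as the local OpenSSL
permits (modern builds no longer ship RC4 or SSLv3 at all).
"""
import ssl

# Substrings whose presence in a negotiated cipher name a scanner would flag.
WEAK_TOKENS = ("RC4", "MD5", "NULL", "EXP", "DES", "RC2")


def legacy_context() -> ssl.SSLContext:
    """A 'whatever the library offers' setup: every protocol version and
    every cipher the build knows, client picks the suite, compression on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # TLS 1.0/1.1 (and SSLv3 if present)
    ctx.set_ciphers("ALL")  # everything except eNULL, RC4/3DES included if the build has them
    # Python sets these protections by default; clear them to model the old config.
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """TLS 1.2+ only, forward-secret AEAD suites, server chooses, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    # OP_NO_RENEGOTIATION needs OpenSSL >= 1.1.0h; skip it silently on older builds.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return the findings a TLS scanner would report for this context."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts protocol versions below TLS 1.2")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(tok in name for tok in WEAK_TOKENS):
            findings.append(f"offers weak cipher suite {name}")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    if not ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE:
        findings.append("client, not server, chooses the cipher suite")
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(f"{label}: {audit(ctx) or ['no findings']}")
```

The hardened context is the one to hand to `ssl.SSLSocket`/`wrap_socket` (after `load_cert_chain`); the audit is the check to run in CI so the configuration cannot quietly regress.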
No no no no no (Score:2)
Right now the various standards bodies are working on promoting end-to-end encryption.
There's many good reasons we can't presently adopt TLS for all communications, even for all websites: things like shared caches, fragmented support, and breakage of existing URLs that cannot change.
Encryption is, overall, a good idea. But when the government gets involved, it inevitably ends up promoting an obsolete technology since technology tends to run at 5^10 MPH (give or take).
Re: (Score:2)
If there are specific concerns you have with the memo as it applies to the federal agencies it's talking about, we'd love to get your feedback on how we can achieve these goals while minimizing the issues you allude to.
https://github.com/WhiteHouse/... [github.com]
This isn't about mandating HTTPS everywhere outside of government, and those agency sites that might perform worse due to losing intermediate caches can always implement the policy using existing CDNs to try and get the content as close to the user as possible
Re: (Score:2)
It's almost 0 government websites. Do you really think that there's any of those that don't have at least 1 form or login, even if only for employees? I doubt there's even one. Unsecured http is dying, and good riddance to it.
Re: (Score:2)
I couldn't find a login there, though it doesn't have any personal information or data on it. Just statistics and articles. But putting in your email to subscribe is in plaintext.
There's almost no reason to not default to HTTP for everything. There's no reason to not just encrypt it, even for static pages. No real benefit, but no real loss either.
Re: (Score:2)
They have a careers subpage. I would be willing to bet it's got a form or two, and that's *very* personal info. I would also be willing to bet there's internal pages hosted on that website with logins.
Besides that, HTTPS would protect what pages you're visiting (even if plaintext knowing you're going to pages on, say worker's comp benefits is private information) allowing packet sniffers to only know what server you're hitting and not the exact page.
Remember- its not always what's on the page, its the fac
Re: (Score:2)
They have a careers subpage. I would be willing to bet it's got a form or two, and that's *very* personal info.
http://www.nhtsa.gov/Jobs [nhtsa.gov] has no login at all I could see. Most sites like that will deep-link to https://www.usajobs.gov/ [usajobs.gov] which is secured-only. Seems to do pretty well at it today, but no reason to not turn on SSL for the sites with no personal information.
There's almost no reason to not default to HTTP for everything. There's no reason to not just encrypt it, even for static pages.
There is absolutely no reason to use HTTP for anything. Encrypting the connection costs very little, prevents you from having stupid mistakes by not encrypting things that need to be, and provides enhanced privacy to things you may not realize that person is sensitive on. There's no reason NOT to make HTTPS everywhere.
Yup, that's what I said. The only reason not to is if you have a very popular web site with only static content. SSL on that will drain resources for minimal gain.
Re: (Score:2)
For one standards, we can't even have browsers or site admins agree on a set of standards and stick to them. Compound that by HTTPS compliance in both the sites and then browsers. "Sorry my site only supports Brand X browser", Popup in browser "This site has a questionable security certificate".
Re: (Score:2)
There's no reason NOT to make HTTPS everywhere.
Sure there is: cost.
HTTPS is not free. You have to purchase a certificate for it to work. That certificate can cost more than the yearly hosting fee for your website, if you have some small, cheap website on a shared host for $3/month.
Why should you do this when there's no benefit whatsoever? Why should I care if the government can see that I'm reading some guy's home-made webpage about turtles or whatever?
Re: (Score:2)
www.nhtsa.gov uses an invalid security certificate.
The certificate is only valid for the following names: *.akamaihd.net , *.akamaihd-staging.net , a248.e.akamai.net , *.akamaized.net , *.akamaized-staging.net
(Error code: ssl_error_bad_cert_domain)
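The error quoted above is the browser's hostname check doing its job: the certificate Akamai presented lists only Akamai names in its subjectAltName, so `www.nhtsa.gov` is rejected even though the TLS handshake itself succeeded. As an added example (not code from the page or from NHTSA/Akamai), the function below reproduces that decision for a DNS name against a certificate's dNSName entries, following RFC 6125 section 6.4.3 as browsers apply it today: a wildcard is accepted only as the entire leftmost label, it stands for exactly one label, and it may not cover a whole public suffix. The SAN list is the one printed in the error text; everything else is constructed for the example.

```python
"""Browser-style hostname matching against certificate subjectAltName entries.

Added example, not from the original thread.  NHTSA_ERROR_SANS is the list
quoted in the ssl_error_bad_cert_domain message above; the hostnames used
at the bottom are constructed inputs.
"""
from typing import Iterable


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot only marks an FQDN.
    return name.lower().rstrip(".")


def _san_matches(san: str, host: str) -> bool:
    san, host = _normalize(san), _normalize(host)
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    # Only "*.rest" is honoured: a lone wildcard label at the far left.
    # Partial wildcards such as "w*.example.com" are treated as no match.
    if san_labels[0] != "*" or any("*" in lbl for lbl in san_labels[1:]):
        return False
    # Refuse wildcards that would span a whole suffix ("*.com", "*.net").
    if len(san_labels) < 3:
        return False
    # The wildcard matches exactly one label: "a.b.akamaihd.net" does not
    # match "*.akamaihd.net", and neither does "akamaihd.net" itself.
    if len(host_labels) != len(san_labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == san_labels[1:]


def hostname_matches(host: str, sans: Iterable[str]) -> bool:
    """True when any dNSName entry in `sans` covers `host`."""
    return any(_san_matches(san, host) for san in sans)


# The names from the error message quoted in the thread.
NHTSA_ERROR_SANS = [
    "*.akamaihd.net",
    "*.akamaihd-staging.net",
    "a248.e.akamai.net",
    "*.akamaized.net",
    "*.akamaized-staging.net",
]


def explain(host: str, sans: Iterable[str]) -> str:
    """Render the browser's verdict for `host` against the certificate's names."""
    sans = list(sans)
    if hostname_matches(host, sans):
        return f"{host}: certificate covers this name"
    return f"{host}: bad_cert_domain, certificate is only valid for " + ", ".join(sans)


if __name__ == "__main__":
    # Constructed hostnames exercising exact, wildcard and non-matching cases.
    for h in ("www.nhtsa.gov", "img.akamaihd.net", "a.b.akamaihd.net", "a248.e.akamai.net"):
        print(explain(h, NHTSA_ERROR_SANS))
```

The practical lesson from the CDN case is that turning HTTPS on is not only a server switch: the certificate served for a hostname must actually name that hostname, and a CDN edge needs to be provisioned with a certificate for the customer's domain, not its own.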
Re: (Score:2)
Au contraire - on government web sites where the content is public, the content should not be encrypted. That goes against all reason.
The only reason I see for this requirement is to make it easier to see who has accessed information where. With http and caching proxy servers it becomes a heck of a lot harder to trace users (which is also why Google hates http so much).
By all means, encrypt anything that is confidential or secret, but on public servers, nothing else.
Re:Only on some... (Score:4, Insightful)
Only if you're okay with a network-privileged attacker (someone on the wire--what HTTPS is designed to defend against) from:
* Recording what pages you're visiting
* Undetectably modifying the information presented on those pages
* Injecting their own advertising, browser-level tracking mechanism, or malware
There's a solid business case for HTTPS-encrypting static pages with minimal privacy risks, just because of the threat of having unauthorized parties (i.e., ISPs) inject their own advertising.
Re: (Score:2)
Adopting a solution which doesn't actually work isn't helping anyone, it's just creating more work, and more profit for bad actors, and imposing an unnecessary cost on everyone else.
Come up with a *real* solution and we'll consider it.
Re: (Score:1)
I wonder which donor sells cirts?
Is that slang for cocaine? If so, the Bush Crime Family is who you are looking for. They've forced more African Americans to take that than even the CIA! They are horrible people that have destroyed so much of this country. They hate us and want us to die.
Re: (Score:2)
Static sites without forms, uploads, or sign ins, do not have any security benefit.
First, lots of things are sensitive. Would you want someone in the coffee shop watching you browse the NIH website for sexually transmitted diseases? It would be hideously expensive for each government agency to classify each and every URL as "OK for snooping" or "visitors probably want privacy", certainly several orders of magnitude harder and costlier than just saying that everything is sensitive and treating it accordingly.
Second, what's your requirement for not having the security benefit? Given that
Re:Only on some... (Score:4, Informative)
Second, what's your requirement for not having the security benefit? Given that certs are about $10 a year and require negligible resources, what is your compelling reason for not having encryption by default?
Doesn't the government have its own CA? The cost to cut a cert should be less than $0.04. I know this because I've set up a real CA and $0.04 per cert included the costs of the operations along with the profit. The actual computing cost is negligible. The costs are the premises and pay for employees, spread out across all the certs they cut.
Re:Only on some... (Score:4, Insightful)
Heck the govn't has its own TLD and doesn't even use it for all of their hostnames...
Quick - where is the "official" place to get your free annual credit report? Is it freeannualreport.com or freeannualcreditreport.com or what? Wouldn't it be nice if it were creditreport.ftc.gov ? I (and most other slashdot users who get a little paranoid about this type of thing) simply go to the FTC site and follow the link from there, but having it on a .gov domain would let me know for sure some squatter didn't get ahold of it...
Re: (Score:2)
Uh, no.
Remember it's not just someone else seeing the data you view or send to the server, it's also about the data that the server sends you.
Let's say you go to the census website. Is the PDF you are about to download really from their site, or has a MITM attack replaced the data with a file that contains an exploit? Included a javascript with malicious code? Or just made the site display incorrect information?
Data from HTTPS sites is both encrypted and authenticated as coming from someone who has a vali
Re: (Score:2)
Not entirely true. I can't do much about you knowing I connected to www.dol.gov, but TLS would prevent you from knowing if I was researching whistle-blower laws or just after some employment statistics to make a decision about what sectors to invest my 401K in.
Even for just viewing mostly static content TLS does afford some privacy which may be important in some situations. I will concede though that compared to most other threats to online communications this is probably of least concern.
Re: (Score:1)
Nothing. This is for appearances.
Re: (Score:3)
It stops third parties from reading or modifying (including replacing entirely) the data in transit between the server and client. (For a certain value of "stops".)
Re: (Score:2)
Only governments are really in a position to mount a credible MITM against your communications with said governments, so it's good advice. It will help protect you against information leakage to anyone other than your government, who presumably either has all the relevant information on you already, or is in the process of getting it when you are using these HTTPS connections
Re: (Score:3)
you are 1000% wrong.
here's why: corporate america and windows or mac pre-installs by corp IT.
yes, they install their own fake certs. did you know that?
and did you know that when you get a lock icon on your browser, that you are authenticating with the firewall at your company and NOT the end IP ??
companies have been doing this for about 10 yrs. I interviewed at a company (yes, bluecoat..) a long time ago and they told me straight out that their software does (did) that and that they were proud of how they
Re: (Score:3)
The question isn't whether you're paranoid, it's whether you're paranoid enough. Why would you be doing your personal stuff at work if you cared about privacy?
Re: (Score:2)
First off, they are not fake certs, they are just issued by the company's internal certificate authority.
Your corporate laptop does not belong to you. It was given to you to do the work the company pays you for, not for your personal banking or anything else. It isn't the least bit unreasonable for them to configure it how they choose with whatever certificate trusts they want. Again, it's not your computer; you can decide if you trust it/them with your personal stuff or not.
Additionally I can tell y
Re: (Score:2)
So you don't think that gov has resources to still MITM your traffic by using HTTPS?
No, I don't think it matters if the gov MITMs my traffic to a .gov site.
Re: (Score:2)
Indeed, from a server admin perspective, my server is safer if it only runs http. https/TLS is meant to prevent users that have access to the traffic from sniffing it, which is a different topic. I am not sure if the president is aware of this but hey, I hear plenty of things like that every day.
Re:Rules for some, or everyone? (Score:4, Informative)
I don't know. She should probably check the configurations of Jeb Bush's [cnn.com] and Rick Perry's [politicalwire.com] private email servers before making a decision.
Re: (Score:2)
Wow. Troll? So pointing out hypocrisy is trolling? LOL Slashdot.
Re: (Score:2)
Yeah - they are all the same. Blah.
I guess every time one party does something, we need to point out examples of the other party doing the same thing.
Additionally, the people complaining about the private servers are not Jeb Bush or Rick Perry (or at least, they are not leading the attack).
Re: (Score:2)
I guess every time one party does something, we need to point out examples of the other party doing the same thing.
Yes, so we remember that both sides are corrupt.
Additionally, the people complaining about the private servers are not Jeb Bush or Rick Perry (or at least, they are not leading the attack).
Actually both of those people did come out to attack Hillary and then afterwards had their own private email servers made public. So I see no problem with the fact that people are bringing to light their hypocrisy.
Re: (Score:2)
I already installed STARTTLS on Mrs. Clinton's mail server last week.
Re: (Score:2)
I'm going to guess that the proposal to adopt HTTPS for Federal websites does not apply to an individual's personal SMTP and IMAP servers, even if they're used for Federal business. Just a guess.
Her webmail did appear to use HTTPS.
Re: (Score:3)
How is it not a real cert? Qualys indicates the cert on the HTTPS site is issued by GoDaddy.