Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Encryption Government The Internet United States

White House Proposal Urges All Federal Websites To Adopt HTTPS 155

blottsie writes: In an effort to close security gaps that have resulted in multiple security breaches of government servers, the Obama administration on Tuesday introduced a proposal to require all publicly accessible federal websites to use the HTTPS encryption standard. "The majority of federal websites use HTTP as the as primary protocol to communicate over the public Internet," reads the proposal on the website of the U.S. Chief Information Officer. "Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services."
This discussion has been archived. No new comments can be posted.

White House Proposal Urges All Federal Websites To Adopt HTTPS

Comments Filter:
  • Oh the irony! (Score:2, Interesting)

    It hurts right in the NSA

    • by Anonymous Coward

      Hold your horses. Have you seen the host key that they're supposed to use?

      • by MAXOMENOS ( 9802 )
        -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP v. NSA-1 mQINBFPOzTUBEADT1kIEMY1Ix+9DyNfGHE9HPjLSI/Ybnsn/bbx8cWmeAktoYjBS q29mJ0tchjyG8KP38vlkvfNYKn80985a/p7ZKupxOm1dDyAn5TZguDG2fEgCYxcB FxfMjGKLEFOS6hlPVh/3bm7xEvRuB5P/5Wdch9/UK11qLE3hlDlhnT1zq82Sk4G8 OWnH8BLA8XuRAdwAdri7U2OmNPqCld EZ CRACK Qk7tYi0Rwc55c65U4gGSuY qw3QzQ6X4TecFO/jUPBnnVb5YcYKxVw75PYF6NnKbbsnDYJoNg8bpEP2SVC0FWNK 2rKYsGsbcco2/ruJuQsThVcuH3l07cAKaSzt+eb5+FWWzsojbSeXwD8yZocfPvEL eaa0 NO SERIOUSLY EASY TO CRACK bD9PDX3C5gyPj78mzDlhytLTCsdtL1Uq
    • Why, they can just get it all with a freedom of information act request.
    • Given that Obama doesn't care about our privacy (he tells the NSA what to do), we can resonably conclude that https is broken.
  • You mean to say they don't currently?

    • Currently, I'm on http://it.slashdot.org/ [slashdot.org]

      They're doing the 90s Security Secret Sauce thing, where using encryption somehow means security. They don't have a threat model for this; they just said, "Oh, we get hacked sometimes! Turn on HTTPS!"

  • by Pope Hagbard ( 3897945 ) on Tuesday March 17, 2015 @05:59PM (#49279483) Journal

    In the wake of the Obama Administration encouraging use of HTTPS, Ted Cruz was reported as saying that encryption was a government conspiracy to deprive godfearing Americans of their privacy.

    • In the wake of the Obama Administration encouraging use of HTTPS, Ted Cruz was reported as saying that encryption was a government conspiracy to deprive godfearing Americans of their privacy.

      I'm sure there will be exceptions made for presidential candidates who prefer to run their own web severs from their homes, Hillary style....

    • If any 3 letter agencies have had their hands in it like other encryption projects it's probably safe to assume they have a method to make HTTPS sniffing decrypting a trivial exercise.

      Ask yourself what you would be more likely to transmit over an HTTPS connection aside from financial details.
  • Interdasting... (Score:4, Insightful)

    by grimmjeeper ( 2301232 ) on Tuesday March 17, 2015 @06:00PM (#49279493) Homepage
    It's not a bad idea to run HTTPS. It makes it inconvenient to hack connections and makes people work for it. But I found this quote to be amazingly ironic: "Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services."
    • Why try to break the encryption, when you can simply man in the middle the connection?

      • by blueg3 ( 192743 )

        If only there was some method of validating that party on the other end of a connection is the party you want to contact instead of a man in the middle.

        • So that must be why we never heard of man in the middle attacks ever happening in the wild right? It's not like people of been able to forge certificates, install proxy certificates to man in the middle of the traffic, etc. Yeah, that's just all science fiction.

          • HTTPS doesn't make MITM attacks impossible, but it does make them much, much harder.

          • by blueg3 ( 192743 )

            I'm okay with reducing the man-in-the-middle attack surface to such a small group.

          • by mcl630 ( 1839996 )

            While those things are possible, they are far from easy. Your garden variety script kiddie can't do that. Even far more skilled types would have to find a way to get malware onto your machine first, and have it go unnoticed. Realisticly, only governments can pull off these attacks. While that means https isn't perfect, it's far better to be vulnerable to a few than vulnerable to everyone.

            • Far from easy? I think Lenovo customers would like to have a word with you.

            • by AK Marc ( 707885 )
              Script kiddie can easily break your HTTP with a MITM. DNS hijacking, and other means, essentially undetectable when you are unencrypted. But encrypted, redirecting you won't help, unless you perform bad user actions. HTTPS will (in nearly all cases) report a problem if someone were to hijack your DNS or perform common MITM attacks.
      • If the stream is hardened go for the lame duck.

        The new source will be hackers once again taking over servers and serving up or injecting their own content.

        We still have admins around that can't properly implement a webserver let alone ensure HTTPS is setup properly.
    • Re:Interdasting... (Score:5, Insightful)

      by techno-vampire ( 666512 ) on Tuesday March 17, 2015 @06:18PM (#49279607) Homepage
      Using https to transmit sensitive information is the same as remembering to lock your car. It's not perfect and it won't stop a determined attack, but it's enough to prevent casual intrusions. And, of course, if somebody does break the encryption there's no way they can claim that they didn't know that the transmission was private.
    • by Fastolfe ( 1470 )

      FWIW, just because the NSA does something doesn't mean every other government employee or agency approves or is culturally aligned with that attitude. This effort represents a genuine push by a self-selected group that is privacy-conscious, interested in doing the technically right thing, and for the first time in a position within the government to actually start making the Right Thing reality. Interested in joining us?

      https://www.whitehouse.gov/usd... [whitehouse.gov]
      https://18f.gsa.gov/ [gsa.gov]

  • by kuzb ( 724081 ) on Tuesday March 17, 2015 @06:03PM (#49279513)

    There's virtually no excuse to be running a website without SSL. It doesn't matter what kind of site you run. It should really be law that all sites on the internet move to SSL.

    • It should really be law that all sites on the internet move to SSL.

      Yeah! Why won't the government finally get on our backs!

    • Yeah, and I hear that that OpenSSL library is super secure.

    • by Anonymous Coward

      Not all sites deal in private information.

      • Re: (Score:2, Interesting)

        by Anonymous Coward
        The concept of only some information being private is broken.
      • Not all sites deal in private information.

        Yes, they do. The information I transmit to the site in the form of an HTTP request is something I want to be private from prying eyes. I don't care if it's not anything particularly incriminating! It's just no one else's business but mine and that website.

        The things my mom texts me aren't sensitive - "Hi son! Here's a picture of my dog napping outside!" - but they're certainly private and I'd be pissed if I thought anyone was reading them. Every web request, every chat message, every email should be consid

        • plus, once you run https, bad fuckers like comcast and verizon won't be able to INSERT ADS into your web stream!

          so, its not just about privacy. its also wanting to know that no data is modified en-route and that what you see IS what you got, and not some ISP modified stream that they THINK you wanted, instead.

          if you don't want the privacy argument, at least you (in general) should agree that https keeps your data stream from being modified on-the-fly by isps!

      • by Fastolfe ( 1470 )

        Privacy is in the eye of the individual. Is the location of an AIDS clinic private information? No, but the fact that you're looking for that information could be intensely private. Is the location of a US embassy private? Job postings? Things we think of as non-private information here could get you detained or worse if your Internet connectivity is monitored by an oppressive government. We want the information on government web sites to be useful and for people to feel safe and comfortable accessing

    • by Anonymous Coward

      There's virtually no excuse to be running a website without SSL. It doesn't matter what kind of site you run.

      Tell that to the Slashdot developers. They clearly can't do Unicode correctly, what makes you think they are capable of implementing SSL correctly?

    • I spent MANY posts trying to convince one of the big electronics (diy style) forums to convert over to https and the admins there either dont get it or simply don't care. its very sad ;(

      eevblog - we're WAITING for you to join the rest of the modern world by turning on https. many of us ask for it but you don't seem to care. I hope you care sooner rather than later.

    • I'd also love to know how you'd propose to pass a law outlawing non-SSL sites worldwide.

      No, a far saner better approach is to make using SSL certificates both easy and inexpensive, so that it's a no-brainer for anyone administering a site to do. In fact, this is already starting to happen, but it's definitely not there yet.

    • Except that it's a massive cash grab, that some servers don't support the use of virtual domains over SSL, that those servers which do require single certificates signed to a *.something domain and those certificates can't be gotten for free, or are even cheap.

      Doesn't sound too bad except with the IPv4 space now exhausted there's a hell of a lot of virtual hosting going on online.

      If I'm wrong please someone correct me on this because I was using multiple subdomains in a virtual hosting scenario before I dec

      • Multiple certificates (SNI) over a single SSL IP address/port is a mostly solved issue. The only outliers are:

        WinXP users still using Internet Explorer (Firefox/Chrome are workarounds), but WinXP is out of support for a year now -- so maybe you should stop pandering to them.

        Older versions of Android and iOS - we're talking really old versions (Android 2.x, iOS 3).

        Older versions of Windows IIS before 8.x - but Win2003 servers go out of support this coming year, so you should be migrating off.

        Two to
    • > There's virtually no excuse to be running a website without SSL.

      SSL key authentication for distant sites taking many small transactions is expensive, slows the transmissionf of the critical information, and actually presents an electricity and cooling cost on both ends. For content that is GPG signed separately, such as a bulk webiste mirroring thousands of software packages and update packages, it can be quite burdensome.

    • I operate government websites that serve physics data to the public.

      HTTPS would require additional CPU for the SSL processing and bandwidth because it would make requests non-cacheable.

      Not to mention that it would make the intrusion detection system attached to the router completely useless, so we'd lose a layer of security and it would make it more difficult to detect probing across the network and other 'slow' attacks. It would also prevent us from doing auditing after an exploit is known but before we'v

      • by Fastolfe ( 1470 )

        Hi oneiros27, please take a look at the open issues and provide your feedback at https://github.com/WhiteHouse/... [github.com]

        The "additional CPU" nowadays for SSL is fairly trivial. If you've done some experiments that demonstrate a meaningful performance impact, and you can quantify the costs of that, we'd LOVE your feedback so that we can help you mitigate that or convince you that the benefits are worth the costs. We'd like to see data here.

        Likewise with the caching issue. The use of CDNs can mitigate some of th

        • Who's going to pay for the CDN? My data is growing at > 1TB/day, and I have no idea what's going to be of interest on any given day.

          And as for CPU cost ... are you going to pay for the sysadmin time to migrate all of our services? Or any of the other solutions that you're proposing?

          Our servers have been certified as 'low' risk for years, because we're specifically distributing data with *no* access restrictions. We've had to fight for our 'low' ... and then have to explain to the security auditors eve

          • by kuzb ( 724081 )

            Who's going to pay for my car insurance? In 20 years I've never had an accident, why should I need to have insurance?

            • Not similar. OP curates data that is supposed to be freely available, so hacking in to get data is irrelevant (although it's probably easier to use the provided interface). There's other things hackers can do, but I don't see how they're made more difficult by using HTTPS.

          • by Fastolfe ( 1470 )

            Please follow up at https://github.com/WhiteHouse/... [github.com]. We are keen to understand these issues and find solutions. We also do know a thing or two about web hosting and HTTPS.

      • Remember when Google switched GMail from HTTP to mandatory HTTPS back in 2010? You know what they had to do to cover the new TLS overhead in CPU, memory, and network bandwidth? Nothing [imperialviolet.org]. The biggest thing they did was patch OpenSSL to reduce memory per connection, and that patch has already been integrated upstream.

        I'm not saying the other issues aren't real, but overhead is really unconvincing unless your network load balancer is a potato.

      • by kuzb ( 724081 )

        No, those are not good or valid reasons. I could leave my keys in my car so that I save time having to figure out where I left them, but it's not a good idea.

        "Additional CPU" - you're completely uninformed. Yes, there's more CPU usage, no it's not significant. Caching? There are ways around that. The problem with people like you is that you're smart in some ways, and intensely ignorant in others. You can't entertain the possibility that you might be dead wrong. My suggestion to you would be to learn

  • by Greyfox ( 87712 ) on Tuesday March 17, 2015 @06:16PM (#49279599) Homepage Journal
    Statistically the man in the middle is most likely to be The Man. If you're talking to The Man, he doesn't even need to be in the middle, but he probably will be anyway. If you're a government employee using one of those, you'll be The Man, talking to The Man while being spied on by The Man! Delicious!
    • by Nethead ( 1563 )

      Knowing bureaucracy it may well be that The Man would have a harder time getting your info from The Man than from another source.

    • Statistically the man in the middle is most likely to be The Man.

      Given the prevalence of open WiFi, I feel like the most likely attack vector would be an eavesdropper than MITM.

  • by Nkwe ( 604125 ) on Tuesday March 17, 2015 @06:47PM (#49279767)
    Interestingly the "edit this page" link on the CIO page (linked in the article) takes you to GitHub. Is our government actually taking advantage of existing services instead of wasting all kinds of money developing their own content management system? Maybe there is hope.
  • Superfish says psshhh.. whatever.

  • by msobkow ( 48369 ) on Tuesday March 17, 2015 @07:37PM (#49280019) Homepage Journal

    That's pretty messed up when the government itself is concerned about government spying...

  • by schwit1 ( 797399 ) on Tuesday March 17, 2015 @08:12PM (#49280163)
    And the websites will require internet explorer.
  • Right now the various standards bodies are working on promoting end-to-end encryption.

    There's many good reasons we can't presently adopt TLS for all communications, even for all websites: things like shared caches, fragmented support, and breakage of existing URLs that cannot change.

    Encryption is, overall, a good idea. But when the government gets involved, it inevitably ends up promoting an obsolete technology since technology tends to run at 5^10 MPH (give or take).

    • by Fastolfe ( 1470 )

      If there are specific concerns you have with the memo as it applies to the federal agencies it's talking about, we'd love to get your feedback on how we can achieve these goals while minimizing the issues you allude to.

      https://github.com/WhiteHouse/... [github.com]

      This isn't about mandating HTTPS everywhere outside of government, and those agency sites that might perform worse due to losing intermediate caches can always implement the policy using existing CDNs to try and get the content as close to the user as possible

We are Microsoft. Unix is irrelevant. Openness is futile. Prepare to be assimilated.

Working...