White House Proposal Urges All Federal Websites To Adopt HTTPS
blottsie writes: In an effort to close security gaps that have resulted in multiple security breaches of government servers, the Obama administration on Tuesday introduced a proposal to require all publicly accessible federal websites to use the HTTPS encryption standard. "The majority of federal websites use HTTP as the primary protocol to communicate over the public Internet," reads the proposal on the website of the U.S. Chief Information Officer. "Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services."
It hurts right in the NSA
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
we should all use pass words, too.
It's almost 0 government websites. Do you really think that there's any of those that don't have at least 1 form or login, even if only for employees? I doubt there's even one. Unsecured HTTP is dying, and good riddance to it.
I still have more fans than freaks. WTF is wrong with you people?
Nothing. This for appearances.
You mean to say they don't currently?
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
In the wake of the Obama Administration encouraging use of HTTPS, Ted Cruz was reported as saying that encryption was a government conspiracy to deprive godfearing Americans of their privacy.
OpenSSL's full of holes & the rest are questionable http://www.theregister.co.uk/2...
It's not a bad idea to run HTTPS. It makes it inconvenient to hack connections and makes people work for it. But I found this quote to be amazingly ironic: "Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services."
Does that go for Hillary's server too, or is it optional for people who hold high office?
an ill wind that blows no good
There's virtually no excuse to be running a website without SSL. It doesn't matter what kind of site you run. It should really be law that all sites on the internet move to SSL.
BeauHD. Worst editor since kdawson.
Leave it to some slashbot to argue against HTTPS.
? which donor sells cirts?
What's a cirt? Is that another Bush Crime Family scam? What are they up to this time? Is this something that will hurt minorities?
Only if you're okay with a network-privileged attacker (someone on the wire, which is what HTTPS is designed to defend against) doing any of the following:
* Recording what pages you're visiting
* Undetectably modifying the information presented on those pages
* Injecting their own advertising, browser-level tracking mechanism, or malware
There's a solid business case for HTTPS-encrypting static pages with minimal privacy risks, just because of the threat of having unauthorized parties (i.e., ISPs) inject their own advertising.
It stops third parties from reading or modifying (including replacing entirely) the data in transit between the server and client. (For a certain value of "stops".)
Statistically the man in the middle is most likely to be The Man. If you're talking to The Man, he doesn't even need to be in the middle, but he probably will be anyway. If you're a government employee using one of those, you'll be The Man, talking to The Man while being spied on by The Man! Delicious!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I wonder which donor sells cirts?
Is that slang for cocaine? If so, the Bush Crime Family is who you are looking for. They've forced more African Americans to take that than even the CIA! They are horrible people that have destroyed so much of this country. They hate us and want us to die.
Only governments are really in a position to mount a credible MITM against your communications with said governments, so it's good advice. It will help protect you against information leakage to anyone other than your government, who presumably either has all the relevant information on you already, or is in the process of getting it when you are using these HTTPS connections
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
http://www.nhtsa.gov/
I couldn't find a login there, though it doesn't have any personal information or data on it. Just statistics and articles. But putting in your email to subscribe is in plaintext.
There's almost no reason to not default to HTTP for everything. There's no reason to not just encrypt it, even for static pages. No real benefit, but no real loss either.
Learn to love Alaska
Interestingly the "edit this page" link on the CIO page (linked in the article) takes you to GitHub. Is our government actually taking advantage of existing services instead of wasting all kinds of money developing their own content management system? Maybe there is hope.
They have a careers subpage. I would be willing to bet it's got a form or two, and that's *very* personal info. I would also be willing to bet there are internal pages hosted on that website with logins.
Besides that, HTTPS would protect what pages you're visiting (even if plaintext knowing you're going to pages on, say worker's comp benefits is private information) allowing packet sniffers to only know what server you're hitting and not the exact page.
Remember, it's not always what's on the page, it's the fact you went to a specific page too.
There is absolutely no reason to use HTTP for anything. Encrypting the connection costs very little, prevents you from having stupid mistakes by not encrypting things that need to be, and provides enhanced privacy to things you may not realize that person is sensitive on. There's no reason NOT to make HTTPS everywhere.
I still have more fans than freaks. WTF is wrong with you people?
Static sites without forms, uploads, or sign ins, do not have any security benefit.
First, lots of things are sensitive. Would you want someone in the coffee shop watching you browse the NIH website for sexually transmitted diseases? It would be hideously expensive for each government agency to classify each and every URL as "OK for snooping" or "visitors probably want privacy", certainly several orders of magnitude harder and costlier than just saying that everything is sensitive and treating it accordingly.
Second, what's your requirement for not having the security benefit? Given that certs are about $10 a year and require negligible resources, what is your compelling reason for not having encryption by default?
Third, there's a real and enormous benefit to having everything encrypted. If encryption is only applied to critical things, then the presence of encryption is a red flag that something is critical. When it's the normal, boring default mode and everything is encrypted, its presence is no longer an indicator that something sensitive is taking place.
Dewey, what part of this looks like authorities should be involved?
Superfish says psshhh.. whatever.
Second, what's your requirement for not having the security benefit? Given that certs are about $10 a year and require negligible resources, what is your compelling reason for not having encryption by default?
Doesn't the government have its own CA? The cost to cut a cert should be less than $0.04. I know this because I've set up a real CA and $0.04 per cert included the costs of the operations along with the profit. The actual computing cost is negligible. The costs are the premises and pay for employees, spread out across all the certs they cut.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
you are 1000% wrong.
here's why: corporate america and windows or mac pre-installs by corp IT.
yes, they install their own fake certs. did you know that?
and did you know that when you get a lock icon on your browser, that you are authenticating with the firewall at your company and NOT the end IP ??
companies have been doing this for about 10 yrs. I interviewed at a company (yes, bluecoat..) a long time ago and they told me straight out that their software does (did) that and that they were proud of how they could pull the wool over corp citizens' eyes! ;( (no I did not take that job. it depressed me to think they took glee in such things).
almost every networking company is into data interception (calea or whatever). but you have to be more careful about what you do with corp built laptops! that's the #1 offender.
forget the gov. there are plenty of corp america whores who will do whatever their big bosses say, and if that means preinstalling fake certs, they'll do it. anyone who says no loses their job.
welcome to america. your right to privacy is zero while at work, and we're all working to make sure it stays zero, even when you leave work. sigh ;( ;( ;(
--
"It is now safe to switch off your computer."
..recently. I think with the government planning to adopt it, it may finally get the widespread visibility to catch on amongst even non-governmental websites.
Exciting times we live in!!!
That's pretty messed up when the government itself is concerned about government spying...
I do not fail; I succeed at finding out what does not work.
Heck the govn't has its own TLD and doesn't even use it for all of their hostnames...
Quick - where is the "official" place to get your free annual credit report? Is it freeannualreport.com or freeannualcreditreport.com or what? Wouldn't it be nice if it were creditreport.ftc.gov ? I (and most other slashdot users who get a little paranoid about this type of thing) simply go to the FTC site and follow the link from there, but having it on a .gov domain would let me know for sure some squatter didn't get ahold of it...
Don't blame me, I voted for Kodos
www.nhtsa.gov uses an invalid security certificate.
The certificate is only valid for the following names: *.akamaihd.net , *.akamaihd-staging.net , a248.e.akamai.net , *.akamaized.net , *.akamaized-staging.net
(Error code: ssl_error_bad_cert_domain)
When you're dead, you don't know you're dead. It only affects the people around you. Same thing when you're stupid.
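The browser error quoted above is the hostname check that runs after the TLS handshake: the requested name is compared against the certificate's subjectAltName entries, and a CDN edge answering with its own wildcard certificate fails it. The following is an added example, not code from the thread or from any browser, modelling that comparison with the RFC 6125 wildcard rules (a bare "*" may stand only for the whole leftmost label and never spans a dot). The SAN list is the one quoted in the comment; the other hostnames checked are constructed for illustration.

```python
"""Certificate-name matching, the check behind "ssl_error_bad_cert_domain".

Added example, not code from the thread or from any browser. It models the
subjectAltName comparison a client performs after the handshake: the requested
hostname must match one dNSName entry, and wildcards count only as the whole
leftmost label and never span a dot (RFC 6125 section 6.4.3, which browsers
follow). The SAN list below is the one quoted in the comment above (an Akamai
edge certificate); the hostnames checked are constructed for illustration.
"""

AKAMAI_SANS = [
    "*.akamaihd.net",
    "*.akamaihd-staging.net",
    "a248.e.akamai.net",
    "*.akamaized.net",
    "*.akamaized-staging.net",
]


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one dNSName pattern from a certificate covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" in pattern:
        # Only a bare "*" as the leftmost label is accepted; "f*o.example.com",
        # "a.*.example.com" and too-broad patterns such as "*.gov" are rejected.
        if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]) or len(p_labels) < 3:
            return False
    if len(p_labels) != len(h_labels):
        # The wildcard stands for exactly one label, so *.akamaihd.net does not
        # cover a.b.akamaihd.net, nor the bare akamaihd.net.
        return False
    return all(p == h or (p == "*" and h != "") for p, h in zip(p_labels, h_labels))


def cert_covers(hostname: str, sans: list) -> bool:
    """True if any SAN entry covers hostname, i.e. the browser would accept it."""
    return any(name_matches(san, hostname) for san in sans)


def explain(hostname: str, sans: list) -> str:
    """Produce the kind of message a browser shows when no SAN entry matches."""
    if cert_covers(hostname, sans):
        return f"{hostname}: certificate name matches"
    return (f"{hostname} uses an invalid security certificate. "
            f"The certificate is only valid for: {', '.join(sans)}")


if __name__ == "__main__":
    # Why the error in the comment above occurs: the CDN answered with its own
    # wildcard certificate, and www.nhtsa.gov matches none of those names.
    print(explain("www.nhtsa.gov", AKAMAI_SANS))
    print(explain("a123.akamaihd.net", AKAMAI_SANS))
```

The practical fix for a site fronted by a CDN is to have the CDN present a certificate that actually carries the customer hostname (or a wildcard for it), not to click through the warning; the check above is exactly what a user would be overriding.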
They have a careers subpage. I would be willing to bet its got a form or two, and that's *very* personal info.
http://www.nhtsa.gov/Jobs has no login at all I could see. Most sites like that will deep-link to https://www.usajobs.gov/ which is secured-only. Seems to do pretty well at it today, but no reason to not turn on SSL for the sites with no personal information.
There's almost no reason to not default to HTTP for everything. There's no reason to not just encrypt it, even for static pages.
There is absolutely no reason to use HTTP for anything. Encrypting the connection costs very little, prevents you from having stupid mistakes by not encrypting things that need to be, and provides enhanced privacy to things you may not realize that person is sensitive on. There's no reason NOT to make HTTPS everywhere.
Yup, that's what I said. The only reason not to is if you have a very popular web site with only static content. SSL on that will drain resources for minimal gain.
Learn to love Alaska
And the websites will require internet explorer.
The question isn't whether you're paranoid, it's whether you're paranoid enough. Why would you be doing your personal stuff at work if you cared about privacy?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Would this apply to Clinton's home email server? They couldn't even bother getting a real cert; or turning off the web admin stuff.
If it's a popular site then the web servers are behind a load balancer which will offload SSL from the servers. As a result you will have dedicated hardware handling encrypted communication as opposed to the servers themselves needing to terminate SSL. The drain on modern load balancers is so small as to be within any margin.
There is exceedingly little reason not to just encrypt everything these days. It's a safe default and sets a good example for other organizations. Imagine if we had a government that actually lead by example? That would be amazing
The government doesn't provide credit reports. The FTC site only links to the (non-government) credit reporting site, annualcreditreport.com. Since that is not a government site, why would you want it to be under the .gov domain?
Uh, no.
Remember it's not just someone else seeing the data you view or send to the server, it's also about the data that the server sends you.
Let's say you go to the census website. Is the PDF you are about to download really from their site, or has a MITM attack replaced the data with a file that contains an exploit? Included JavaScript with malicious code? Or just made the site display incorrect information?
Data from HTTPS sites is both encrypted and authenticated as coming from someone who has a valid cert for that website, and is very unlikely to have been altered by your ISP to include ads, for example.
> There's a solid business case for HTTPS-encrypting static pages with minimal privacy risks,
Except, of course, that there have already been stolen root authorities and thus HTTPS signatures can be easily faked for man-in-the-middle monitoring. And especially since Lenovo decided to insert their own root authority without warning anyone, the Chinese government can now insert man-in-the-middle monitoring on every Lenovo laptop they can get router access adjacent to.
Oh, I'm sorry, did you think that HTTPS actually *authenticated* anything? I mean, for gods' sake, do you actually *trust* Digicert and Godaddy to not sign fake certificates when presented with ridiculous "Patriot Act" warrant-free requests to cooperate, or else?
Yes, there is tough competition to analyze which service is better for us. But we have to check and move to HTTPS. This process will improve our website too.
Right now the various standards bodies are working on promoting end-to-end encryption.
There's many good reasons we can't presently adopt TLS for all communications, even for all websites: things like shared caches, fragmented support, and breakage of existing URLs that cannot change.
Encryption is, overall, a good idea. But when the government gets involved, it inevitably ends up promoting an obsolete technology since technology tends to run at 5^10 MPH (give or take).
Wonder what the public key field is for?
A lot of those built on a budget use something like Squid as the reverse proxy/load balancer. SSL on that will destroy your performance. Sure, if you bought $1,000,000 of F5 for your RP/LB, you could turn on SSL and not lose much. But then you probably way over-paid when you bought them in the first place. And hope you didn't buy an actual load balancer. Brocade ServerIron (or whatever they are calling their acquisitions from Foundry) is the best bang for the buck for performance for load balancing. About 1/100th the price of F5, but no features. You can't turn on SSL on the Brocade.
So yes, you could turn on SSL on your RP/LB, but only if you bought the wrong thing or way overpaid.
Learn to love Alaska
All of the above are valid concerns, which cannot (and should not) be ignored.
But what do you actually propose, then? That we do not use HTTPS (and SSL in general) at all? What is your suggestion of a feasible improvement to the current situation? Do you have any?
Pointing out the problem(s) is easy.
"Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services."
MS, ALS, Aphasia ? http://globability.org - Me http://einarpetersen.com
Corollary
https://www.schneier.com/blog/archives/2015/02/everyone_wants_.html
F*ck them sideways, twice, if they are recommending this yet still haven't pardoned Snowden.
Not entirely true. I can't do much about you knowing I connected to www.dol.gov, but TLS would prevent you from knowing whether I was researching whistle-blower laws or just after some employment statistics to make a decision about what sectors to invest my 401K in.
Even for just viewing mostly static content TLS does afford some privacy which may be important in some situations. I will concede though that compared to most other threats to online communications this is probably of least concern.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
First off, they are not fake certs, they are just issued by the company's internal certificate authority.
Your corporate laptop does not belong to you. It was given to you to do the work the company pays you for, not for your personal banking or anything else. It isn't the least bit unreasonable for them to configure it how they choose with whatever certificate trusts they want. Again, it's not your computer; you can decide if you trust it/them with your personal stuff or not.
Additionally I can tell you outbound SSL interception is NECESSARY on corporate networks. In today's world of botnets and hacks you cannot claim to be doing due diligence to protect the company's trade secrets, financial data, IP assets, and all the PII of employees corporations handle if you just let everything go out the door in an opaque way, like, well, a firewall rule that says "hey 443 outbound anything goes". Seriously, if you still think this is an okay policy at a medium or large business and you have security responsibilities, you should be fired.
Contrary to what you may think your IT Security department has better things to do than spy on your facebook likes and drug prescriptions. They don't care and in most cases actively don't want to know. What they do want is to make sure your traffic gets a pass over their IDS signatures, custom rules to grab anything with internal document numbers, botnet detection algorithms, etc. They also want to track statistically unusual large outbound transfers and log that they occurred so there is some evidence and some kind of history of events can get put together after the fact if something does happen. They probably log request headers etc for the same reason, but I doubt very much anyone looks at them, except when a need for forensic investigation arises.
I can tell you, we never spied on our co-workers when I was managing a system similar to bluecoat. We only tested capabilities within our group (with full knowledge) to make sure things worked. We were open with the organization about the fact that we inspected outbound traffic. Any employee who opened the handbook or read the first paragraph of our acceptable use policy they had to sign as part of their hiring documents knew we had these capabilities.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
I operate government websites that serve physics data to the public.
HTTPS would require additional CPU for the SSL processing and bandwidth because it would make requests non-cacheable.
Not to mention that it would make the intrusion detection system attached to the router completely useless, so we'd lose a layer of security and it would make it more difficult to detect probing across the network and other 'slow' attacks. It would also prevent us from doing auditing after an exploit is known but before we've been able to get the mod_security rules in place or whatever other mitigation.
So yes, there are perfectly valid reasons to *not* be running HTTPS. I know you couched your message with 'virtually', but blindly applying 'best practices' or whatever other recommendations without understanding the implications will break systems. (And I have to file paperwork every year for every one of my web servers that doesn't comply with the CIS benchmarks.)
ps. 'there should be a law for that' is the absolute worst policy, as most people in the legislature aren't tech-savvy, and will just screw things up. I was actually against all of the Net Neutrality bills that were proposed because they'd have outlawed aggressive spam filtering (blocking 'legal' communications, and the CAN-SPAM act defined that some spam is legal). You need flexibility and speed in dealing with most issues, and laws don't do either well.
Build it, and they will come^Hplain.
Joe Biden is a square shooter. Joe Biden for 2016!
Although the points are valid, there is a small part of me that says public information about the government should indeed be public. I know that HTTPS does not mean that the information is not public, but it does add another barrier to getting that information and provides a stronger mechanism of tracking who is accessing said information since HTTPS is necessarily stateful. Furthermore the encryption does take some compute power, meaning that more servers are needed to handle the same load at the same performance.
There are plenty of reasons not to put everything on the web under https.
For one, standards: we can't even have browsers or site admins agree on a set of standards and stick to them. Compound that by HTTPS compliance in both the sites and then browsers. "Sorry my site only supports Brand X browser", popup in browser "This site has a questionable security certificate".
I am Bennett Haselton! I am Bennett Haselton!
I'm seeing this currently daily without everything being HTTPS.
I am Bennett Haselton! I am Bennett Haselton!
There's no reason NOT to make HTTPS everywhere.
Sure there is: cost.
HTTPS is not free. You have to purchase a certificate for it to work. That certificate can cost more than the yearly hosting fee for your website, if you have some small, cheap website on a shared host for $3/month.
Why should you do this when there's no benefit whatsoever? Why should I care if the government can see that I'm reading some guy's home-made webpage about turtles or whatever?
Adopting a solution which doesn't actually work isn't helping anyone, it's just creating more work, and more profit for bad actors, and imposing an unnecessary cost on everyone else.
Come up with a *real* solution and we'll consider it.
Hi oneiros27, please take a look at the open issues and provide your feedback at https://github.com/WhiteHouse/...
The "additional CPU" nowadays for SSL is fairly trivial. If you've done some experiments that demonstrate a meaningful performance impact, and you can quantify the costs of that, we'd LOVE your feedback so that we can help you mitigate that or convince you that the benefits are worth the costs. We'd like to see data here.
Likewise with the caching issue. The use of CDNs can mitigate some of the performance impact you're worried about. If you're working with a specific scientific project or experiment where you need to shuttle around a lot of data, and are presently using HTTP and HTTP caching solutions to implement that, I would propose there are better ways of efficient data distribution. Again, submit an issue at the link above about this and someone can work with you to talk about your situation.
The IDS problem can be solved by moving the SSL termination to the other side of your IDS. It's not necessary for the origin server to serve HTTPS. It can also be resolved by changing your approach to IDS to one that doesn't require inspection of the payload at a distance from where it's served.
We do see privacy incidents routinely due to someone thinking "gosh, I didn't expect that would be private" or "I forgot to move that to the https site". We also routinely see ISPs and governments inject ads and tracking mechanisms into HTTP responses. We are also just simply concerned about the privacy and safety of people that browse government web sites and by standardizing on HTTPS everywhere, it eliminates the need for these mistakes and oversights and ensures a minimum bar for privacy and data integrity. It also makes it super easy to be FISMA compliant without having to spend extra to lock down a particular feature or product.
Please raise your concerns with the link given above and let's chat.
So you don't think that gov has resources to still MITM your traffic by using HTTPS?
I am Bennett Haselton! I am Bennett Haselton!
Who's going to pay for the CDN? My data is growing at > 1TB/day, and I have no idea what's going to be of interest on any given day.
And as for CPU cost ... are you going to pay for the sysadmin time to migrate all of our services? Or any of the other solutions that you're proposing?
Our servers have been certified as 'low' risk for years, because we're specifically distributing data with *no* access restrictions. We've had to fight for our 'low' ... and then have to explain to the security auditors every three years that what they're testing for doesn't apply to us.
(we have one of the highest 'incident' rate for our location, because they consider every attempt at a hack to be a 'incident', even though we haven't had any successful hacks in years).
Oh ... and of our staff of 2.5 sysadmins for our department, dealing with security audits and such takes up > 0.5 FTE for about 6-9 months or so when the security plans are updated and the audits are occurring ... so it's not cheap.
No more unfunded mandates ... if this is important enough ... give us the funding and resources to do it. (which likely means hiring another sysadmin, and more hardware)
I'd go back to FTP before I went to HTTPS.
Build it, and they will come^Hplain.
Remember when Google switched GMail from HTTP to mandatory HTTPS back in 2010? You know what they had to do to cover the new TLS overhead in CPU, memory, and network bandwidth? Nothing. The biggest thing they did was patch OpenSSL to reduce memory per connection, and that patch has already been integrated upstream.
I'm not saying the other issues aren't real, but overhead is really unconvincing unless your network load balancer is a potato.
The road to tyranny has always been paved with claims of necessity.
No, those are not good or valid reasons. I could leave my keys in my car so that I save time having to figure out where I left them, but it's not a good idea.
"Additional CPU" - you're completely uninformed. Yes, there's more CPU usage, no it's not significant. Caching? There are ways around that. The problem with people like you is that you're smart in some ways, and intensely ignorant in others. You can't entertain the possibility that you might be dead wrong. My suggestion to you would be to learn how to do your job, or retire so someone who knows better can take it.
BeauHD. Worst editor since kdawson.
Who's going to pay for my car insurance? In 20 years I've never had an accident, why should I need to have insurance?
BeauHD. Worst editor since kdawson.
"I'm not saying the other issues aren't real, but overhead is really unconvincing unless your network load balancer is a potato."
Username considered extremely relevant for this topic.
Please follow up at https://github.com/WhiteHouse/.... We are keen to understand these issues and find solutions. We also do know a thing or two about web hosting and HTTPS.
Are you intentionally ignoring everything that he said?
He serves huge datasets, and has no need for authentication? Given that, what is the problem with not using HTTPS? Heck, even regular FTP would be fine for that...
Au contraire - on government web sites where the content is public, the content should not be encrypted. That goes against all reason.
The only reason I see for this requirement is to make it easier to see who has accessed information where. With http and caching proxy servers it becomes a heck of a lot harder to trace users (which is also why Google hates http so much).
By all means, encrypt anything that is confidential or secret, but on public servers, nothing else.
Not similar. OP curates data that is supposed to be freely available, so hacking in to get data is irrelevant (although it's probably easier to use the provided interface). There's other things hackers can do, but I don't see how they're made more difficult by using HTTPS.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
So you don't think that gov has resources to still MITM your traffic by using HTTPS?
No, I don't think it matters if the gov MITMs my traffic to a .gov site.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I am actually sympathetic to the idea of an exemption for raw public data sets not for human consumption. Today the default is HTTP and you have to have a good reason to go HTTPS. The goal here is to flip the default and get people thinking in terms of HTTPS by default. There is always room for exceptions from the rule. A use case like this seems like a reasonable exception. But the risk here is that the purpose or scope of the site changes. Maybe next year they're hosting raw data sets about something more politically charged, and a researcher in a country whose government doesn't like that kind of research could find herself with unwanted attention simply for accessing that public raw data set. Alternatively, someone decides to tamper with that data set in flight. Or someone decides to dual-purpose the site for some reason and serve content to people, forgetting that it isn't an HTTPS site, in which case we're where we are today.
It is only a risk on websites that receive information. Static sites without forms, uploads, or sign ins, do not have any security benefit. And that is a LOT of government websites. I wonder which donor sells cirts?
Not true. Since the URL is part of the encrypted data, with https an eavesdropper can know I'm visiting the site but cannot determine what pages I view. What pages I view on a government website is nobody's business.