Slashdot Mirror


White House Proposal Urges All Federal Websites To Adopt HTTPS

blottsie writes: In an effort to close security gaps that have resulted in multiple security breaches of government servers, the Obama administration on Tuesday introduced a proposal to require all publicly accessible federal websites to use the HTTPS encryption standard. "The majority of federal websites use HTTP as the primary protocol to communicate over the public Internet," reads the proposal on the website of the U.S. Chief Information Officer. "Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services."

27 of 155 comments

  1. Breaking news: Republicans against HTTPS by Pope Hagbard · · Score: 3, Funny

    In the wake of the Obama Administration encouraging use of HTTPS, Ted Cruz was reported as saying that encryption was a government conspiracy to deprive god-fearing Americans of their privacy.

  2. Interdasting... by grimmjeeper · · Score: 3, Insightful

    It's not a bad idea to run HTTPS. It makes it inconvenient to hack connections and makes people work for it. But I found this quote to be amazingly ironic: "Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services."

    1. Re:Interdasting... by techno-vampire · · Score: 4, Insightful

      Using https to transmit sensitive information is the same as remembering to lock your car. It's not perfect and it won't stop a determined attack, but it's enough to prevent casual intrusions. And, of course, if somebody does break the encryption there's no way they can claim that they didn't know that the transmission was private.

      --
      Good, inexpensive web hosting
    2. Re:Interdasting... by SuricouRaven · · Score: 2

      HTTPS doesn't make MITM attacks impossible, but it does make them much, much harder.

    3. Re:Interdasting... by blueg3 · · Score: 2

      I'm okay with reducing the man-in-the-middle attack surface to such a small group.

    4. Re:Interdasting... by mcl630 · · Score: 2

      While those things are possible, they are far from easy. Your garden variety script kiddie can't do that. Even far more skilled types would have to find a way to get malware onto your machine first, and have it go unnoticed. Realistically, only governments can pull off these attacks. While that means https isn't perfect, it's far better to be vulnerable to a few than vulnerable to everyone.

  3. Not just for government. by kuzb · · Score: 4, Insightful

    There's virtually no excuse to be running a website without SSL. It doesn't matter what kind of site you run. It should really be law that all sites on the internet move to SSL.

    --
    BeauHD. Worst editor since kdawson.
    1. Re:Not just for government. by Anonymous Coward · · Score: 2, Interesting

      The concept of only some information being private is broken.

    2. Re:Not just for government. by Just Some Guy · · Score: 2

      Fortunately, more informed parties disagree with you:

      HTTP/2 doesn't require you to use TLS (the standard form of SSL, the Web's encryption layer), but its higher performance makes using encryption easier, since it reduces the impact on how fast your site seems.

      In fact, many people believe that the only safe way to deploy the new protocol on the "open" Internet is to use encryption; Firefox and Chrome have said that they'll only support HTTP/2 using TLS.

      They have two reasons for this. One is that deploying a new version of HTTP across the Internet is hard, because a lot of "middleboxes" like proxies and firewalls assume that HTTP/1 won't ever change, and they can introduce interoperability and even security problems if they try to interpret a HTTP/2 connection.

      The other is that the Web is an increasingly dangerous place, and using more encryption is one way to mitigate a number of threats. By using HTTP/2 as a carrot for sites to use TLS, they're hoping that the overall security of the Web will improve.

      So stick with plaintext HTTP/1.0 as long as you want, but the rest of us are moving to secure-by-default.

      --
      Dewey, what part of this looks like authorities should be involved?
    3. Re:Not just for government. by TheGratefulNet · · Score: 2

      I spent MANY posts trying to convince one of the big electronics (diy style) forums to convert over to https and the admins there either don't get it or simply don't care. it's very sad ;(

      eevblog - we're WAITING for you to join the rest of the modern world by turning on https. many of us ask for it but you don't seem to care. I hope you care sooner rather than later.

      --
      "It is now safe to switch off your computer."
    4. Re:Not just for government. by TheGratefulNet · · Score: 2

      plus, once you run https, bad fuckers like comcast and verizon won't be able to INSERT ADS into your web stream!

      so, it's not just about privacy. it's also wanting to know that no data is modified en-route and that what you see IS what you got, and not some ISP modified stream that they THINK you wanted, instead.

      if you don't want the privacy argument, at least you (in general) should agree that https keeps your data stream from being modified on-the-fly by isps!

      --
      "It is now safe to switch off your computer."
    5. Re:Not just for government. by WuphonsReach · · Score: 2

      Multiple certificates (SNI) over a single SSL IP address/port is a mostly solved issue. The only outliers are:

      WinXP users still using Internet Explorer (Firefox/Chrome are workarounds), but WinXP is out of support for a year now -- so maybe you should stop pandering to them.

      Older versions of Android and iOS - we're talking really old versions (Android 2.x, iOS 3).

      Older versions of Windows IIS before 8.x - but Win2003 servers go out of support this coming year, so you should be migrating off.

      Two to three years ago, SNI was not well supported and not worth enabling, but things have changed enough that you should forge ahead.

      --
      Wolde you bothe eate your cake, and have your cake?
  4. Re:Rules for some, or everyone? by Lunix Nutcase · · Score: 3, Informative

    I don't know. She should probably check the configurations of Jeb Bush's and Rick Perry's private email servers before making a decision.

  5. Re:Only on some... by blueg3 · · Score: 3, Insightful

    Only if you're okay with a network-privileged attacker (someone on the wire--what HTTPS is designed to defend against) doing the following:
    * Recording what pages you're visiting
    * Undetectably modifying the information presented on those pages
    * Injecting their own advertising, browser-level tracking mechanism, or malware

    There's a solid business case for HTTPS-encrypting static pages with minimal privacy risks, just because of the threat of having unauthorized parties (i.e., ISPs) inject their own advertising.

  6. Re:I call bullshit ... by blueg3 · · Score: 2

    It stops third parties from reading or modifying (including replacing entirely) the data in transit between the server and client. (For a certain value of "stops".)

  7. According To The News by Greyfox · · Score: 4, Funny

    Statistically the man in the middle is most likely to be The Man. If you're talking to The Man, he doesn't even need to be in the middle, but he probably will be anyway. If you're a government employee using one of those, you'll be The Man, talking to The Man while being spied on by The Man! Delicious!

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  8. Re:Oh the irony! by MAXOMENOS · · Score: 2

    -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP v. NSA-1 mQINBFPOzTUBEADT1kIEMY1Ix+9DyNfGHE9HPjLSI/Ybnsn/bbx8cWmeAktoYjBS q29mJ0tchjyG8KP38vlkvfNYKn80985a/p7ZKupxOm1dDyAn5TZguDG2fEgCYxcB FxfMjGKLEFOS6hlPVh/3bm7xEvRuB5P/5Wdch9/UK11qLE3hlDlhnT1zq82Sk4G8 OWnH8BLA8XuRAdwAdri7U2OmNPqCld EZ CRACK Qk7tYi0Rwc55c65U4gGSuY qw3QzQ6X4TecFO/jUPBnnVb5YcYKxVw75PYF6NnKbbsnDYJoNg8bpEP2SVC0FWNK 2rKYsGsbcco2/ruJuQsThVcuH3l07cAKaSzt+eb5+FWWzsojbSeXwD8yZocfPvEL eaa0 NO SERIOUSLY EASY TO CRACK bD9PDX3C5gyPj78mzDlhytLTCsdtL1Uqgm DTbIqgDPQBEnGr9Ny2XlIQ6AjuyuahBDl+ElmLnz0jI9bjt0vgAUGjmCCp71aioo MXZALwVBsdQH3w2BHQ8wU9sYtMlBPBMZz++oIQthmJ+Gb6myvMZCQ34M9TfpIv5i utAK2xBP/XfBl5BMYl6xNUHOxGhtBj/Pbzcwu/+Sk3mKkC4E2+aUKEjyzs6rDdDs pT+2B4A1nNXLU1PA+AfabdLnlvm7lMgzr30Waejcz4FbSdwCX8oN9UabBQARAQAB tCVBbGFuIEVsaWFzZW4gPGVsaWFzZW5AbWluZHNwcmluZy5jb20+iQJBB pIPGkZxLOFm59msUf9mBqw7rJEs/EqhQ2w== =7DhM -----END PGP PUBLIC KEY BLOCK-----

  9. Government CIO using GitHub? by Nkwe · · Score: 3, Interesting

    Interestingly the "edit this page" link on the CIO page (linked in the article) takes you to GitHub. Is our government actually taking advantage of existing services instead of wasting all kinds of money developing their own content management system? Maybe there is hope.

  10. Re:Only on some... by TechyImmigrant · · Score: 3, Informative

    Second, what's your requirement for not having the security benefit? Given that certs are about $10 a year and require negligible resources, what is your compelling reason for not having encryption by default?

    Doesn't the government have its own CA? The cost to cut a cert should be less than $0.04. I know this because I've set up a real CA and $0.04 per cert included the costs of the operations along with the profit. The actual computing cost is negligible. The costs are the premises and pay for employees, spread out across all the certs they cut.


    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  11. Re:I call bullshit ... by TheGratefulNet · · Score: 2

    you are 1000% wrong.

    here's why: corporate america and windows or mac pre-installs by corp IT.

    yes, they install their own fake certs. did you know that?

    and did you know that when you get a lock icon on your browser, that you are authenticating with the firewall at your company and NOT the end IP ??

    companies have been doing this for about 10 yrs. I interviewed at a company (yes, bluecoat..) a long time ago and they told me straight out that their software does (did) that and that they were proud of how they could pull the wool over corp citizens' eyes! ;( (no I did not take that job. it depressed me to think they took glee in such things).

    almost every networking company is into data interception (calea or whatever). but you have to be more careful about what you do with corp built laptops! that's the #1 offender.

    forget the gov. there are many corp america whores who will do whatever their big bosses say, and if that means preinstalling fake certs, they'll do it. anyone who says no loses their job.

    welcome to america. your right to privacy is zero while at work, and we're all working to make sure it stays zero, even when you leave work. sigh ;( ;( ;(

    --
    "It is now safe to switch off your computer."
  12. Re:Rules for some, or everyone? by AK Marc · · Score: 2

    What about Yahoo, isn't that what Palin used as governor? http://en.wikipedia.org/wiki/S...

  13. That's pretty messed up by msobkow · · Score: 2

    That's pretty messed up when the government itself is concerned about government spying...

    --
    I do not fail; I succeed at finding out what does not work.
  14. Re:Only on some... by i.r.id10t · · Score: 3, Insightful

    Heck the govn't has its own TLD and doesn't even use it for all of their hostnames...

    Quick - where is the "official" place to get your free annual credit report? Is it freeannualreport.com or freeannualcreditreport.com or what? Wouldn't it be nice if it were creditreport.ftc.gov ? I (and most other slashdot users who get a little paranoid about this type of thing) simply go to the FTC site and follow the link from there, but having it on a .gov domain would let me know for sure some squatter didn't get ahold of it...

    --
    Don't blame me, I voted for Kodos
  15. They will all use SSL3 with RC4 by schwit1 · · Score: 3, Funny

    And the websites will require internet explorer.

  16. Re:I call bullshit ... by drinkypoo · · Score: 2

    The question isn't whether you're paranoid, it's whether you're paranoid enough. Why would you be doing your personal stuff at work if you cared about privacy?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  17. Re:Home email servers? by blueg3 · · Score: 2

    How is it not a real cert? Qualys indicates the cert on the HTTPS site is issued by GoDaddy.

  18. No excuse? BS. by oneiros27 · · Score: 2

    I operate government websites that serve physics data to the public.

    HTTPS would require additional CPU for the SSL processing and bandwidth because it would make requests non-cacheable.

    Not to mention that it would make the intrusion detection system attached to the router completely useless, so we'd lose a layer of security and it would make it more difficult to detect probing across the network and other 'slow' attacks. It would also prevent us from doing auditing after an exploit is known but before we've been able to get the mod_security rules in place or whatever other mitigation.

    So yes, there are perfectly valid reasons to *not* be running HTTPS. I know you couched your message with 'virtually', but blindly applying 'best practices' or whatever other recommendations without understanding what the implications are will break systems. (and I have to file paperwork every year for every one of my web servers that doesn't comply with the CIS benchmarks)

    ps. 'there should be a law for that' is the absolute worst policy, as most people in legislature aren't tech-savvy, and will just screw things up. I was actually against all of the Net Neutrality bills that were proposed because they'd have outlawed aggressive spam filtering (blocking 'legal' communications, and the CAN-SPAM act defined that some spam is legal). You need flexibility and speed in dealing with most issues, and laws don't do either well.

    --
    Build it, and they will come^Hplain.