Whitehouse Mandates HTTPS For Government Sites and Services
Bismillah writes: As per orders from Tony Scott, the government CIO, all federal agencies with publicly accessible websites must provide service only through a secure HTTPS connection. "Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards," according to his memo. "This leaves Americans vulnerable to known threats, and may reduce their confidence in their government."
It's not like this is a new initiative, or that we didn't have dry runs a few years ago.
It's just a few recalcitrant holdouts being told: "Switch or Die".
-- Tigger warning: This post may contain tiggers! --
Why not require a .gov TLD as well?
Don't blame me, I voted for Kodos
Commanding the NSA to continue violating the Constitution and sucking up our data despite the Supreme Court's ruling that it is illegal. And this is the same gov't that wants to weaken encryption... yet they want to use it at the same time.
So, we'll keep locking people in rape cages for growing plants, pulling guns on unarmed teens and going through security theater in airports with a 90% detection failure rate... But finally I can do https://whitehouse.gov/ to vote on a bogus petition with no effect. My confidence is restored thusly.
--- Liberty in our Lifetime
MIGHT?!? ROTFLMAO that has got to be the funniest thing I've ever heard! Perhaps it should say "and may further reduce their confidence in their government." Captain Hindsight must be giving the US advice.
Does this mean https has the required government backdoors?
... and may reduce their confidence in their government.
I think we all have plenty of confidence, just not the kind they are looking for...
Rather than take the time to understand their perimeter and the data it exposes, they want to "protect" everything with HTTPS. Which probably doesn't make sense for static, non-interactive services.
This says a lot about their security program...
Since no browser trusts the DoD CA, this is just stupid.
Wait, I thought the government was trying to fight encryption, not require it.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
They continue to illegally spy on us, and yet they're worried about confidence in the government.
Just add the .gov and .mil top-level domains to HSTS preload lists. That'll close the code injection vector on port 80 before the redirect to HTTPS takes place. It also acts as a fire under all government sites - implement TLS or else HSTS browsers won't be able to access your site any further.
So the US government, which just argued that commercial organizations should offer less cyber-privacy, is now worried that it doesn't offer enough cyber-privacy.
No?
Then they should probably leave it unencrypted. They wouldn't want to be TOO blatant with their hypocrisy.
So it's okay for them to have encryption but perhaps not us.
"This leaves Americans vulnerable to known threats, and may reduce their confidence in their government."
Flipping the HTTPS switch on web sites that I'd never even touch does nothing to protect me from any known threats. Nuking the domestic peeping-tom programs from orbit, that will. Do that, and maybe then we'll talk about my lack of confidence in my sorry excuse for a government.
Meanwhile, the US government is trying to add known threats to HTTPS communications.
I fully expect this to be implemented with as much competence as the healthcare.gov rollout.
Encryption is only used by criminals. Only criminals want to hide what they do... for example HSBC (i.e. Money Launderers).
MAKE UP YOUR FUCKING MINDS!
Obama: Gov't Shouldn't Be Hampered By Encrypted Communications
http://yro.slashdot.org/story/...
FBI's James Comey: the Man Who Wants To Outlaw Encryption
http://yro.slashdot.org/story/...
Meanwhile ./ got their HTTPS sliced and DICED away.
As I post this, it's plain text HTTP.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
White House = home and office of the president.
Whitehouse = senator from Rhode Island.
Since both are involved in federal government, the space kinda matters.
There's no contradiction. The government is only opposed to encryption that stops them monitoring people. For example, they really don't mind if Facebook uses https, because they have several legal avenues* at their disposal to obtain private messages straight from Facebook. Encrypted government sites are no problem for the same reason. They would object to people using https to access sites hosted outside the US, or to end-to-end encryption software like Retroshare or OTR.
*Which run a wide spectrum of legitimacy, from the conventional directed warrant to super-secret 'give us everything and we were never here' national security letters.
Can they mandate that all of the services their departments offer for employees for work play nice with the latest version of Java within X number of days after a new Java release? Can they mandate that their training stuff not use Flash, Silverlight, or some other non-standard garbage that causes issues for non-Windows users? Dumping Oracle Forms for a bunch of their purchasing systems would be swell, too. Switching VPN providers three times in two years, as well as a revolving door of AV clients is also kind of a drag, as is having several pieces of tech ram-rodded down our throats in emergency fashion, but never used again...The digital signature pad comes to mind.
Cheers,
One very annoyed Federal "IT Specialist"
How interesting. How does my browser hide the initial certificate request, um, from the ISP and every other nosy hop? (obviously the prior DNS request is done using anonymous encrypted pigeons). Is there a show on Discovery Channel that could explain it in terms I could understand? Thanks.
Oh - one other thing... this will make DNSSEC redundant right - 'cause the HTTPS certificate will guarantee the site is not being spoofed(??). Brilliant stuff. I'll sleep better knowing the internets are safe at last/again.
MAKE UP YOUR FUCKING MINDS!
They have made up their minds if you read the links. The government is adamant they want everyone to use encryption and every encryption to have a back door. They are being quite consistent with their demands.
Next week, some Luddite will complain that HTTPS aids Al Qaida and Daesh.
A hostname/IP is not a URL. It is part of a URL, but there is more information in a URL and the entirety of the URL is not viewable as the original poster claimed.
Your browser and the server do certificate exchange before your browser requests the page on the server you're interested in.
In other words, while using https you can see via hostname/IP that I went to www.google.com however you can NOT see if I requested the main page at "/" or sent a query such as "/?q=goat+porn" or any other information after the protocol/hostname/port portion of the URL.
As to making DNSSEC redundant - perhaps if your internet experience consists of nothing but website browsing, although personally even then I wouldn't turn down the extra protection just in case of future attacks that lack of DNSSEC might enable.
But to look up an IP from a host for say email, or ssh, or something - nothing within the https protocol will provide additional protection against spoofing so we still have a need for DNSSEC.
HTTPS in the case of Superfish would help how exactly?
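The reply above about what an observer on the path can and cannot see, and the Superfish question that follows it, can be put in code. The classifier below is an example added to this thread, not from any poster or project; it applies the standard HTTPS behaviour the reply describes (host visible via the DNS lookup and the TLS SNI field, path and query inside the tunnel, fragment never sent at all) and adds a flag for the Superfish case, where a trusted interception CA on the client means the "encrypted" request is readable by the interceptor. The URLs under the reserved .example TLD are constructed.

```python
"""Classify the parts of a URL by who can see them when it is fetched.

observer_sees        - visible to anyone on the network path (ISP, hotspot)
hidden_from_observer - carried only inside the TLS tunnel
never_leaves_browser - the fragment, which is not sent to the server at all

Example code added for this discussion. interception_ca_trusted models a
Superfish-style root CA installed on the client: the TLS session terminates
at the interceptor, so nothing in the request is hidden from it."""

from urllib.parse import urlsplit


def exposure(url: str, interception_ca_trusted: bool = False) -> dict:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http and https URLs are classified")
    if not parts.hostname:
        raise ValueError("URL has no host")

    # Explicit port if given, else the scheme default; the port is in the TCP header.
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)

    # Hostname leaks through the plaintext DNS query and the TLS SNI extension,
    # so it is observable even on HTTPS.
    observer = {"host": parts.hostname, "port": port}
    request = {"path": parts.path or "/", "query": parts.query}

    tunnelled = parts.scheme == "https" and not interception_ca_trusted
    if tunnelled:
        hidden = request
    else:
        # Plain HTTP, or HTTPS terminated by an interception CA: the request line
        # (method, path, query) is readable by the observer.
        observer.update(request)
        hidden = {}

    return {
        "observer_sees": observer,
        "hidden_from_observer": hidden,
        "never_leaves_browser": parts.fragment,
    }


if __name__ == "__main__":
    # Constructed sample URLs under the reserved .example TLD.
    for u, intercepted in (
        ("https://agency.example/search?q=budget#top", False),
        ("http://agency.example/search?q=budget", False),
        ("https://agency.example/search?q=budget", True),
    ):
        print(u, "intercepted" if intercepted else "", exposure(u, intercepted))
```

The same host-visibility rule is why the DNSSEC question in the thread is a separate matter: HTTPS authenticates the server the browser reaches, but the name lookup that chose that server is still in the clear and unsigned unless DNSSEC (or an encrypted resolver) is used.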
Let's hope they are a little more thorough than whoever was responsible for making sure Secretary Clinton only used the State Department email system for official communications.
Gamingmuseum.com: Give your 3D accelerator a rest.
It's kind of like 'cop cameras': they want the cops to have cameras (to provide evidence when it will support them; and refuse to show any video to the public), but they don't want Citizens to have cameras because Citizens will show the video to the public without any controls.
For what REAL reason is he emphasizing the use of HTTPS on Government sites? It doesn't make sense.
The primary effect of this message will not be to increase the security of Government sites, as they are probably well secured already. This is a public propaganda message with 50% certainty, way more probable than any benevolent act should be.
If you have never heard of INDOCTRINATION before, let me give you a short definition. Indoctrination is the intentional promotion of false beliefs by exploiting social propagation, needs, domestic opinions or other effective methods.
Breaking this down:
1. MESSAGE: "The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS)."
This sentence is the main point of the memorandum. Let's take a closer look at what it says.
STRONG PROTECTION - PUBLIC WEB - PRIVACY INTEGRITY - HTTPS
None of these are related. HTTPS does not protect and is not "strong", it is simply a protocol for hypertext application-level communication, with support for different kinds of application-level certificate encryption. Neither does HTTPS help you with your privacy or your integrity except when using wireless hotspots etc., and it has no relevance to the security of government sites.
2. BASIS: "The American people expect government websites to be secure and their interactions with those websites to be private."
There is a need for security. People want to feel safe. This can be abused.
3. REINFORCEMENT: "All browsing activity should be considered private and sensitive." is one of the few bolded sentences in the text.
This message reassures you that everything is in order and that this is all meant to increase your safety.
Conclusion:
The text is written in such a way that the breakdown concludes the existence of a FALSE MESSAGE, an EXPLOITABLE BASIS and a REINFORCING CLARIFICATION. As this constitutes indoctrination, let's analyze the effects and the intent of the message.
The effects of this new policy to mandate HTTPS for government sites and services will lead to full-scale implementation of HTTPS on government sites and services by the end of 2016. When this is completed, HTTPS will be forced on all government sites for all visitors and security is thus emphasized.
Everyone knows government encryption is the most secure, they wouldn't use it otherwise. In the end, they've "protected" something that didn't need further security from the very start. Nobody would question this by the time HTTPS-only with HSTS is fully implemented. The very act of wide-scale implementation is further reinforcing the need for security, and the government thinks HTTPS is the Way.
So what are the likely real reasons for the intended effects of this act that we just discovered? I don't know, but if I can speculate, the NSA has found and wants to exploit a weakness in HTTPS or any encryption/certificate variant.
But it would be nearly impossible for them to do so secretly. Many people outside the NSA would know, people would talk. Which greatly annoys and complicates the NSA's work.
They've made up their minds. It's a different set of rules for you than it is for them.
Government spying and lawbreaking is GOOD.
Citizen spying and lawbreaking is BAD.
Stay tuned for updates!
It's going to take a hell of a lot more than HTTPS to restore my confidence in my government.