Slashdot Mirror

← Back to Stories (view on slashdot.org)

Whitehouse Mandates HTTPS For Government Sites and Services

Posted by samzenpus on from the keeping-it-secure dept.

Bismillah writes: As per orders from Tony Scott, the government CIO, all federal agencies with publicly accessible websites must provide service only through a secure HTTPS connection. "Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards," according to his memo. "This leaves Americans vulnerable to known threats, and may reduce their confidence in their government."

71 of 111 comments (clear)

  1. Many are already using HTTPS and IPv6 by WillAffleckUW · · Score: 5, Informative

    It's not like this is a new initiative, or that we didn't have dry runs a few years ago.

    It's just a few recalcitrant holdouts being told: "Switch or Die".

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Many are already using HTTPS and IPv6 by Anonymous Coward · · Score: 1

      Yeah but now they are pushing to make encryption illegal--except when they do it, apparently.

    2. Re:Many are already using HTTPS and IPv6 by WillAffleckUW · · Score: 1

      Yeah but now they are pushing to make encryption illegal--except when they do it, apparently.

      The directive is for federal agencies.

      You can do whatever you want, so long as you're not contracting to the feds.

      --
      -- Tigger warning: This post may contain tiggers! --
    3. Re:Many are already using HTTPS and IPv6 by Zaelath · · Score: 1, Insightful

      OK, but explain to me why https://www.nasa.gov/ needs SSL/TLS at all, including the ongoing costs to maintain certificates and infrastructure, when it's a purely informational site?

      It's like insisting that posters of cars should be retrofitted with air-bags and collision detection.

    4. Re:Many are already using HTTPS and IPv6 by Anonymous Coward · · Score: 1

      1. to prevent MITM modifications, even if that is just your asshole ISP inserting "ads" into websites

      2. there is very little costs for certificates

      3. it has nothing to do with "retrofitting".

      Remember when they mandated DNSSEC? Did US government collapse? No? There you go.

    5. Re:Many are already using HTTPS and IPv6 by jellomizer · · Score: 1

      If HTTPS is so insecure, I would expect a lot more stories about a lot of our banking, medical and other forms of commerce being hacked via the https protocol. So far other then the SSL bug, the hacking was done mainly with insecure devices, easy passwords or inside jobs.

      Perhaps you are talking about other areas in https communication such as the insecure call to a site, or how the browser stores the info. Or the lack of verification of official certificate authorities

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:Many are already using HTTPS and IPv6 by Anonymous Coward · · Score: 2, Interesting

      Yes, I was referring to the way CAs work. The current trust model makes TLS/SSL connections susceptible to government sponsored MITM attacks. They can do it either by mandating the CAs to hand out their PKs or by hacking them without consequences like we've seen before. There is a single-point of failure in TLS/SSL authentication and that point has failed long ago.

    7. Re:Many are already using HTTPS and IPv6 by DeansOffice · · Score: 1

      I highly doubt they will as this is something the government SHOULD be doing and it's the Executive branch directing federal government agencies (that fall in the executive branch) to perform this action. It would be different if they issued an order forcing the state governments or private organizations to use HTTPS.

    8. Re: Many are already using HTTPS and IPv6 by ZeroWaiteState · · Score: 1

      I wish I could upvote an Anonymous Coward

  2. Require .gov TLD ? by i.r.id10t · · Score: 1

    Why not require a .gov TLD as well?

    --
    Don't blame me, I voted for Kodos
    1. Re:Require .gov TLD ? by WillAffleckUW · · Score: 1

      Because it also includes .mil

      --
      -- Tigger warning: This post may contain tiggers! --
    2. Re:Require .gov TLD ? by x0ra · · Score: 1

      and .edu, I'd guess.

    3. Re:Require .gov TLD ? by ShanghaiBill · · Score: 4, Informative

      and .edu, I'd guess.

      Those are almost all state, local, or private. But there are a few run by the feds, such as www.usma.edu and www.usna.edu, which default to vanilla http.

    4. Re:Require .gov TLD ? by WillAffleckUW · · Score: 2

      A big question for .edu is do research universities that get large amounts of funding have to go https as well.

      We know that this will apply to public-facing websites, so technically that would apply to a medical research hospital as part of a university (quite a few of those), but will it include small labs using fed grants as well? Presumably if external facing.

      A lot of such websites, like a crystallography beam website, are internal only, so they don't count, but it's not that big a deal. However, most of the certificates for those belong to the institutions themselves, and not the usual public grantors.

      --
      -- Tigger warning: This post may contain tiggers! --
    5. Re:Require .gov TLD ? by Obfuscant · · Score: 2

      A big question for .edu is do research universities that get large amounts of funding have to go https as well.

      Not because of this directive. Federal grants do not a federal agency create.

      We know that this will apply to public-facing websites, so technically that would apply to a medical research hospital as part of a university

      Public-facing federal websites. If you are a federally operated University, yes. Otherwise, no. USNA, USAFA, West Point, yes. UW, no.

    6. Re:Require .gov TLD ? by WillAffleckUW · · Score: 1

      A lot of UW stuff runs out of the VA facilities. However, the components of that are frequently cohosted.

      (caveat - we already do https and IPv6 so it's not a problem, but might be for others like John Hopkins)

      --
      -- Tigger warning: This post may contain tiggers! --
    7. Re:Require .gov TLD ? by Obfuscant · · Score: 1

      A lot of UW stuff runs out of the VA facilities.

      That doesn't make UW a federal agency. UW websites aren't publicly-facing federal websites because of it.

      but might be for others like John Hopkins

      You mean this Johns Hopkins? The private research university? Why do you think they are a federal agency?

    8. Re:Require .gov TLD ? by Noah+Haders · · Score: 1

      (caveat - we already do https and IPv6 so it's not a problem, but might be for others like John Hopkins)

      I don't know who John Hopkins is. Does he work at Johns Hopkins?

    9. Re:Require .gov TLD ? by Obfuscant · · Score: 1

      There's more than one "UW".

      Does it matter? From the context, it's pretty clear that "U" stands for "university" somewhere in the US. Do you know of a "University of anything that starts with W" in the US that would become a federal agency just by accepting federal research grant money? I don't. That's the point.

      nobody knows what you mean unless you're from the same state as you.

      I always come from the same state as me. And people in other states can pretty much figure out it doesn't matter which UW we're talking about.

  3. Oh the irony by Anonymous Coward · · Score: 5, Insightful

    Commanding the NSA to continue violating the Constitution and sucking up our data despite the Supreme Court's ruling that it is illegal. And this is the same gov't that wants to weaken encryption... yet they want to use it at the same time.

    1. Re:Oh the irony by aXis100 · · Score: 1

      Exactly! And in this case, the NSA can probably get their hands on the server certificate / signing keys quite easily.

      Not exactly a trustworthy organisation when they actively treat the entire world - including their own citizens - with suspicion.

    2. Re:Oh the irony by sumdumass · · Score: 1

      What supreme court ruling? I missed it i guess. All i know about is a second circuit ruling.

    3. Re:Oh the irony by vux984 · · Score: 4, Funny

      Jebus Christ. Seriously?

      HTTPS on government sites isn't to protect you snooping from the NSA. Its to protect you from the neighbors kids, and random hackers around the world.

      Not everything is about the NSA all the time. This is a good thing; even if if doesn't shut down the NSA.

    4. Re:Oh the irony by Anonymous Coward · · Score: 1

      Oh... you mean like thinking HTTPS stops anyone from seeing the URL you just visited so they can view it for themselves?..... yeah, some people just don't get that.

    5. Re:Oh the irony by Guy+Harris · · Score: 2

      Not everything is about the NSA all the time.

      Yes, sometimes it's about 3D printing instead.

    6. Re:Oh the irony by Qzukk · · Score: 3, Informative

      you mean like thinking HTTPS stops anyone from seeing the URL you just visited so they can view it for themselves?

      ... it does, unless you've got some spyware installed phoning home every URL you visit. Or chrome, but I repeat myself.

      Thanks to SNI and IPv4 forcing everyone to host multiple sites on one address (but I repeat myself) SSL does now leak the hostname you are attempting to request during the handshake so the server can select a certificate.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    7. Re:Oh the irony by vilanye · · Score: 1

      Yeah, what is worse is that some people actually think that a signed SSL certificate is a certification of the safety of website.

      Every once in a while I read about some idiot that thought the website was safe because it had a signed SSL cert and gets all bent out of shape because the https site infected his computer and the CA should have not issued the certificate before testing out the website for him.

    8. Re:Oh the irony by Albanach · · Score: 1

      Oh... you mean like thinking HTTPS stops anyone from seeing the URL you just visited so they can view it for themselves?..... yeah, some people just don't get that.

      Well, https won't protect you from others identifying which site you visited, but the entirety of your GET request is encrypted and that's important. It means if which actual pages you view is protected from snooping unless, say, you're on a work computer and your employer is using some nefarious https proxy that issues certificates to your browser.

      So your employer might know you were looking at a local news site, but cannot see that you were reading the situations vacant pages. Or they can tell you were at the Mayo Clinic site, but not that you were reading pages about STDs.

      You can typically spot such proxies pretty easily though - visit Google and see if their certificate was signed by Google.com or by some other entity. If it wasn't signed by Google, you have reason to be concerned. If you're really suspicious you can check fingerprints too, but for some sites these may change and you may be better picking a small server that likely has a single certificate to check the fingerprint against.
       

    9. Re:Oh the irony by viperidaenz · · Score: 2

      OMG, the government might snoop on which government websites you visit by orchestrating a MITM attack!

      Or.... they could simply look at their own server logs?

    10. Re:Oh the irony by rtb61 · · Score: 1

      In this case, they know exactly what they are up to in other countries hence they understand the need to implement https at home. Finnaly some stuff from the hugely offensive side of the NSA is trickling down to the defensive poor second cousin side of the NSA.

      --
      Chaos - everything, everywhere, everywhen
    11. Re:Oh the irony by cavreader · · Score: 1

      The NSA will never be shutdown. The only possible scenario that has the NSA being shutdown is the simultaneous shutdown of every foreign intelligence agency in the world. Scream and stamp your feet if you have to but the NSA is not going away. The spotlight on the NSA over the past couple of years has only resulted in them taking steps to further compartmentalize their operations and beefing up the level of scrutiny they put into their employees when granting security clearances.

    12. Re:Oh the irony by wesley.d.wolfe · · Score: 1

      Thanks to SNI and IPv4 forcing everyone to host multiple sites on one address (but I repeat myself) SSL does now leak the hostname you are attempting to request during the handshake so the server can select a certificate.

      The hostname is leaked in the server response (it has to respond with the public certificate); the encryption doesn't start until after the server has disclosed who it is. Your frustration seems misplaced. Even if it was encrypted, a second connection can fish the certificate themselves.

    13. Re:Oh the irony by dbraden · · Score: 1

      The host name is provided by the client during the TLS negotiation. If the server were to go first, so-to-speak, it might have to send hundreds or more host names if it's hosting a lot of sites, and that would be slow and an ugly information leak (to be able to hit one IP address and discover all of the sites behind it).

    14. Re:Oh the irony by wesley.d.wolfe · · Score: 1

      The client doesn't provide the hostname without SNI (yes, I realize almost every client follows RFC 3546 anyway), nor is it compelled to for the exception of the IPv4 servers that require it. However, the server always ends up sending back an unencrypted public certificate, with or without SNI, and that certificate will include the hostname.

      I phrased my other post poorly, and should have pointed out the exact issue I was referring to; you can't hide hostnames just by ditching SNI.

    15. Re:Oh the irony by SuricouRaven · · Score: 1

      It's also to protect you from snooping by the KGB. And the Chinese, and North Korea, and all the countries in Europe that insist they don't spy on their allies but almost certainly do.

      Everybody spies. Governments, businesses, individuals, loosely-affiliated hacktivist organisations and criminal gangs. They all want that precious information.

    16. Re:Oh the irony by Bert64 · · Score: 1

      And how exactly would it do that?
      There are CAs in most of the countries where such agencies are based, as well as plenty of others that could potentially have been compromised... Your browser will trust any one of hundreds when connecting to an SSL site.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    17. Re:Oh the irony by Demonoid-Penguin · · Score: 1

      It's also to protect you from snooping by the KGB.

      Great stuff! So it secures my ISP as well? Will it wax my car too?

      Yeah - I know, it only secures content after the connection. But seriously - given the level of government stupid when it comes to data security, and the number of CA compromises it seems like lipstick on a pig.

      Still - like a crash helmet instead of a parachute when you jump from a plane, it's better than nothing. (or is that "less worse"?)

    18. Re:Oh the irony by skovnymfe · · Score: 1

      You do realize NSA can just query all the government websites' databases and logs for whatever you look at and post to these secure websites right? HTTPS doesn't prevent NSA from looking at your activies on a government website. Please don't be retarded.

    19. Re:Oh the irony by SuricouRaven · · Score: 1

      That works for targeted monitoring with MITM attacks. Try that on a population scale, and it will be easy to detect. Injecting MITM attacks is also more expensive and riskier than passive monitoring - it can be detected.

    20. Re: Oh the irony by ZeroWaiteState · · Score: 1

      Too late, they destroyed the backup tapes.

    21. Re: Oh the irony by ZeroWaiteState · · Score: 1

      There hasn't been a defensive side of the NSA since the 1990's.

    22. Re:Oh the irony by q4Fry · · Score: 1

      The precious information on public .gov websites?

  4. Confidence in their government by Ada_Rules · · Score: 4, Insightful

    So, we'll keep locking people in rape cages for growing plants, pulling guns on unarmed teens and going through security theater in air ports with a 90% detection failure rate....But finally I can do https://whitehouse.gov/ to vote on a bogus petition with no effect. My confidence is restored thusly.

    --
    --- Liberty in our Lifetime
    1. Re:Confidence in their government by lucm · · Score: 1

      rape cages for growing plants

      Greenpeace should get involved!

      --
      lucm, indeed.
    2. Re: Confidence in their government by ZeroWaiteState · · Score: 1

      We regret any inconvenience.

  5. confidence? by MobSwatter · · Score: 1

    ... and may reduce their confidence in their government.

    I think we all have plenty of confidence, just not the kind they are looking for...

  6. This makes me worry. by Anonymous Coward · · Score: 1

    Rather than take the time to understand their perimeter and data it exposes they want to "protect" everything with HTTPS. Which probably doesn't make sense for static, non interactive services.

    This says a lot about their security program...

    1. Re:This makes me worry. by bobbied · · Score: 1

      Rather than take the time to understand their perimeter and data it exposes they want to "protect" everything with HTTPS. Which probably doesn't make sense for static, non interactive services.

      This says a lot about their security program...

      And the people who are deciding what to do next in said program...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:This makes me worry. by BlueStrat · · Score: 1

      This says a lot about their security program...

      And the people who are deciding what to do next in said program..

      Those people are Jackson, Grant, and Franklin.

      I've heard they speak quite loudly.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    3. Re:This makes me worry. by heypete · · Score: 2

      Rather than take the time to understand their perimeter and data it exposes they want to "protect" everything with HTTPS. Which probably doesn't make sense for static, non interactive services.

      Perhaps, but it also helps protect against content injection or manipulation (e.g. ad injection by shady ISPs), snooping by third parties (e.g. hotel or coffee-shop networks), etc.

      Honestly, there's very little reason *not* to encrypt data these days.

  7. But encryption by penguinoid · · Score: 4, Funny

    Wait, I thought government as trying to fight encryption, not require it.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:But encryption by viperidaenz · · Score: 4, Insightful

      No, they're trying to compromise encryption, not fight it.

    2. Re:But encryption by Checkered+Daemon · · Score: 1

      No problem for the gov - they'll just record every transaction on their web sites AFTER the SSL decryption. And then tell the sheeple that they're working to preserve our privacy. Hipocrites.

  8. Re:Born to fail by chill · · Score: 2

    Most .gov sites buy certs from normal CAs, like Thawte and Verisign.

    And the requirement isn't for just HTTPS-only, but for also implementing Strict Transport Security and suggesting using Perfect Forward Secrecy.

    --
    Learning HOW to think is more important than learning WHAT to think.
  9. HSTS for all government sites by toejam13 · · Score: 2

    Just add the .gov and .mil top-level domains to HSTS preload lists. That'll close the code injection vector on port 80 before the redirect to HTTPS takes place. It also acts as a fire under all government sites - implement TLS or else HSTS browsers won't be able to access your site any further.

    1. Re:HSTS for all government sites by Irate+Engineer · · Score: 2

      Oh God! HTTPS! I'm fucking invisible now! Thank you Slashdot! (SIGNAL LOST)....

      --

      Left MS Windows for Linux Mint and never looked back!

      Vote for Bernie in 2016!

    2. Re:HSTS for all government sites by cbhacking · · Score: 1

      That's not how HSTS preload works. Or rather, it is, but you're missing a vital step. The preload list won't accept sites that don't specify the "preload" flag in their Strict-Transport-Security header. It ought to go without saying that they won't accept sites which don't serve HTTPS at all...

      The max-age and includeSubDomains directives are relevant to browsers. The preload directive is relevant to HSTS preload list maintainers (or rather, to their servers). I guess the government could try coercing the preload list maintainers into including the relevant .gov sites even if they don't meet the requirements for inclusion in the list, but I'm pretty sure that won't happen.

      --
      There's no place I could be, since I've found Serenity...
    3. Re:HSTS for all government sites by Konklone · · Score: 1

      Getting the .gov and .mil TLDs into the HSTS preload list would be amazing. I helped get ~20 .gov second-level domains into the HSTS preload list in February, and mentioned getting .gov into the preload list at the end:

      https://18f.gsa.gov/2015/02/09...

      The .gov TLD is a challenge, though, as it is used by state and local governments and other public services, like libraries, utility companies, etc. There are over 5,300 in total, and only ~1,350 of them are federal government.

      https://18f.gsa.gov/2014/12/18...

  10. Are they including a backdoor for US citizens? by He+Who+Has+No+Name · · Score: 1

    No?

    Then they should probably leave it unencrypted. They wouldn't want to be TOO blatant with their hypocrisy.

  11. Re:surprising by fustakrakich · · Score: 1

    With every hacked CA, they are already in place

    --
    “He’s not deformed, he’s just drunk!”
  12. Re:Oh, now they're concerned? by bobbied · · Score: 1

    Please, let's not nuke anything in or from orbit... Further, let's not nuke anything if we can help it..

    It's far to messy and has some pretty bad side effects....

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  13. Meanwhile... by viperidaenz · · Score: 1

    Meanwhile, the US government is trying to add known threats to HTTPS communications.

  14. FBI wants to kill HTTPS but WH wants it or NOT?! by denis-The-menace · · Score: 2

    MAKE UP YOUR FUCKING MINDS!

    Obama: Gov't Shouldn't Be Hampered By Encrypted Communications
    http://yro.slashdot.org/story/...

    FBI's James Comey: the Man Who Wants To Outlaw Encryption
    http://yro.slashdot.org/story/...

    Meanwhile ./ got their HTTPS sliced and DICED away.
    As I post this, it's plain text HTTP.

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
  15. White House not Whitehouse by goodmanj · · Score: 1

    White House = home and office of the president.
    Whitehouse = senator from Rhode Island.

    Since both are involved in federal government, the space kinda matters.

    1. Re:White House not Whitehouse by SuricouRaven · · Score: 1

      It's also the name of a pornography studio.

  16. Re:FBI wants to kill HTTPS but WH wants it or NOT? by SuricouRaven · · Score: 1

    There's no contradiction. The government is only opposed to encryption that stops them monitoring people. For example, they really don't mind if facebook uses https, because they have several legal avenues* at their disposal to obtain private messages straight from Facebook. Encrypted government sites is no problem for the same reason. They would object to people using https to access sites hosted outside the US, or to end-to-end encryption software like Retroshare or OTR.

    *Which run a wide spectrum of legitimacy, from the conventional directed warrant to super-secret 'give us everything and we were never here' national security letters.

  17. While they're at it... by HEMI426 · · Score: 2

    Can they mandate that all of the services their departments offer for employees for work play nice with the latest version of Java within X number of days after a new Java release? Can they mandate that their training stuff not use Flash, Silverlight, or some other non-standard garbage that causes issues for non-Windows users? Dumping Oracle Forms for a bunch of their purchasing systems would be swell, too. Switching VPN providers three times in two years, as well as a revolving door of AV clients is also kind of a drag, as is having several pieces of tech ram-rodded down our throats in emergency fashion, but never used again...The digital signature pad comes to mind.

    Cheers,

    One very annoyed Federal "IT Specialist"

  18. Re:Oh the irony (and the starchy) by Demonoid-Penguin · · Score: 1

    you mean like thinking HTTPS stops anyone from seeing the URL you just visited so they can view it for themselves?

    ... it does,

    How interesting. How does my browser hide the initial certificate request, um, from the ISP and every other nosy hop? (obviously the prior DNS request is done using anonymous encrypted pigeons). Is there a show on Discovery Channel that could explain it in terms I could understand? Thanks.

    Oh - one other thing... this will make DNSSEC redundant right - 'cause the HTTPS certificate will guarantee the site is not being spoofed(??). Brilliant stuff. I'll sleep better knowing the internets are safe at last/again.

  19. Re:FBI wants to kill HTTPS but WH wants it or NOT? by thegarbz · · Score: 1

    MAKE UP YOUR FUCKING MINDS!

    They have made up their minds if you read the links. The government is adamant they want everyone to use encryption and every encryption to have a back door. They are being quite consistent with their demands.

  20. Re:Oh the irony (and the starchy) by dissy · · Score: 1

    A hostname/IP is not a URL. It is part of a URL, but there is more information in a URL and the entirety of the URL is not viewable as the original poster claimed.

    Your browser and the server do certificate exchange before your browser requests the page on the server you're interested in.

    In other words, while using https you can see via hostname/IP that I went to www.google.com however you can NOT see if I requested the main page at "/" or sent a query such as "/?q=goat+porn" or any other information after the protocol/hostname/port portion of the URL.

    As to making DNSSEC redundant - perhaps if your internet experence consists of nothing but website browsing, although personally even then I wouldn't turn down the extra protection just in case of future attacks that lack of DNSSEC might enable.

    But to look up an IP from a host for say email, or ssh, or something - nothing within the https protocol will provide additional protection against spoofing so we still have a need for DNSSEC.

  21. We'll see by operagost · · Score: 1

    Let's hope they are a little more thorough than whoever was responsible for making sure Secretary Clinton only used the State Department email system for official communications.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.