Slashdot Mirror


Whitehouse Mandates HTTPS For Government Sites and Services

Bismillah writes: As per orders from Tony Scott, the government CIO, all federal agencies with publicly accessible websites must provide service only through a secure HTTPS connection. "Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards," according to his memo. "This leaves Americans vulnerable to known threats, and may reduce their confidence in their government."

19 of 111 comments

  1. Many are already using HTTPS and IPv6 by WillAffleckUW · Score: 5, Informative

    It's not like this is a new initiative, or that we didn't have dry runs a few years ago.

    It's just a few recalcitrant holdouts being told: "Switch or Die".

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Many are already using HTTPS and IPv6 by Anonymous Coward · Score: 2, Interesting

      Yes, I was referring to the way CAs work. The current trust model makes TLS/SSL connections susceptible to government sponsored MITM attacks. They can do it either by mandating the CAs to hand out their PKs or by hacking them without consequences like we've seen before. There is a single-point of failure in TLS/SSL authentication and that point has failed long ago.

  2. Oh the irony by Anonymous Coward · Score: 5, Insightful

    Commanding the NSA to continue violating the Constitution and sucking up our data despite the Supreme Court's ruling that it is illegal. And this is the same gov't that wants to weaken encryption... yet they want to use it at the same time.

    1. Re:Oh the irony by vux984 · Score: 4, Funny

      Jebus Christ. Seriously?

      HTTPS on government sites isn't to protect you from snooping by the NSA. It's to protect you from the neighbors' kids, and random hackers around the world.

      Not everything is about the NSA all the time. This is a good thing, even if it doesn't shut down the NSA.

    2. Re:Oh the irony by Guy+Harris · Score: 2

      Not everything is about the NSA all the time.

      Yes, sometimes it's about 3D printing instead.

    3. Re:Oh the irony by Qzukk · Score: 3, Informative

      you mean like thinking HTTPS stops anyone from seeing the URL you just visited so they can view it for themselves?

      ... it does, unless you've got some spyware installed phoning home every URL you visit. Or Chrome, but I repeat myself.

      Thanks to SNI and IPv4 forcing everyone to host multiple sites on one address (but I repeat myself), SSL does now leak the hostname you are attempting to request during the handshake so the server can select a certificate.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
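
    The hostname leak described in the comment above can be seen directly by parsing a ClientHello. The following is an added example, not code from the thread: it hand-constructs a TLS 1.2 ClientHello for a sample hostname (www.example.gov, a constructed value) and pulls the server_name extension out of it the way a passive network monitor would, which is exactly the information an on-path observer gets from an HTTPS connection before any encryption starts.

```python
"""Added example (not from the Slashdot thread): what a passive observer on the
path sees in a TLS ClientHello. The server_name (SNI) extension is sent in the
clear, so the hostname is visible even though everything after the handshake
is encrypted. The ClientHello below is constructed by hand, not captured."""

import struct


def _u16(n):
    return struct.pack("!H", n)


# --- constructed sample ClientHello carrying SNI for www.example.gov ---
SAMPLE_HOST = b"www.example.gov"
sni_entry = b"\x00" + _u16(len(SAMPLE_HOST)) + SAMPLE_HOST      # name_type host_name(0)
sni_ext = _u16(0x0000) + _u16(len(sni_entry) + 2) + _u16(len(sni_entry)) + sni_entry
ems_ext = _u16(0x0017) + _u16(0)                                 # extended_master_secret, empty
extensions = ems_ext + sni_ext
client_hello_body = (
    b"\x03\x03" + bytes(range(32))            # version TLS 1.2, 32-byte "random" (constructed)
    + b"\x00"                                 # empty session id
    + _u16(4) + b"\xc0\x2f\x00\x9c"           # two cipher suites
    + b"\x01\x00"                             # compression methods: null only
    + _u16(len(extensions)) + extensions
)
handshake = b"\x01" + struct.pack("!I", len(client_hello_body))[1:] + client_hello_body
SAMPLE_RECORD = b"\x16\x03\x01" + _u16(len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI hostname from a TLS record holding a ClientHello, or None.

    Parses only the fields needed to reach the extensions, with bounds checks,
    so truncated or non-handshake input yields None rather than an exception.
    """
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    p = 4 + 2 + 32                                    # skip header, version, random
    if len(hs) < p + 1:
        return None
    p += 1 + hs[p]                                    # session id
    if len(hs) < p + 2:
        return None
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher suites
    if len(hs) < p + 1:
        return None
    p += 1 + hs[p]                                    # compression methods
    if len(hs) < p + 2:
        return None
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    if end > len(hs):
        return None
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + elen]
        p += elen
        if etype != 0 or len(data) < 5:
            continue
        # server_name_list: 2-byte list length, then (name_type, 2-byte length, name)
        name_len = struct.unpack("!H", data[3:5])[0]
        if data[2] == 0 and len(data) >= 5 + name_len:
            return data[5:5 + name_len].decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    print("hostname visible in the clear:", extract_sni(SAMPLE_RECORD))
```

    The parser deliberately stops at the first host_name entry and never touches the cipher suites or random, which is all a monitoring sensor needs to log which hostnames a client connected to.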
    4. Re:Oh the irony by viperidaenz · Score: 2

      OMG, the government might snoop on which government websites you visit by orchestrating a MITM attack!

      Or.... they could simply look at their own server logs?

  3. Confidence in their government by Ada_Rules · Score: 4, Insightful

    So, we'll keep locking people in rape cages for growing plants, pulling guns on unarmed teens and going through security theater in airports with a 90% detection failure rate... But finally I can do https://whitehouse.gov/ to vote on a bogus petition with no effect. My confidence is restored thusly.

    --
    --- Liberty in our Lifetime
  4. But encryption by penguinoid · Score: 4, Funny

    Wait, I thought government was trying to fight encryption, not require it.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:But encryption by viperidaenz · Score: 4, Insightful

      No, they're trying to compromise encryption, not fight it.

  5. Re:Require .gov TLD ? by ShanghaiBill · Score: 4, Informative

    and .edu, I'd guess.

    Those are almost all state, local, or private. But there are a few run by the feds, such as www.usma.edu and www.usna.edu, which default to vanilla http.

  6. Re:Born to fail by chill · Score: 2

    Most .gov sites buy certs from normal CAs, like Thawte and Verisign.

    And the requirement isn't for just HTTPS-only, but for also implementing Strict Transport Security and suggesting using Perfect Forward Secrecy.

    --
    Learning HOW to think is more important than learning WHAT to think.
  7. Re:Require .gov TLD ? by WillAffleckUW · Score: 2

    A big question for .edu is do research universities that get large amounts of funding have to go https as well.

    We know that this will apply to public-facing websites, so technically that would apply to a medical research hospital as part of a university (quite a few of those), but will it include small labs using fed grants as well? Presumably if external facing.

    A lot of such websites, like a crystallography beam website, are internal only, so they don't count, but it's not that big a deal. However, most of the certificates for those belong to the institutions themselves, and not the usual public grantors.

    --
    -- Tigger warning: This post may contain tiggers! --
  8. HSTS for all government sites by toejam13 · Score: 2

    Just add the .gov and .mil top-level domains to HSTS preload lists. That'll close the code injection vector on port 80 before the redirect to HTTPS takes place. It also acts as a fire under all government sites - implement TLS or else HSTS browsers won't be able to access your site any further.
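
    Comment 6 above notes that the memo asks for HTTP Strict Transport Security and suggests forward secrecy, and comment 8 proposes HSTS preloading. The following is an added example, not code from the thread or from any government scanner: it checks a site's collected results against those three points, namely a permanent redirect from port 80 to HTTPS, a Strict-Transport-Security header strong enough for the preload list (max-age of at least one year, includeSubDomains and preload, which are the hstspreload.org submission requirements), and an (EC)DHE or TLS 1.3 cipher suite. The site records and hostnames are constructed samples; nothing is fetched from the network.

```python
"""Added example (not from the Slashdot thread): evaluating a site's HTTPS
posture for HTTP->HTTPS redirect, HSTS preload eligibility and forward
secrecy. All inputs are constructed samples; no network access is made."""

import re

ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives.

    Returns None when the header is absent or carries no valid max-age,
    because a browser ignores such a header entirely.
    """
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None  # malformed max-age invalidates the whole header
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def preload_eligible(policy):
    """Preload submission needs max-age >= 1 year, includeSubDomains and preload."""
    return (policy is not None and policy["max_age"] >= ONE_YEAR
            and policy["include_subdomains"] and policy["preload"])


def forward_secret(cipher):
    """True when the negotiated suite uses an ephemeral (EC)DHE key exchange.

    TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always do; for TLS 1.2 the
    OpenSSL-style name carries ECDHE or DHE in the key-exchange position.
    """
    if cipher.startswith("TLS_AES_") or cipher.startswith("TLS_CHACHA20_"):
        return True
    return cipher.startswith(("ECDHE-", "DHE-"))


def assess(site):
    """Return a list of findings (empty means all three checks pass)."""
    findings = []
    if site["http_status"] not in (301, 308) or not site["http_location"].startswith("https://"):
        findings.append("port 80 does not redirect permanently to HTTPS")
    policy = parse_hsts(site["hsts"])
    if policy is None:
        findings.append("no valid Strict-Transport-Security header")
    elif not preload_eligible(policy):
        findings.append("HSTS present but not preload-eligible")
    if not forward_secret(site["cipher"]):
        findings.append("negotiated cipher suite lacks forward secrecy")
    return findings


# Constructed sample results, as a scanner might have collected them.
SAMPLE_SITES = {
    "good.example": {
        "http_status": 301, "http_location": "https://good.example/",
        "hsts": "max-age=31536000; includeSubDomains; preload",
        "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
    },
    "weak.example": {
        "http_status": 200, "http_location": "",
        "hsts": "max-age=300",
        "cipher": "AES256-SHA",
    },
}

if __name__ == "__main__":
    for host, site in SAMPLE_SITES.items():
        print(host, assess(site) or ["ok"])
```

    The redirect check accepts only 301 and 308 because a temporary redirect does nothing to keep a browser off port 80 on its next visit, and the HSTS parser rejects a header with a malformed or missing max-age outright since browsers treat that as no policy at all.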

    1. Re:HSTS for all government sites by Irate+Engineer · Score: 2

      Oh God! HTTPS! I'm fucking invisible now! Thank you Slashdot! (SIGNAL LOST)....

      --

      Left MS Windows for Linux Mint and never looked back!

      Vote for Bernie in 2016!

  9. Re:Require .gov TLD ? by Obfuscant · Score: 2

    A big question for .edu is do research universities that get large amounts of funding have to go https as well.

    Not because of this directive. Federal grants do not a federal agency create.

    We know that this will apply to public-facing websites, so technically that would apply to a medical research hospital as part of a university

    Public-facing federal websites. If you are a federally operated University, yes. Otherwise, no. USNA, USAFA, West Point, yes. UW, no.

  10. FBI wants to kill HTTPS but WH wants it or NOT?! by denis-The-menace · Score: 2

    MAKE UP YOUR FUCKING MINDS!

    Obama: Gov't Shouldn't Be Hampered By Encrypted Communications
    http://yro.slashdot.org/story/...

    FBI's James Comey: the Man Who Wants To Outlaw Encryption
    http://yro.slashdot.org/story/...

    Meanwhile ./ got their HTTPS sliced and DICED away.
    As I post this, it's plain text HTTP.

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
  11. While they're at it... by HEMI426 · Score: 2

    Can they mandate that all of the services their departments offer for employees for work play nice with the latest version of Java within X number of days after a new Java release? Can they mandate that their training stuff not use Flash, Silverlight, or some other non-standard garbage that causes issues for non-Windows users? Dumping Oracle Forms for a bunch of their purchasing systems would be swell, too. Switching VPN providers three times in two years, as well as a revolving door of AV clients, is also kind of a drag, as is having several pieces of tech ram-rodded down our throats in emergency fashion but never used again... The digital signature pad comes to mind.

    Cheers,

    One very annoyed Federal "IT Specialist"

  12. Re:This makes me worry. by heypete · Score: 2

    Rather than take the time to understand their perimeter and the data it exposes, they want to "protect" everything with HTTPS. Which probably doesn't make sense for static, non-interactive services.

    Perhaps, but it also helps protect against content injection or manipulation (e.g. ad injection by shady ISPs), snooping by third parties (e.g. hotel or coffee-shop networks), etc.

    Honestly, there's very little reason *not* to encrypt data these days.