"https://https..." is not from Department of Redundancy Department
March 17, 2015 6:16 PM
Don't want some random hacker looking over your shoulder when you surf U.S. federal government websites? You may be in luck!
Today the White House announced a proposal — https://https.cio.gov/ — to make all public-facing U.S. government websites use HTTPS across the board within two years. Want to give your two cents on the idea? Forget writing a letter, make a pull request!
Are you more worried about government snooping, but hate paying for SSL certificates? Later this year... Let's Encrypt.
I mean, it does feel weird that the federal government is posting to github, so maybe that's less great. But it's an excellent way to do/make a show of outreach to the folks who'll be the most vocally interested.
posted by Going To Maine at 6:20 PM on March 17, 2015
Let's Encrypt sounds sweet - i have to scour the site, but if they have a way to issue client certificates, too, i'm in.
posted by j_curiouser at 6:24 PM on March 17, 2015
Maybe slashdot can start a subdomain to track interesting developments in this government initiative: http://https.slashdot.org/
posted by Joey Buttafoucault at 6:34 PM on March 17, 2015 [5 favorites]
Huh. Surely the Snowden disclosures had nothing to do with accelerating these initiatives and this is something they had been planning anyway.
posted by RobotVoodooPower at 6:42 PM on March 17, 2015
Heh. Not surprised to see that Eric Mill and 18f are behind this. Eric's long been a pretty strong advocate for using HTTPS across the board, and (before going to work for the government) built shaaaaaaaaaaaaa, which was seemingly the tipping point that put people in gear to drop SHA-1. You might know him better as the creator of isitchristmas.com, or for the slew of stuff he built while working for the Sunlight Foundation.
Long story short, he's one of those people who totally deserve to be "Internet Famous," but won't take credit for any of it. The web's a better place because of him.
posted by schmod at 6:52 PM on March 17, 2015 [9 favorites]
The NSA has destroyed my faith in encryption anyway. Sure, it's better than not, but I'm making the assumption it's compromised at this point.
posted by cjorgensen at 7:06 PM on March 17, 2015 [2 favorites]
Why is it weird for the feds to post to github?
posted by daveliepmann at 7:06 PM on March 17, 2015 [3 favorites]
the dutch in old amsterdam do it
not to mention the finns
folks in siam do it
think of siamese twins
some argentines without means do it
people say in boston even beans do it
let's do it, let's encrypt
posted by uosuaq at 7:11 PM on March 17, 2015 [4 favorites]
All new sites going forward is a great idea. The mandate to migrate existing sites to https-only within two years seems far more iffy to me.
It seems like it will be a boondoggle for dirtbag federal contractors to demand exorbitant sums of money for minimal work to make legacy sites and applications compliant with the new policy. I could easily see some agencies deciding that it's not worth the money/trouble and pulling content offline instead, which would be pretty sad.
There's room for a risk-based approach, but I'd rather that something like weather data or agricultural statistical reports be served insecurely than see that information pulled down or have agencies spend thousands to contractors to enable https.
posted by zachlipton at 7:14 PM on March 17, 2015 [1 favorite]
I'm all for preventing Man In The Middle attacks on my government website access. It's embarrassing not to have had it already.
Now if they could just get everyone caught up on web accessibility...
posted by oceanjesse at 7:20 PM on March 17, 2015
I mean, it does feel weird that the federal government is posting to github, so maybe that's less great. But it's an excellent way to do/make a show of outreach to the folks who'll be the most vocally interested.
What's so weird about this? It's also not so much "a show of outreach" as "a straightforward thing to do" - there are actually quite a lot of smart tech folks working for the Federal Government, and logically, a lot of what they're working on are natural candidates for open-sourcing.
To put it another way: The Federal Government is a large organization with a lot of tech talent, and it shouldn't surprise you that its employees often use exactly the same tools as other people in the tech world to communicate & collaborate.
posted by Tomorrowful at 7:26 PM on March 17, 2015 [8 favorites]
There are over 10,000 active government GitHub accounts, with 128 U.S. federal government GitHub organizations. There is an enormous amount of federal government activity on GitHub, and that's not weird—it's precisely as it should be.
(Disclosure: I have worked for the federal government, and committed code to GitHub on its behalf.)
posted by waldo at 7:27 PM on March 17, 2015 [10 favorites]
Not surprised to see that Eric Mill and 18f are behind this.
That's vaguely reassuring, because otherwise a free certificate authority with no visible revenue screams honeypot.
posted by figurant at 7:32 PM on March 17, 2015
I thought the point was that some parts of the federal government apparently *want to see everything you do*, so signing up with their encryption project might seem a bit sketchy. Does the Swedish Pirate Party have any github projects going?
posted by uosuaq at 7:35 PM on March 17, 2015
uosuaq: "I thought the point was that some parts of the federal government apparently *want to see everything you do*, so signing up with their encryption project might seem a bit sketchy. Does the Swedish Pirate Party have any github projects going?"
The parts of the government that want that are legislatively banned from spying on citizens. I can think of little reason they'd want to spy on traffic to the government itself. Besides which, they already can spy on targeted people, if you make the leap of assuming somewhere within the deep bowels of your root certificates is a CA the NSA either owned or pwned.
posted by pwnguin at 7:42 PM on March 17, 2015
Well, I guess the fact that they're legislatively banned from spying on citizens is why LOVEINT is a word I invented just now.
(I'm not actually all that paranoid about this stuff, but it's something we should keep an eye on, because somebody has to custodiet ipsos custodes.)
posted by uosuaq at 7:51 PM on March 17, 2015
The NSA has destroyed my faith in encryption anyway. Sure, it's better than not, but I'm making the assumption it's compromised at this point.
Compromised by a government isn't the same as compromised by some random identity thief that wants to steal your money. Even if you aren't private you can still be secure.
posted by dilaudid at 8:03 PM on March 17, 2015
This pleases me. I'm going to put in a ticket to transition one of the sites I run to https-only tomorrow! (We already have a cert to use for the transactional bits, we just need to poke at apache to make it always https instead of just the transactional subdomains). Let's Encrypt looks pretty excellent too- it will mean less grumpiness with respect to managing our certificates.
My center's Github organization has over 80 repos with all sorts of good stuff on it.
posted by rockindata at 8:10 PM on March 17, 2015
The parts of the government that want that are legislatively banned from spying on citizens.
Hello from 2015, time traveler! You should be hearing soon from a guy named Edward Snowden who has some interesting news...
posted by indubitable at 8:15 PM on March 17, 2015 [10 favorites]
So put every gov site behind a load balancing proxy with a url rewrite rule. Done in one day.
posted by blue_beetle at 9:13 PM on March 17, 2015
Honest question: What is the utility of SSL in this case, when a governmental agency (or a malicious third party) can compromise the certificate chain, become a certificate authority and effectively issue bogus identities and intercede/modify traffic, similar to what occurred with VASCO/DigiNotar?
posted by a lungful of dragon at 10:18 PM on March 17, 2015 [1 favorite]
Does this mean we'll see some convergence between Github and Gitmo?
posted by George_Spiggott at 10:27 PM on March 17, 2015
All this enthusiasm about https is great, but just for the love of god make sure you detect and fix non secure inclusions.
posted by Joe Chip at 10:28 PM on March 17, 2015
Yeah, so this basically means that our govt. want to be the only man in the middle, right?
posted by mcrandello at 10:37 PM on March 17, 2015
So put every gov site behind a load balancing proxy with a url rewrite rule. Done in one day.
Just in case this isn't a joke, forcing everything over SSL is no easy task.
Here are some things that suck:
SSL certs expire every couple years (although the Feds probably have a CA that will issue certs with a longer expiry). But if they have their own CA, what the fuck is the plan if we have to revoke the root cert.
Hell, cert management in general.
Now any sort of network debugging will require a bunch of work to do SSL proxying.
Hardcoded HTTP links all over the place.
Origin mismatch errors (because different protocols count as different origins) that cause insecure content to get blocked by Chrome (although Safari and Firefox probably are aggressive about this nowadays).
Deciding where to do the SSL termination. Some services are internal, so they don't need SSL. But maybe they need to be exposed, so do we terminate at a load balancer somewhere. If they are SSL, how do we make sure all the internal clients have the right CAs. How do we make sure people don't skip the VIP and go right to one of the instances? Etc. Etc.
posted by sideshow at 10:43 PM on March 17, 2015 [2 favorites]
Honest question: What is the utility of SSL in this case, when a governmental agency (or a malicious third party) can compromise the certificate chain, become a certificate authority and effectively issue bogus identities and intercede/modify traffic, similar to what occurred with VASCO/DigiNotar?
The utility is that traffic between you and governmental agencies is more difficult for malicious third parties to intercept.
posted by RonButNotStupid at 2:58 AM on March 18, 2015
> Compromised by a government isn't the same as compromised by some random identity thief that wants to steal your money. Even if you aren't private you can still be secure.
We have different definitions of secure. If you're using a compromised lock it's not much of a lock. If the government has the keys it's safe to assume anyone that wants them will also have them.
posted by cjorgensen at 6:09 AM on March 18, 2015
Yeah, so this basically means that our govt. want to be the only man in the middle, right?
Huh. That doesn't even make sense.
Why would the government need to execute a man-in-the-middle attack against their own servers? They already control one end of the connection.
posted by schmod at 7:44 AM on March 18, 2015 [5 favorites]
If you're using a compromised lock it's not much of a lock. If the government has the keys it's safe to assume anyone that wants them will also have them.
It's worth noting that any of the certificates can be compromised in this way. Do you trust the government more or less than Verisign?
posted by schmod at 7:45 AM on March 18, 2015 [1 favorite]
The federal government doesn't have its own certificate authority- we use the same CAs that everyone else does- Verisign, Digicert, etc.
posted by rockindata at 9:34 AM on March 18, 2015
This is a good step. I also found the proposal to be extremely well-written compared to most tech stuff I have to read, so good job, government. I also used the SHAAAAAAAAA tool and realized my company's main site has an SHA-1 cert so I've started the process of replacing it. We use an external company for IT stuff so it's good that I happened to notice this.
And yeah ... upgrading a legacy site to use HTTPS is not necessarily easy at all. URL rewrite to force people to HTTPS is great but the millions of scripts, service calls, and various other crap in the site needs to be changed to use HTTPS too to avoid the mixed content warnings. I've also run into places where some of the external references are not available at HTTPS URLs at all, so then you have to decide whether to get rid of them, etc.
posted by freecellwizard at 12:27 PM on March 18, 2015
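The insecure inclusions, hardcoded HTTP links and mixed content warnings raised in the comments above can be inventoried with a static scan before a site is switched to HTTPS-only. This is an added example, not code from any commenter or from the https.cio.gov project; the category names, the `scan` and `summarize` helpers and the example.gov sample page are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser

# tag -> (URL attribute, category). Categories are a simplification of how
# browsers treat a plain-HTTP reference found on an HTTPS page:
#   active         scripts, stylesheets, frames: blocked
#   passive        images and media: loaded with a warning or degraded padlock
#   hardcoded-link navigation only, not mixed content, but still plain HTTP
#   insecure-form  submits user input without TLS
RULES = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link": ("href", "active"),
    "object": ("data", "active"),
    "embed": ("src", "active"),
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
    "a": ("href", "hardcoded-link"),
    "form": ("action", "insecure-form"),
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (category, tag, url, line number)

    def handle_starttag(self, tag, attrs):
        if tag not in RULES:
            return
        attr, category = RULES[tag]
        values = {k: (v or "") for k, v in attrs}
        url = values.get(attr, "").strip()
        # Relative, protocol-relative (//host/...) and https:// URLs are fine.
        if not url.lower().startswith("http://"):
            return
        # <link> is only active content when it pulls in a stylesheet.
        if tag == "link" and "stylesheet" not in values.get("rel", "").lower():
            category = "passive"
        self.findings.append((category, tag, url, self.getpos()[0]))

def scan(html):
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

def summarize(findings):
    return Counter(category for category, _, _, _ in findings)

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example.gov/site.css">
<script src="http://cdn.example.com/lib.js"></script>
<script src="https://cdn.example.com/ok.js"></script>
<script src="//cdn.example.com/protocol-relative.js"></script>
</head><body>
<img src="http://images.example.gov/seal.png">
<img src="/local/logo.png">
<a href="http://www.example.gov/reports">Reports</a>
<form action="http://forms.example.gov/submit" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for category, tag, url, line in scan(SAMPLE):
        print(f"line {line}: [{category}] <{tag}> {url}")
```

The scan only reports; each external host still has to be checked for HTTPS availability before its URL is rewritten, since some references may not be served over HTTPS at all.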
Sure, it's good to protect your traffic from third parties, but I'm usually more worried about the government itself. Obviously, all your traffic is decrypted when it reaches the government server. A better solution for now, IMO, is an encrypted VPN. At least that way, your queries aren't associated with your IP address, and you can't be spied on by, or via, your ISP.
You should already be using something like HTTPS Everywhere, since you can't rely on web sites to implement HTTPS by default. Really, encryption should be the default standard for all web and internet traffic. There's no legitimate reason, that I can think of, to send plaintext traffic over any protocol.
posted by sudon't at 12:33 PM on March 18, 2015
Because of children and drugs!
posted by cjorgensen at 1:59 PM on March 18, 2015
Huh. That doesn't even make sense.
posted by schmod at 10:44 AM on March 18
Yeah, nevermind, I believed I had something of a thought there but there's no way to phrase it that doesn't sound either idiotic or crazypants.
posted by mcrandello at 9:15 PM on March 21, 2015
HTTPS isn't much better than HTTP. It can be easily circumvented by MiTM attacks, for one. If you think that it's "hard" to bypass SSL encryption, then you're mistaken, even by modern algorithm methods.
There's no way that'll fix everything. In fact, it'll fix very little.
Schmod, you're missing the point: it's not the government that'd be performing the MiTM attack. Anyone can, and retrieve the data, without ever touching the server, directly.
posted by Grease at 1:45 PM on April 9, 2015
This thread has been archived and is closed to new comments
posted by Going To Maine at 6:18 PM on March 17, 2015 [1 favorite]