back to article Lack of secure protocol puts US whistleblowers at risk, says ACLU

Responding to the recent proposal for a "HTTPS-Only Standard", the American Civil Liberties Union has stressed the value of a more thorough and timely implementation of functional transport encryption. The non-profit organization noted that at least 29 US federal websites do not currently use HTTPS to protect sensitive …

  1. streaky


    There are a growing number of parties suggesting the complete deprecation of HTTP and transition to a web entirely based upon HTTPS

    It's called HTTP/2. Before some smarty-pants corrects me I'd like to point out despite the spec there are reference browsers that will not support non-tls thereby HTTP/2 is de facto always-on HTTPS.

    Job done.

  2. This post has been deleted by its author

    1. Dan Paul

      It's really the....

      EYE of SAURON from LOTR.

      However, far be it for me to criticize the sexual fantasies of Peter Jackson

      1. Anonymous Coward
        Anonymous Coward

        Re: It's really....

        my bottom after a stonkingly hot curry:

        "You know of what I speak, Commentard, a great hog's eye, lidless, wreathed in flame."

    2. Sandtitz Silver badge

      The pussy is in the eye of the beholder.

  3. ZSn


    Perhaps someone more knowledgeable could enlighten me, but isn't the advice not to use starttls? The problem I was told was that it if the TLS negotiation fails it can fall back to unencrypted silently so you think that your protected but aren't. The advice was that you should use the tls directly by port 993 directly? Or is there some done deeper cryptographic reason I'm ignorant of?

    1. streaky

      Re: startls

      The problem I was told was that it if the TLS negotiation fails it can fall back to unencrypted silently so you think that your protected but aren't

      Depends how clients/servers are configured. Indeed the STARTTLS RFC explicitly states that it shouldn't fail silently. Real world however..

    2. Justin Pasher

      Re: startls

      The situation we are in now is a little like trying to put the toothpaste back in the tube.

      You can run an implicit SSL SMTP server on port 465 (port 993 is IMAPS, btw) and other could connect, but a much larger percentage of the SMTP servers out there don't do this versus those that do. The only way you would know is if you attempt a connection first (which will most likely fail), and then you have to fall back to regular port 25 anyway, thus increasing the overhead for sending emails.

      Fundamentally, an implicit SSL connection and a clear text connection where you issue STARTTLS are the same, but the advantage of STARTTLS is that you only have to connect to one port (which should always be open for any public SMTP server), and you can then secure up the session. Granted, you might have the fallback to an unecrypted session depending on the client/server config. It is possible to set up some SMTPd servers to require TLS when connecting to remote servers, even by using STARTTLS, but you still end up in the same situation (many servers do not support it).

      Now, if the government enable STARTTLS functionality for inbound and outbound, it still relies on the other client and server to support it. They can't force that to be the case, and if it's not supported on the other end, it defeats the implementation anyway. Thus, implementing the change might give some a false sense of security just to tick another box on the security checklist. I'm not saying they shouldn't implement this at all, however.

  4. CrashM

    The point?

    Whats the point when it has already been established that the NSA has already infiltrated most/all or the trusted certificate authorities?

    1. Yet Another Anonymous coward Silver badge

      Re: The point?

      And the story applies to federal websites where the NSA owns the people running the server anyway - there is no need for the government to hack communications sent to the government.

      1. Anonymous Coward
        Anonymous Coward

        Re: The point?

        "there is no need for the government to hack communications sent to the government."

        There certainly is. The whole point is not to help and facilitate whistleblowers, but to facilitate the identification and subsequent hounding of whistleblowers. Government is a bureaucracy that runs for its own benefit. It does not desire people to let on to its own failings, and the purpose of whistleblower policies and communications channels is (a) primarily for appearances sake, and (b) to catch those who might embarass the bureaucracy.

        1. Yet Another Anonymous coward Silver badge

          Re: The point?

          So having https to communicate the data directly to the same government you are trying to whistle-blow against is totally irrelevant.

  5. Tom 13

    This should work well.

    None of the sites can "afford" real certs so they'll self-issue. After that instead of using TLS they'll use SSL 2.0 or SSL 3.0 depending on WHICH critical flaw they've decided to defend against. At which point anybody with a properly patched system won't be able to access the site at all.

    And I wish I were joking. Within the last month I've had to inform some of our contractors who have been using vendor supplied laptops on our guest wireless network that they can't use the wireless for just that reason. After you configure the wifi, you're supposed to open a browser which redirects you to a website to log in with a user name and password. Yep, site unreachable for just those reasons.

    1. Anonymous Coward
      Anonymous Coward

      Re: This should work well.

      Self-issued certificates are a problem in another way too - most browsers treat self-certs like an alien invasion that is HAPPENING NOW! LOCK UP YOUR POSSESSIONS AND HIDE YOUR ANAL PROBES!!!!

      Sure, MITM, sure there's going to be a lot of people who get it wrong as described above; but surely HTTPS is better than no HTTPS?

      I would have HTTPS across everything, if only the browser warnings were less alarming (with a cert verification page somewhere on the site in question, not that anyone would ever check).

      It's not the extra £10/year for the certificates (although that is a factor); it's the fact that with all the pwnage of certificate authorities, you just can't trust the fuckers.

      1. Anonymous Coward
        Anonymous Coward

        Re: This should work well.

        I used to make this argument and get shouted down, but that was before Snowden. My argument was that if _we_ the site operator are providing expensive paid for data services to customers who are not putting their own sensitive data on our website, a self signed cert allows us to hand carry the customer the proper cert for installation. In this specific scenario it doesn't make things less insecure compared to a cert provider who almost certainly has been compromised in some way.

        I'm sure someone can tell me why I'm wrong.

        1. Anonymous Coward
          Anonymous Coward

          Re: This should work well.

          My private theory is that browser-makers have received a bung from the Combined Unified Nodule of Trust Sellers, or whatever it's called to make the warnings deliberately fearsome.

          And, of course, HTTPS Everything would inconvenience advertisers. In all honesty, I'd implement HTTPS just to piss them off, if for no other reason.

    2. Hargrove

      Re: This should work well.

      Ref @Tom13

      And I wish I were joking.

      But no joke, he's not joking. At least in the US the government is throwing billions at centralizing all data management in the name of "cybersecurity" to create an infrastructure that remains vulnerable to hackers, while randomly failing to accept credentials or to deliver content to authorized users.

      The root cause is hubris--the insane presumption that election to public office automatically makes those who govern experts in information systems technology and gives them the power to suspend the laws of mathematics and physics.

      It's a simple matter of having the right certification process, don't-ya know?

      From what I observe, this is going to get much worse before it gets better.

      1. Tom 13

        @ Hargrove Re: This should work well.

        On re-reading my comments, I realize that I dropped some context. I work for one of those US government agencies as a contractor. (Since I'm not authorized to speak for them, it's bad form for me to say which one.) And I'm referring to entirely too many of their sites. I'm just a private in this fight, not even a corporal. But I can see crap as well as the next guy.

        Also, I while hubris certainly contributes, I think there's an even more basic element. The whole thing is just too damn big. Nobody can hold enough of it in their head to have an idea of how it works. Add a bit of rushing, a dash of goldbricking, and maybe even a bit of featherbedding and you're doomed to failure even without the hubris. Yes, you can do a dive here or there and find really examples of horrendously shoddy work, but you can't build a picture of how it SHOULD work because there are too many rules with which to comply.

        1. This post has been deleted by its author

        2. Anonymous Coward
          Anonymous Coward

          Re: @ Hargrove This should work well.

          (previous comment deleted because I was just back from the pub)

          I always take the attitude of "What are we supplying? What do the users of that thing want/need to see/know?"

          Then build that. And argue about the rules later. Works for SMB; can't speak about government work.

        3. Anonymous Coward
          Anonymous Coward

          Re: @ Hargrove This should work well.

          but you can't build a picture of how it SHOULD work because there are too many rules with which to comply.

          A-fucking-men. If I've read something, I can recall it. Hubris, but well demonstrated. Reading 24/7/365+, it is completely impossible to read all the regulations with which one is supposed to comply and when you can (electro-magnetic hazards being one case I'm entirely too familiar with) you end up with contradictions which can not be resolved. Ignorance of the law is no excuse. Someday, perhaps in the far future, they'll drop that belief. In the mean time? {Shrug}?

  6. ecofeco Silver badge

    Lack of HTTPS is the problem?

    Whistleblowing in the US is literally risking your life and freedom.

    Lack of HTTPS is a very TINY part of the problem. Being a whistleblower in the US is the next best thing to being Satan incarnate. In a Baptist state. In church.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lack of HTTPS is the problem?

      Antony Beevor, not exactly a rabid Marxist, makes this comment in Berlin:

      Stalin [...] allowed commanders a latitude of action which their German counterparts envied, and, unlike Hitler, he would listen carefully to counter-arguments".

      The US, having defeated the Soviet Union, seems in some areas to be adopting a mindset more Stalinist than Stalin.

  7. Hargrove

    And furthermore . . .

    There is no question that the communications of whistleblowers should be secure. The question is, what is the nature of the threat to them, and who poses that threat.

    Given recent events (the targeting of Tea Party members by the IRS, and the sad case of Miriam Carey) those who govern have to be counted amongst the threat. However, the government is also, rightfully the proper recipient for reports of waste, fraud and abuse.

    I believe that the solution lies in establishing a proper balance between the powers of those who govern and the criminal penalties and sanctions for abuse of those powers. Those who abuse powers, whether for gain or ideology, have betrayed the public trust. They should be appropriately punished and barred for life from holding any position funded by any level of government.

    1. Anonymous Coward
      Anonymous Coward

      Here ye, here ye.

      Sewn up inside a sack full of weasels, then tossed into the river...

      The standard Roman punishment for corrupt officials, so why look any further... they made great roads as well.

      And I'd let the whistle-blowers tie the knot.... as a reward.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like