back to article NASA guy to White House: Be really careful with that HTTPS stuff

A webserver and database administrator at NASA has penned an epic plea on the White House's GitHub repository to include a waiver process as part of the HTTPS-Only project, which is intended to improve security for citizens visiting federal websites, but may interfere with niche services. Joe Hourclé has taken to GitHub to …

  1. Anonymous Coward
    Anonymous Coward

    Or, here's a thought...

    We could get governments to stop abusing constitutional powers and downright ignoring personal privacy.

    I know. Wild concept.

  2. Chris T Almighty

    Vested interest?

    Call me a cynic, but I'm guessing a lawmaker is about to land a well paid directorship at a certificate authority.

  3. Anonymous Coward
    Anonymous Coward

    HTTPS? Welcome to the last decade.

    HTTPS had its place and time, but for general use it is now almost obsolete given that:

    1. It doesn't offer deniability. This means, anyone can see that A is connecting to B.

    2. It is trivial to defeat by subverting the certification process, as shown by Lenovo and a number of network equipment manufacturers.

    Even though there are perfectly adequate uses for it (e.g., in RESTful APIs), given that the biggest challenge to privacy and security emanates these days from institutional actors, who are most interested on 1. and perfectly capable of 2., HTTPS for the sake of HTTPS borders on the pointless.

    1. Paul

      Re: HTTPS? Welcome to the last decade.

      before you get as far as HTTP or HTTPs, the computer will do a DNS lookup which will tell you what website the user is trying to access.

      the http connection is to an IP address, so that doesn't say too much, although SNI can occur in which case someone snooping learns something about what website the user is accessing.

      1. Anonymous Coward
        Anonymous Coward

        Re: HTTPS? Welcome to the last decade.

        > before you get as far as HTTP or HTTPs, the computer will do a DNS lookup

        Yeah, good point about DNS. The above scenario was under the assumption of a simplistic and perhaps somewhat unlikely TCP port 80 intercept.

  4. Dan Paul

    Personal Security Certificate

    Just wait until all the whining brings the advent of the "Personal Security Certificate"

    which you will have to purchase every year in order to be allowed to use the Internet. It will be as difficult to get as a new Social Security Number, get melded into a "National Identity Card", give the alphabet agencies your real identity immediately, and automatically stamps "666" into the back of your head in the middle of the night.

    All that and it will cost at least $100.00 annually. And it still won't be enough identification to allow online voting as it would prevent dead people from voting.

    Papers please!

    1. Anonymous Coward
      Anonymous Coward

      Re: Personal Security Certificate

      > Just wait until all the whining brings the advent of the "Personal Security Certificate"

      I have the impression you may know this already, but HTTPS does allow client authentication, and it is not infrequently used, e.g., in banking, government services, intranets, APIs, etc.

      It is in fact very common in Baltic countries, but not only. I have two government issued X.509 certificates from countries where I used to live that were used in exactly the way you describe (the physical tokens double as ID cards). It works OK for those limited cases where authentication really is necessary, such as filing taxes or requesting personal records, or banking, but one needs to remember to pull the card out of the reader as soon as one is finished (also, configuring your browser to ask you every time which certificate to present) as otherwise nothing prevents https://allyourdataarebelongto.us from sucking that information as soon as you navigate to their site to check the latest cat pictures.

  5. TeeCee Gold badge
    Facepalm

    the HTTPS-Only website's claims that "there is no such thing as insensitive web traffic".

    Presumably the people behind this are bureaucrats rather than techies, hence the fatuous bollocks.

    1. Robert Helpmann??
      Childcatcher

      bureaucrats rather than techies

      Presumably the people behind this are bureaucrats rather than techies, hence the fatuous bollocks.

      TeeCee, I will go you one further: there will be a waiver process, but the only waivers that will be granted are to the very government web sites that the process originally was meant to address because it would cause too much disruption to the customers and it entails a lot of work for the developers to implement HTTPS. After that, there will be an audit which will precipitate the immediate and ill-planned roll-out of the protocol resulting in many government portals going dark for weeks.

      1. chris 17 Silver badge

        Re: bureaucrats rather than techies

        It's trivial to put a load balancer or other device that can do https in front of the target http server(s).

        Making a mountain out of a mole hill this is.

        1. Anonymous Coward
          Anonymous Coward

          Re: bureaucrats rather than techies

          Tried the load balancer approach recently. Good idea, should've been easy, but no such luck.

  6. AnoniMouse

    So Google Ads all delivered via HTTPS. Web browsing slows down because of all those HTTPS connects. And - guess who - Google have just the answer: QUIC. How fortunate for ... Google.

    HTTPS-only is a mixed blessing, since it protects the bad as well as the good: it will be all the easier for barbed Ads to reach their targets.

    1. Paul

      QUIC has been deprecated in favour of HTTP2

      1. A Known Coward

        No it hasn't, Google are seeking to make QUIC the sucessor to HTTP2 and are pushing for standardisation. Additionally they are converting all Android and chrome apps using google services over to use QUIC instead of HTTP (1 or 2).

  7. Mark 85 Silver badge

    I've seen it happen in both government and when I worked for a university,

    Ah.. there's the problem. Not of the real world... So maybe the government and all the universities need to drop any pretext of security then....

  8. Your alien overlord - fear me

    I think it's an admin from the NSA, not NASA because it's easier to spy on the innocent using http.

  9. Mike 16 Silver badge

    So, Instead

    of the terrifying prospect of somebody, somewhere, knowing I sometimes visit static pages about such esoterica as computing history or steam engines, those sites should just disappear for want of willingness or ability to pay the right bribes to the right gate-keepers. Right.

    Yes, I know "it will all get better and eventually be sorted out". A dollar for for every time I've heard _that_ from a techno-hustler and I'd be able to retire. Oh, I am retired

  10. Kevin McMurtrie Silver badge

    No middle road to stop the man in the middle

    What the Internet really needs is widely supported digital signature standards. Most content is not private - you just don't want anyone altering the content during transport. A really, really simple way to do this for HTTP 1.1 content would be to add a digest field to chunked encoding headers. You'd get backwards compatibility, streaming support, and an insignificant protocol overhead.

    1. David Dawson

      Re: No middle road to stop the man in the middle

      With a clear text protocol it's then trivial to alter the digest in flight.

      To make this work, you need to establish a cryptographic chain of trust to ensure that the server you think is sending you data actually is.

      Establishing that trust is the key, and is what ssl certs are used for. You delegate trust to a central authority that acts as a mediator. That they are also used to establish a fully encrypted transport is a separate thing to my mind.

      All the financial and operational costs will still be there. The minimal runtime overhead of always on encryption on't be, but it's really small.

  11. Velv
    Boffin

    While I get where he's coming from, through his own arguements he's shot himself in the foot.

    "Due to many institutions having policies against FTP and peer-to-peer protocols, HTTP has become the de facto standard in sharing scientific data."

    So, the arguements is that some organisations need a waiver policy to permit FTP and peer-to-peer (and any other traffic type) depending on the requirements of the application (and I mean proper requirements like time critical delivery and minimal packet size, not just lazy coders who can't be arsed to learn about security when it's actually important). p.s. Those protocols may be secured on dedicated networks or in many other ways

    1. strum

      >So, the arguements is that some organisations need a waiver policy to permit FTP and peer-to-peer

      No. That isn't his argument. His argument is that many computers (libraries, schools, etc.) are locked down to forbid FTP & peer-to-peer, HTTP is the only viable transport for these computers to use.

      1. Anonymous Coward
        Anonymous Coward

        That's Velv's argument, and I'll second it. The web is not the internet - no need to play ball with bureaucrats who insist it is. Let their censored networks become useless.

  12. I. Aproveofitspendingonspecificprojects

    The Register was unable to contact NASA as of publication.

    Please explain.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like