So we can't trust HTTPS then.
NT
Black Hat Barack has issued a Memorandum – an executive order in all but name, and an instrument the president has used more than any of his predecessors – to all Federal website sysadmins, informing them to deprecate HTTP and roll on with HTTPS. The HTTPS-Only Standard was proposed by the US' Chief Information Officer Tony …
"You can't trust anything or anyone."
So why are you even communicating? That ALONE implies some level of trust. If you really CAN'T trust anything OR anyone, you'd be alone in an old lead mine in the middle of nowhere, subsisting using nothing but your wits and your experience.
You could take the NSA's approach where the reason for communication is to spread disinformation but everyone listening to that communication knows that it's disinformation. Fortunately we know that they know it's disinformation so we know the truth won't be believed. Of course, they know that we know that they know so would expect the truth and we can't have that. But if we know they know we know that they know would they know that too? Hmm, this leaves us with two options, say nothing or say everything with a sly smile so they think you're up to something.
Does this assist the final exhaustion of the US of A's IPv4 stock or (via SNA) disenfranchise the millions of XP/IE8 taxpayers who are unable or unwilling to upgrade, or shall we be finally mandated into IPv6?
Might be good for all concerned if the Feds gave Let's Encrypt the certificate contract!
What does HTTPS have to do with IPv6?
There is no named virtual host support in https 1.1. So you pretty much have to have website == IP.
As a result, as quite rightly noted by the GP, you run out of v4 addresses very fast and you have to start deploying v6 or consolidating websites.
"There is no named virtual host support in https 1.1 So you pretty much have to have website == IP"
What.
There's no such thing as "https 1.1"; what are you talking about?
SNI support starts around where TLS 1.0 was supported (FF2, IE7 et al). It's ancient technology and every browser you care about supports it.
"SNI support starts around where TLS 1.0 was supported (FF2, IE7 et al). It's ancient technology and every browser you care about supports it."
Thank you for correcting my dyslectic moment. Taxpayers are users, not browsers. The majority in some demographics are still using non-SNI-compliant browsers (notably XP/IE8). It may be because they are old, it may be that they are poor or just deaf, but they are amongst the people most in need of government services. "Get a new browser" is not useful and many wouldn't even know what you are talking about.
Which means, to be on the safe side, if you are attempting to offer a universal service you should not rely on SNI. That means an IP for every HTTPS host and one less for everybody else. Downvoting me for pointing out this awkward fact won't make it disappear.
Stuart 22
If your equipment does not support SNI it does not need to be on the internet at all and almost certainly is at risk of being exploited by an unpatched vulnerability. XP is dead, so is IE. There is some reprieve as you can still run Chrome or Firefox on it, solving the SNI issue for now. I personally don't care if they don't know what a new browser is. At this point all their computer is, is a jump point for spam and viruses.
If your car is a dangerous old piece of crap the state doesn't have to register it for use on the road. While we don't have registration to get on the Internet (thank god), we can change people's behavior by making them upgrade to at least somewhat more secure browsers if they want their social security or food stamps.
Pixl97, Please come back to reality along with the US government.
A person with an XP/IE8 box likely can't afford anything newer.
Just because you or Barry demand it does not mean it's feasible to change.
Just like an old car they both continue to work even though they might be obsolete and outdated.
Figure a different way to make it safe and stop telling people to change when they clearly are unable to.
Otherwise you are just being a dick about it.
>Figure a different way to make it safe and stop telling people to change when they clearly are unable to.
Sorry, that's not how security works. When something is insecure it is insecure no matter how poor or stupid people are. Yes, that is a dickish attitude, yet none the less true. Old versions of IE are broken far past SNI issues: they don't support the new TLS versions that fix many security issues, and they don't support PFS.
Even with SNI you get a base website that can give you a message. In this case the message should be download Chrome or Firefox or get a new operating system.
"When something is insecure it is insecure no matter how poor or stupid people are. Yes, that is a dickish attitude, yet none the less true."
Sorry, but that's not how PEOPLE work. Telling people to do something contrary to what they're used to usually leads to defiance or subversion. Just as trying to force people to change passwords usually results in simple schemes or Post-It notes.
Security is NOTHING if you can't solve for the user. Unfortunately, it seems you can't fix stupid.
"Even with SNI you get a base website that can give you a message. In this case the message should be download Chrome or Firefox or get a new operating system."
And if the system is locked down and can't change its software AND is routinely used for Internet-based operations on orders from up top?
The majority in some demographics are still using non-SNI compliant browsers (notably XP/IE8)
What demographic? Is it actually true, even? These numbers are based on estimation rather than direct measurement.
I own a site that's used heavily by normal people in South America, Africa and Asia; if it was salt measurements on a packet of crisps it'd say "trace". Even directly measuring this stuff is sketchy; < 1% of my IE users are using version 999.1.
999.1; let that sink in... That's measured by JS not the UA string.
Even if any of this is relevant it doesn't mean it's actually sane to pander to these people. Most people on XP should expect they have a serious security problem anyway and use Firefox/Chrome/Something Else.
They'd just use those Linux DVD/CDs as coasters or make pretty mobiles. I wouldn't inflict that migration on anyone, or did you mean that to include trashing their data?
Naw, just send 'em a new computer if you're that desperate to migrate them. Oh, and a nice government person who's there to help them. [Funded by those nice NSA billions.]
/sarcasm
Not everything I use (UK) government websites for needs encryption (in fact the majority of it doesn't).
Certainly tax returns etc need to be secured, but checking the requirements for various items (passport application, driving license application, various benefits and tax breaks) would benefit more from a simple page, and a local cache than they would from encryption...
The point is that what one wishes to keep private differs from person to person. So while some stuff should obviously be secure as you mention and some other doesn't - it saves having a department (with all its protocols, mission aims, HR policies and coffee machines) to decide on the stuff in the middle and coming up with enough inconsistencies to keep the El Reg journos in beer for the next decade.
Oh and some stuff which doesn't have, say, user interaction now may in the future and going from http to https is not always simple. So build it secure in the first place or when there is a major revision.
Just sayin'
If it takes user data then it goes HTTPS - but for the most part we could do with HTTPA (A for authenticated) rather than S. Note that a selection of links "salary between" is considered user data.
As for someone finding out I'm on holiday - I don't put it in my out of office system, but it's still pretty obvious to anyone who walks down the road... I'd rather they robbed me while I wasn't there anyway.
Checking what benefits I'm looking for - are they for me or a friend/colleague? I recently looked up data on the married persons allowance - that potentially means I'm married, or that I might intend to get married, or that I know someone in one of those two camps...
Given that my marriage is a matter of public record anyway I hardly find that earth shattering.
I'm happy for various information to come as postcards, particularly as, by doing so, I improve the rate of delivery I get, and reduce the cost to the public purse.
"HTTPS also guarantees that the data hasn't been tampered with."
It doesn't NECESSARILY guarantee that, especially for ephemeral sites where someone can start an HTTPS proxy with a fake certificate.
But here, we're talking the US Government who WILL have a genuine secure certificate whose public traces are pretty much all around the country (basically, anyone who does web business with the US will have a trace). The preponderance of evidence already out there would help make it easier to notice if someone's trying to impersonate the government with a secure proxy. Basically, with all government communication in future over HTTPS, odds will be passing fair no one's listening in on the encrypted connection. That can only help.
"Basically, with all government communication in future over HTTPS, odds will be passing fair no one's listening in on the encrypted connection"
except the government of course... but that can't be helped, obs.
- well, unless you get your version of govt. information from Wikileaks. (Maybe faster + better interface, too?)
You'd still prefer that the government doesn't know your business. Even your business with the government.
However, "Data Protection Act" type rules that limit how personal data can be held and used generally don't apply to the governments that make the rules. Because why would they limit their powers? To be topical, you need a Magna Carta type constitutional provision for that. A law that limits what even the government can do.
"With http you might be able to stay anonymous."
How, when you STILL have to tell the website who you are? As for proxies and such, one mandatory JavaScript (as in enable it or you can't get in) and your IP is traced just as easily, even through stuff such as TOR. And then there's the whole user registration jazz that can ID you to the person (and for the really important stuff will probably link you to government-known IDs like SSN or mailing address), IP be damned.
BWAH-HA! BWAH-HA-HA! BWAH-HA-HA-HAH! BWAH-HA-HA-HAH-HA! BWAH-HA-HA-HAH-HA-HA! BWAH-HA-HA-HAH-HA-HA-HA-HA-HA!
You so funny! Six years now I be govie contractor. Six years now the first thing I have to do before I take my IT Security Awareness Training is ignore the broken certificate on the website.
BTW: Overheard in the hall today: "Yeah we could get a DOD certificate for free, but most people don't have the root DOD certificates in their browsers." I don't know personally, but since he's the chief sys admin (yes he hates that monkey Windows crap and prefers Linux) I expect he probably knows what he's talking about.
Correct, not everything NEEDS to be encrypted, but the vast majority of users are neither willing nor capable of making an informed decision on which bits should be. Taking a safety first stance, encrypting everything is (in theory at least) safer and cheaper for the public than trying to educate them.
The only caveat is that there should be an option to turn it off (an exception process) where it is proven that the encryption is detrimental to the service and not required. But I can't think of a public facing service that would fit into this category.
>"checking the requirements for various items (passport application, driving license application, various benefits and tax breaks) would benefit more from a simple page, and a local cache than they would from encryption..."
So I know you're going on holiday soon so I can plan who and when to burgle. I know you'll be getting a new car in the not-so-distant future, so I can advertise accordingly. And I know what tax breaks you're looking into, so I know how many dependents you have and also have a reasonable handle on how much you earn.
In addition, I can splice your internet connection, adjust the content being delivered to you and give you advice that strongly encourages the use of my (paid-for) services.
There's almost no downside (HTTPS is easy as pie to set up these days and computers have long-since gotten past the point where you'll notice a performance hit). I don't see what your argument here is based on.
Every site you use everywhere needs encryption. This site needs encryption.
The more encryption you have elsewhere helps secure the stuff that really really needs to be secure, aside from the fact I could figure out when to rob you by the stuff you don't have encrypted.
Because you're not bright enough to see the implications of sending everything in the clear doesn't mean everybody should be under threat.
For browsing static content, yes, unprotected HTTP is normally fine (give or take HTTP tampering, like the NSA's "QUANTUM INSERT" stuff, and the usual adware crud). Having said that, though, you need to be running over HTTPS to get the benefit of things like SPDY - so if you're using Chrome or Firefox, you'll probably see a performance *gain* overall from browsing via HTTPS rather than HTTP, even on typical static pages.
Even without SPDY, once you start encrypting some of your pages/sites, the extra cost to encrypt the whole lot should be pretty trivial - I rather like the idea of encrypting all the traffic as far as possible, not just selected bits.
Ordering all federal websites to use HTTPS does _not_ mean they want to ensure the users' privacy. It just means that since they have the data anyway (they're running the servers, after all), they just want to make sure that nobody _else_ gets to listen in too.
While still a good thing for users (and encouragement for other sites to go the same way), just don't be fooled into thinking that this will make your traffic more secure against official US snooping.
I know, for most readers of this comment this is obvious - but not for the general public. They just see the shiny lock icon or green address bar and think they're "safe."
No, let ME clarify just one thing for you. First, I want you to go read this web page:
http://www.dhs.gov/homeland-security-presidential-directive-12
Done? Okay, you see where that's a Presidential Directive? Not a Memorandum, a Presidential Directive?
Did you notice the date on it? Yeah, yeah, I know you're more concerned that it was W than the date, but look at the date anyway. That's right: 2004. Almost 11 full years ago. It was supposed to be implemented in 5 years. No, it still hasn't been fully implemented. Yes, to this day many of us still use username and password for elevated privileges.
This https directive won't fare any better for the same reason that one didn't:
- standard foot dragging
- rules lawyering (e.g., this is an intranet page, not a web page so it doesn't need a cert)
- agencies don't have the money to implement the directive
HSTS is still vulnerable as ISPs and malware can hijack the handshake that occurs just before the transition to HTTPS. It's best to go HTTPS from the get-go. As for broken links, don't many browsers automatically try the HTTPS version if the HTTP version draws an error? Suppose all previous HTTP pages return a 301 which refers to its HTTPS counterpart? Is that a correct 301 response?
>HSTS is still vulnerable
No, not if your url is part of the HSTS list.
https://hstspreload.appspot.com/
>As for broken links, don't many browsers automatically try the HTTPS version if the HTTP version draws an error?
Not that I'm aware of, unless the server sends an HSTS flag; with that flag it retries the link as https and automatically uses https for all further urls to that domain.
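The exchange above turns on two checks a site operator can make before relying on HSTS: does plain HTTP answer with a permanent redirect to the same host over HTTPS, and does the Strict-Transport-Security header meet the preload list's published requirements (max-age of at least one year, includeSubDomains, preload)? This is an added example, not code from the thread or from hstspreload.appspot.com; the host names and responses in SAMPLES are constructed.

```python
import re

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts

def parse_hsts(value):
    """Split a Strict-Transport-Security header value into its directives."""
    d = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if val.isdigit():
                d["max_age"] = int(val)
        elif name == "includesubdomains":
            d["include_subdomains"] = True
        elif name == "preload":
            d["preload"] = True
    return d

def preload_eligible(value):
    """True only if the header satisfies all three preload requirements."""
    d = parse_hsts(value)
    return (d["max_age"] is not None and d["max_age"] >= ONE_YEAR
            and d["include_subdomains"] and d["preload"])

def redirects_to_https(status, location, host):
    """True if an HTTP response is a permanent redirect to the same host over HTTPS.
    302/307 are rejected: a temporary redirect is not cached and leaves the
    first plain-HTTP request exposed on every visit."""
    if status not in (301, 308) or not location:
        return False
    m = re.match(r"https://([^/:?#]+)", location, re.IGNORECASE)
    return bool(m) and m.group(1).lower() == host.lower()

# Constructed sample responses: (host, http status, Location, HSTS header on the HTTPS side)
SAMPLES = [
    ("weak.example.gov", 302, "https://weak.example.gov/", "max-age=300"),
    ("good.example.gov", 301, "https://good.example.gov/",
     "max-age=31536000; includeSubDomains; preload"),
]

def audit(samples=SAMPLES):
    """Return {host: (permanent HTTPS redirect?, preload-eligible HSTS?)}."""
    return {host: (redirects_to_https(status, loc, host), preload_eligible(hsts))
            for host, status, loc, hsts in samples}

if __name__ == "__main__":
    for host, (redir, hsts_ok) in audit().items():
        print(f"{host}: https redirect={redir}, preload-eligible HSTS={hsts_ok}")
```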
I keep running into this myself, as well as people yelling/calling for me with a big WTF? Hopefully they'll try their site from outside the firewall sometimes, although the GAO has been to the Emperor's New Security clothes for years now. And it still ain't fixed, so good luck with that.
Seeing as though the ACLU is wrong about 99% of the time and the POTUS is wrong even more often in addition to illegally using his position to circumvent or enact new laws, I'd say switching to HTTPS is not going to fix anything. In fact it's sad to know that HTTPS is already compromised and a new internet standard is being formulated as HTTPS is anything but secure.
I have noticed how some of the terminally uninformable in the USA seem to be shouting to the rest of the planet that they will do specifically the opposite of what their democratically elected, US born, Christian president advises.
If Barry suggests that HTTPS is a good thing, there will be some who make a point of never using it again. If he then suggests encrypting all email, the crazies will doggedly use plain text.
The process could carry on until they are walking about in their underwear and making their plans over the PA system.
We are unlikely to know if their Pres' has thought of this but it sounds a fun idea.