back to article Obama issues HTTPS-only order to US Federal sysadmins

Black Hat Barack has issued a Memorandum – an executive order in all but name, and an instrument the president has used more than any of his predecessors – to all Federal website sysadmins, informing them to deprecate HTTP and roll on with HTTPS. The HTTPS-Only Standard was proposed by the US' Chief Information Officer Tony …

  1. Tom 7

    So we cant trust HTTPS then.

    NT

    1. Captain Hogwash Silver badge
      Holmes

      Re: So we cant trust HTTPS then.

      You can't trust anything or anyone.

      1. Ole Juul

        Re: So we cant trust HTTPS then.

        Actually, you can trust everything or everybody if you want. You just have to live with the consequences thereof.

      2. Charles 9

        Re: So we cant trust HTTPS then.

        "You can't trust anything or anyone."

        So why are you even communicating? That ALONE implies some level of trust. If you really CAN'T trust anything OR anyone, you'd be alone in an old lead mine in the middle of nowhere, subsisting using nothing but your wits and your experience.

        1. Eddy Ito

          Re: So we cant trust HTTPS then.

          You could take the NSA's approach where the reason for communication is to spread disinformation but everyone listening to that communication knows that it's disinformation. Fortunately we know that they know it's disinformation so we know the truth won't be believed. Of course, they know that we know that they know so would expect the truth and we can't have that. But if we know they know we know that they know would they know that too? Hmm, this leaves us with two options, say nothing or say everything with a sly smile so they think you're up to something.

          1. channel extended

            Re: So we cant trust HTTPS then.

            I say we should start making random statements, NOT* threats! This will confuse things enough that the resulting confusion will deserve a BIG box of popcorn.

            * Now I have covered my a$$. BTW wheres the popcorn icon?

        2. Tom 13

          Re: So we cant trust HTTPS then.

          You can't trust lead mines. Poison you they will. What you really want is just a deep salt mine.

          1. Anonymous Coward
            Anonymous Coward

            Re: So we cant trust HTTPS then.

            "You can't trust lead mines. Poison you they will. What you really want is just a deep salt mine."

            Don't you need heavy metal to block the x-rays and the ground-penetrating radar?

  2. Stuart 22

    For the want of another IP ...

    Does this assist the final exhausion of the US of A's IPv4 stock or (via SNA) disenfranchise the millions of XP/IE8 taxpayers who are unable or unwilling to upgrade or shall we be finally mandated into IPv6?

    Might be good for all concerned if the Feds gave Let's Encrypt the certificate contract!

    1. Anonymous Coward
      WTF?

      Re: For the want of another IP ...

      Eh?

      What does HTTPS have to do with IPv6?

      1. Voland's right hand Silver badge

        Re: For the want of another IP ...

        What does HTTPS have to do with IPv6?

        There is no named virtual host support in https 1.1 So you pretty much have to have website == IP.

        As result as quite rightly noted by the GP you run out of v4 addresses very fast and you have to start deploying v6 or consolidating websites.

        1. streaky

          Re: For the want of another IP ...

          "There is no named virtual host support in https 1.1 So you pretty much have to have website == IP"

          What.

          There's no such thing as "https 1.1" what are you talking about.

          SNI support starts around where TLS 1.0 was supported (FF2, IE7 et al). It's ancient technology and every browser you care about supports it.

          1. Stuart 22

            Re: For the want of another IP ...

            "SNI support starts around where TLS 1.0 was supported (FF2, IE7 et al). It's ancient technology and every browser you care about supports it."

            Thank you for correcting my dyslectic moment. Taxpayers are users not browsers. The majority in some demographics are still using non-SNI compliant browsers (notably XP/IE8). It may be because they are old, it may be that they are poor or just deaf but they are amongst the people most in need of government services. "Get a new browser" is not useful and many wouldn't even know what you are talking about.

            Which means, to be on the safe side, if you attempting to offer a universal service you should not rely on SNI. That means an IP for every HTTPS host and one less for everybody else. Downvoting me for pointing out this awkward fact won't make it disappear.

            1. pixl97

              Re: For the want of another IP ...

              Stuart 22

              If your equipment does not support SNI it does not need to be on the internet at all and almost certainly is at risk of being exploited by an unpatched vulnerability. XP is dead, so is IE. There is some reprieve as you can still run Chrome or Firefox on it, solving the SNI issue for now. I personally don't care if they don't know what a new browser is. At this point all their computer is, is a jump point for spam and viruses.

              If your car is a dangerous old piece of crap the state doesn't have to register it for use on the road. While we don't have registration to get on the Internet (thank god), we can change people's behavior by making them upgrade to, at least somewhat more secure browsers if they want their social security or food stamps.

              1. Dan Paul

                Re: For the want of another IP ...

                Pixl97, Please come back to reality along with the US government.

                A person with an XP/IE8 box likely can't afford anything newer.

                Just because you or Barry demand it does not mean it's feasible to change.

                Just like an old car they both continue to work even though they might be obsolete and outdated.

                Figure a different way to make it safe and stop telling people to change when they clearly are unable to.

                Otherwise you are just being a dick about it.

                1. pixl97

                  Re: For the want of another IP ...

                  >Figure a different way to make it safe and stop telling people to change when they clearly are unable to.

                  Sorry, that's not how security works. When something is insecure it is insecure no matter how poor or stupid people are. Yes, that is a dickish attitude, yet no the less true. Old versions of IE are broken far past SNI issues, they don't support the new TLS versions that fix many security issues, and they don't support PFS.

                  Even with SNI you get a base website that can give you a message. In this case the message should be download Chrome or Firefox or get a new operating system.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: For the want of another IP ...

                    "When something is insecure it is insecure no matter how poor or stupid people are. Yes, that is a dickish attitude, yet no the less true."

                    Sorry, but that's not how PEOPLE work. Telling people to do something contrary to what they're used to usually leads to defiance or subversion. Just as trying to force people to change passwords usually results in simple schemes or Post-It notes.

                    Security is NOTHING if you can't solve for the user. Unfortunately, it seems you can't fix stupid.

                    "Even with SNI you get a base website that can give you a message. In this case the message should be download Chrome or Firefox or get a new operating system."

                    And if the system is locked down and can't change its software AND is routinely used for Internet-based operations on orders from up top?

            2. streaky

              Re: For the want of another IP ...

              The majority in some demographics are still using non-SNI compliant browsers (notably XP/IE8)

              What demographic, is it actually true even. These numbers are based on estimation rather than direct measurement.

              I own a site that's used heavily by normal people in South America, Africa and Asia; if it was salt measurements on a packet of crisps it'd say "trace". Even directly measuring this stuff is sketchy; < 1% of my IE users are using version 999.1.

              999.1; let that sink in... That's measured by JS not the UA string.

              Even if any of this is relevant it doesn't mean it's actually sane to pander to these people. Most people on XP should expect they have a serious security problem anyway and use Firefox/Chrome/Something Else.

    2. Test Man

      Re: For the want of another IP ...

      What does XP/IE8 have to do with the exhaustion on IPv4?

      You DO know that IPv6 has nothing to do with OSes, and in fact even Windows 95 has IPv6 capability?

    3. Tom Chiverton 1 Silver badge

      Re: For the want of another IP ...

      " millions of XP/IE8 taxpayers "

      Get them off that virus attracting shit. Post them a Linux CD :-)

      1. sabroni Silver badge
        Happy

        Re: Post them a Linux CD

        Hate Mail.

      2. Anonymous Coward
        Anonymous Coward

        Re: For the want of another IP ...

        They'd just use those Linux DVD/CD's as coasters or make pretty mobiles. I wouldn't inflict that migration on anyone or did you mean that to include trashing their data?

        Naw, just send 'em a new computer if you're that desperate to migrate them. Oh, and a nice government person who's there to help them. [Funded by those nice NSA billions.]

        /sarcasm

  3. John Robson Silver badge

    Why?

    Not everything I use (UK) government websites for needs encryption (in fact the majority of it doesn't)

    Certainly tax returns etc need to be secured, but checking the requirements for various items (passport application, driving license application, various benefits and tax breaks) would benefit more from a simple page, and a local cache than they would from encryption...

    1. Stuart 22

      Re: Why?

      The point is that what one wishes to keep private differs from person to person. So while some stuff should obviously be secure as you mention and some other doesn't - it saves having a department (with all its protocols, mission aims, HR policies and coffee machines) to decide on the stuff in the middle and coming up with enough inconsistencies to keep the El Reg journos in beer for the next decade.

      Oh and some stuff which doesn't have, say, user interaction now may in the future and going from http to https is not always simple. So build it secure in the first place or when there is a major revision.

      Just sayin'

      1. John Robson Silver badge

        Re: Why?

        If it takes user data then it goes HTTPS - but for the most part we could do with HTTPA (A for authenticated) rather than S. Note that a selection of links "salary between" is considered user data.

        As for someone finding out I'm on holiday - I don't put it in my out of office system, but it's still pretty obvious to anyone who walks down the road... I'd rather they robbed me while I wasn't there anyway.

        Checking what benefits I'm looking for - are they for me or a friend/colleague? I recently looked up data on the married persons allowance - that potentially means I'm married, or that I might intend to get married, or that I know someone in one of those two camps...

        Given that my marriage is a matter of public record anyway I hardly find that earth shattering.

        I'm happy for various information to come as postcards, particularly as, by doing so, I improve the rate of delivery I get, and reduce the cost to the public purse.

    2. Jon 37 Silver badge

      Re: Why?

      HTTPS also guarantees that the data hasn't been tampered with. E.g. if a malicious or just buggy HTTP transparent proxy mangles the page, you may not notice; with HTTPS you would. For legal advice, that matters.

      1. Charles 9

        Re: Why?

        "HTTPS also guarantees that the data hasn't been tampered with."

        It doesn't NECESSARILY guarantee that, especially for ephemeral sites where someone can start an HTTPS proxy with a fake certificate.

        But here, we're talking the US Government who WILL have a genuine secure certificate whose public traces are pretty much all around the country (basically, anyone who does web business with the US will have a trace). The preponderance of evidence already out there would help make it easier to notice if someone's trying to impersonate the government with a secure proxy. Basically, with all government communication in future over HTTPS, odds will be passing fair no one's listening in on the encrypted connection. That can only help.

        1. Robert Carnegie Silver badge

          Re: Why?

          "Basically, with all government communication in future over HTTPS, odds will be passing fair no one's listening in on the encrypted connection"

          except the government of course... but that can't be helped, obs.

          - well, unless you get your version of govt. information from Wikileaks. (Maybe faster + better interface, too?)

          1. Charles 9

            Re: Why?

            "except the government of course... but that can't be helped, obs."

            Except they don't have to listen on the encrypted connection. As they're one end of the conversation, they can just read things in the clear AFTER they're decrypted.

            1. Robert Carnegie Silver badge

              Re: Why?

              You'd still prefer that the government doesn't know your business. Even your business with the government.

              However, "Data Protection Act" type rules that limit how personal data can be held and used generally don't apply to the governments that make the rules. Because why would they limit their powers? To be topical, you need a Magna Carta type constitutional provision for that. A law that limits what even the government can do.

          2. Tom 13

            @Robert Carnegie

            And I seem to recall one of the old arguments in favor of http over https was that with https the browser has to tell the website who you are. With http you might be able to stay anonymous.

            1. Charles 9

              Re: @Robert Carnegie

              "With http you might be able to stay anonymous."

              How when you STILL have to tell the website who you are? As for proxies and such, one mandatory JavaScript (as in enable it or you can't get in) and you're IP is traced just as easily: even through stuff such as TOR. And then there's the whole user registration jazz that can ID you to the person (and for the really important stuff will probably link you to government-known IDs like SSN or mailing address), IP be damned.

        2. Tom 13

          Re: US Government who WILL have a genuine secure certificate

          BWAH-HA! BWAH-HA-HA! BWAH-HA-HA-HAH! BWAH-HA-HA-HAH-HA! BWAH-HA-HA-HAH-HA-HA! BWAH-HA-HA-HAH-HA-HA-HA-HA-HA!

          You so funny! Six years now I be govie contractor. Six years now the first thing I have to do before I take my IT Security Awareness Training is ignore the broken certificate on the website.

          BTW: Overheard in the hall today: "Yeah we could get a DOD certificate for free, but most people don't have the root DOD certificates in their browsers." I don't know personally, but since he's the chief sys admin (yes he hates that monkey Windows crap and prefers Linux) I expect he probably knows what he's talking about.

    3. Velv
      Childcatcher

      Re: Why?

      Correct, not everything NEEDS to be encrypted, but the vast majority of users are neither willing nor capable of making an informed decision on which bits should be. Taking a safety first stance, encrypting everything is (in theory at least) safer and cheaper for the public than trying to educate them.

      The only caveat is that there should be an option to turn it off (an exception process) where it is proven that the encryption is detrimental to the service and not required. But I can't think of a public facing service that would fit into this category

    4. DanDanDan

      Re: Why?

      >"checking the requirements for various items (passport application, driving license application, various benefits and tax breaks) would benefit more from a simple page, and a local cache than they would from encryption..."

      So I know you're going on holiday soon so I can plan who and when to burgle. I know you'll be getting a new car in the not-so-distant future, so I can advertise accordingly. And I know what tax breaks you're looking into, so I know how many dependents you have and also have a reasonable handle on how much you earn.

      In addition, I can splice your internet connection, adjust the content being delivered to you and give you advice that strongly encourages the use of my (paid-for) services.

      There's almost no downside (HTTPS is easy as pie to set up these days and computers have long-since gotten past the point where you'll notice a performance hit). I don't see what your argument here is based on.

    5. streaky

      Re: Why?

      Every site you use everywhere needs encryption. This site needs encryption.

      The more encryption you have elsewhere helps secure the stuff that really really needs to be secure, aside from the fact I could figure out when to rob you by the stuff you don't have encrypted.

      Because you're not bright enough to see the implications of sending everything in the clear doesn't mean everybody should be under threat.

    6. Robert Carnegie Silver badge

      "NHS Choices"

      http://www.nhs.uk/conditions/Impetigo/Pages/Introduction.aspx NSFW (maybe)

    7. James 100

      Re: Why?

      For browsing static content, yes, unprotected HTTP is normally fine (give or take HTTP tampering, like the NSA's "QUANTUM INSERT" stuff, and the usual adware crud). Having said that, though, you need to be running over HTTPS to get the benefit of things like SPDY - so if you're using Chrome or Firefox, you'll probably see a performance *gain* overall from browsing via HTTPS rather than HTTP, even on typical static pages.

      Even without SPDY, once you start encrypting some of your pages/sites, the extra cost to encrypt the whole lot should be pretty trivial - I rather like the idea of encrypting all the traffic as far as possible, not just selected bits.

      1. Charles 9

        Re: Why?

        SPDY is being replaced with a related system and incorporated into HTTP/2, which WILL require encrypted connections from the go.

        As for caching, you can always hash static content.

  4. A Non e-mouse Silver badge

    Encryption Protocol

    Whilst they may have said that all servers need to be running HTTPS, there's no mention on what encryption protocol to run with HTTPS. After all, they don't want to make the NSA's life harder than it already is.

    ROT13 anyone?

    1. craigb

      Re: Encryption Protocol

      Everything is bigger and better in the US of A.

      I recommend ROT26.

      Twice as secure as ROT13.

      1. Tom 13

        @craigb

        No, that's TEXAS. Here in DC we have to use ROT7 to save money.

    2. streaky

      Re: Encryption Protocol

      I'd imagine that would come under the purview of the usual NIST guidelines, once the declaration is used it would go into more detail about what to use and what not to use.

  5. Alister

    Call-Me-Dave is going to have to do some serious back-pedalling, now POTUS has come up with this...

    1. Afernie

      "Call-Me-Dave is going to have to do some serious back-pedalling, now POTUS has come up with this..."

      He's unlikely to understand what any of it means, so I doubt it.

  6. regadpellagru

    Why now ?

    TLS today shows its shortcomings (static and unmanaged list of trusted CA, some of them that don't have a clue), after years of good services, and just today, Obama signs this off ?

    Crazy.

  7. Frank Bitterlich

    Just to clarify one thing...

    Ordering all federal website to use HTTPS does _not_ mean they want to ensure the users' privacy. It just means that since they have the data anyway (they're running the servers, after all), they just want to make sure that nobody _else_ gets to listen in too.

    While still a good thing for users (and encouragement for other sites to go the same way), just don't be fooled into thinking that this will make your traffic more secure against official US snooping.

    I know, for most readers of this comment this is obvious - but not for the general public. The just see the shiny lock icon or green address bar and think they're "safe."

    1. Tom 13

      Re: Just to clarify one thing...

      No, let ME clarify just one thing for you. First, I want you to go read this web page:

      http://www.dhs.gov/homeland-security-presidential-directive-12

      Done? Okay, you see where that's a Presidential Directive? Not a Memorandum, a Presidential Directive?

      Did you notice the date on it? Yeah, yeah, I know you're more concerned that it was W than the date, but look at the date anyway.That's right: 2004 Almost 11 full years ago. It was supposed to be implemented in 5 years. No, it still hasn't been fully implemented. Yes to this day many of us still use username and password for elevated privileges.

      This https directive won't fare any better for the same reason that one didn't:

      - standard foot dragging

      - rules lawyering (e.g., this is an intranet page, not a web page so it doesn't need a cert)

      - agencies don't have the money to implement the directive

  8. Anonymous Coward
    Anonymous Coward

    the intent

    "all browsing activity should be considered private and sensitive". - is an important declaration, whether implemented badly or not.

    1. Yet Another Anonymous coward Silver badge

      Re: the intent

      private to everyone except us - is also an important declaration.

  9. Anonymous Coward
    Anonymous Coward

    I just hope

    That they do it the right way, where they shut off port 80 and only accept https connections on port 443.

    1. pixl97

      Re: I just hope

      And break every old link in existence, not a good idea. It's better to use HSTS and certificate pinning. Any port 80's are automatically upgraded to 443 by the browser. Too bad Microsoft is only getting on board with HSTS on Windows 10.

      1. Charles 9

        Re: I just hope

        HSTS is still vulnerable as ISPs and malware can hijack the handshake that occurs just before the transition to HTTPS. It's best to go HTTPS from the go. As for broken links, don't many browsers automatically try the HTTPS version if the HTTP version draws an error? Suppose all previous HTTP pages return a 301 which refers to its HTTPS counterpart? Is that a correct 301 response?

        1. pixl97

          Re: I just hope

          >HSTS is still vulnerable

          No, not if your url is part of the HSTS list.

          https://hstspreload.appspot.com/

          >As for broken links, don't many browsers automatically try the HTTPS version if the HTTP version draws an error?

          Not that I'm aware of unless the server sends a HSTS flag, with that flag it retries the link as https and automatically uses https for all further urls to that domain.

          1. Charles 9

            Re: I just hope

            "No, not if your url is part of the HSTS list."

            But if your site is NOT on the list, the ISP or whatever can intercept the HSTS flag and erase it, preventing your browser from going opportunistically secure.

  10. Captain Server Pants

    When it comes to network security

    Three people can keep a secret if two of them are dead.

  11. Brian Souder 1

    Certificates

    One of my clients that deals with DoJ and DoD stuff was having problems with the websites not long ago. All of the website certificates had expired.

    1. Anonymous Coward
      Anonymous Coward

      Re: Certificates

      I keep running into this myself as well as people yelling /calling for me with a big WTF? Hopefully they'll try their site from outside the firewall sometimes although the GAO has been to the Emperor's New Security clothes for years now. And it still ain't fixed so good luck with that.

  12. nilfs2

    The ones controlling the certificates have the power

    Who controls the certificate issuers? Perhaps they are cooperating with the NSA handing them decription keys.

    1. Charles 9

      Re: The ones controlling the certificates have the power

      Thing is, in this case the US Government controls the NSA: in particular, the President and the Secretary of Defense (the NSA falls under the DoD).

  13. Anonymous Coward
    Anonymous Coward

    Really?

    Seeing as though the ACLU is wrong about 99% of the time and the POTUS is wrong even more often in addition to illegally using his position to circumvent or enact new laws, I'd say switching to HTTPS is not going to fix anything. In fact it's sad to know that HTTPS is already compromised and a new internet standard is being formulated as HTTPS is anything but secure.

  14. Spanners
    Pint

    He has a cunning plan.

    I have noticed how some of the terminally uninformable in the USA seem to be shouting to the rest of the planet that they will do specifically the opposite of what their democratically elected, US born, Christian president advises.

    If Barry suggests that HTTPS is a good thing, there will be some who make a point of never using it again. If he then suggests encrypting all email, the crazies will doggedly use plain text.

    The process could carry on until they are walking about in their underwear and making their plans over the PA system.

    We are unlikely to know if their Pres' has thought of this but it sounds a fun idea.

  15. Richard Altmann

    Funny

    I always read

    Here´s The Tit uPS

  16. DanielR

    Black Hat Barack ! classic !

    Didn't they brag about cracking SSL and VPN encryption ? Is this an irony ? Are they bluffing ?

    These black hat criminals are certainly sick that is for sure.

  17. Wzrd1 Silver badge

    Obama ordered what Bush ordered

    I wonder if all those sysadmins will bother following orders this time?

    Nah, there are far too many princesses out there.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like