How Serious Is James Clapper About Cybersecurity When His Office Can't Even Get Its SSL Certificate Right?
from the just-asking dept
James Clapper and the Office of the Director of National Intelligence (ODNI) have been among the loudest FUD-spewers concerning the “threats” to cybersecurity out there, and the need for massively dangerous “cybersecurity” legislation that would really just open up the ability for the Intelligence Community to get more access to private data. However, security researcher and ACLU guy Chris Soghoian noticed yesterday that the SSL security certificate on the ODNI website isn’t even valid:
The Director of National Intelligence (@ODNIgov) can't be bothered to install a valid HTTPS cert on their website #cyber pic.twitter.com/iiPIkFEfhD
— Christopher Soghoian (@csoghoian) July 23, 2014
Comments on “How Serious Is James Clapper About Cybersecurity When His Office Can't Even Get Its SSL Certificate Right?”
He doesn’t care about cybersecurity. That’s not their real agenda.
Erm..
You realise there is still a problem with the SSL here on Techdirt, right? According to Chrome there are still elements that are not secure! Opera throws an error about Akamai Technologies when I try to visit TD.
Re: Erm..
Techdirt isn’t a “cybersecurity” website. And its SSL certificate is valid.
Re: Re: Erm..
I never said the cert was invalid. I said “there is still a problem with SSL here on Techdirt”
Re: Erm..
Where do you see that? My Chrome doesn’t say anything about elements being insecure. This is a legitimate question not sarcasm. I want to know where my local security might be lacking.
Re: Re: Erm..
“Your connection to www.techdirt.com is secured with 128-bit encryption. However, this page includes other resources that are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.”
and
“This page includes a script from unauthenticated sources.”
I’d post a pic but I don’t think that is possible on Techdirt. This warning has been on the site since it went SSL.
Re: Re: Re: Erm..
I didn’t ask what warning, I asked where. I’m not seeing this anywhere in Chrome or Firefox. Where do I see this message?
And keep in mind that if you use a proxy, it can screw with SSL connections.
Re: Re: Re:2 Erm..
On mine, the padlock symbol on the address bar has a warning symbol. Opera plain refuses to open the page unless I OK the warning.
Re: Re: Re:3 Erm..
Funny, Opera for me just plain shows it as an “insecure” site as if it didn’t use SSL at all.
Re: Re: Re:2 Erm..
Oh, I am sure he is sorry. The message appears on the screen, have you checked your screen?
Re: Re: Re:2 Erm..
I’m seeing it as a yellow, traffic-sign-esque triangle in Chrome on the padlock next to the ‘https://etc.’ The main elements of TD are (I hope) still secure, but the ads and/or 3rd-party elements are unprotected, hence the yellow rather than the more in-your-face red.
Re: Re: Re:3 Erm..
also no proxy, just HTTPS Everywhere and blocking 3rd-party cookies, but it remains present when I disable those.
Re: Re: Re:2 Erm..
The message doesn’t actually display in Chrome or Firefox unless you click the secure connection icon. In Chrome, it should have a yellow triangle to indicate only partial security. And in Firefox, instead of a padlock, it will be a gray triangle-with-an-exclamation point.
It is the ads that are on plain http connections and causing this issue, though. So if you are viewing the site with an ad-blocker, it should actually come up totally secure.
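The warning discussed in this thread is the browser's mixed-content check: an https page pulling subresources over plain http. The following is an added example, not code from the article or from any commenter, showing the check in Python's standard library over a constructed sample page (the hostnames `www.example.test` and `ads.example.test` are placeholders). It distinguishes the active case (scripts, frames, stylesheets, which browsers block outright) from the passive case (images and media, which only get the yellow indicator), and resolves protocol-relative `//host/...` URLs against the page URL so those are correctly not flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresource attributes to inspect, labelled by how browsers treat them:
# "active" content (scripts, frames, stylesheets) can run code or restyle the
# page, so browsers block it; "passive" content (images, media) is only
# flagged, which is the yellow-triangle case described in the thread.
SUBRESOURCES = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",   # only when rel contains "stylesheet", see below
    ("object", "data"): "active",
    ("embed", "src"): "active",
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, absolute_url) for every subresource fetched over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, attr), kind in SUBRESOURCES.items():
            if t != tag or not attrs.get(attr):
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
                continue  # icons, prefetch hints etc. are not active content
            # Resolve relative and protocol-relative ("//host/x.js") URLs against
            # the page URL: on an https page those inherit https and are fine.
            url = urljoin(self.page_url, attrs[attr])
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))


def scan(page_url, html):
    """Return mixed-content findings for an https page; an http page has none by definition."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page standing in for an https article with third-party ads.
SAMPLE_PAGE_URL = "https://www.example.test/article"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="http://ads.example.test/tracker.js"></script>
<script src="//ads.example.test/loader.js"></script>
</head><body>
<img src="http://ads.example.test/banner.gif">
<img src="/images/logo.png">
<a href="http://example.test/elsewhere">a link, not a subresource</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

Run against the sample it reports one active finding (the http script) and one passive one (the http image); the protocol-relative loader, the https stylesheet and the plain `<a>` link are not mixed content. On a real page, an ad blocker removing the two `ads.example.test` tags would leave the scan empty, which matches the comment's observation that blocking ads makes the site show as fully secure.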
Re: Re: Re:2 Erm..
The warning varies. As I understand it, some of the content brought in from external sources (e.g. ads) don’t always comply with the SSL so you might see the Chrome padlock change occasionally from green to yellow. Other browsers will deal with this in different ways, but it will be intermittent depending on what content is served to you, whether you have ad blockers, etc.
Re: Re: Re: Erm..
That warning means the ads and/or other third party resources are not being loaded with SSL. If the ad sources have an SSL, then Techdirt can and should connect to them with https. If such connections are not available, though, I don’t think there’s anything Techdirt can do.
Re: Re: Re:2 Erm..
They could not place SSL with non-SSL. That's basic stuff.
Re: Re: Re:3 Erm..
Assuming that the content you need is available with an SSL connection, sure. But when your site makes third-party requests, you cannot guarantee all your content is available with SSL. That’s up to the third party.
Re: Re: Re:4 Erm..
It's up to the site owner to ensure their site is operating up to the satisfaction of its users.
If you cannot guarantee all the content on the page (however delivered) isn't going to be secure, you can remove the third party content or accept that your users are going to get warnings and either avoid your site, complain, or not care.
Imagine you are at Amazon trying to check out with a credit card and you got this warning. How would you feel if Amazon said, that is the responsibility of the third parties?
Re: Re: Re:5 Erm..
Well, I’m not entering any sensitive info here. Just entering a comment that will be public anyway. Only thing sensitive here is the login info for folks with registered accounts.
And I can check where the form is submitting my data and make sure that that is secure at least.
But I think a more likely point is also a site with a forum with user generated content. Especially one allowing inline images. The forum should use SSL to protect user authentication information. But the users certainly aren’t going to be only using https links in their image tags. So such a forum is guaranteed mixed-content warnings.
Of course that doesn’t apply to Techdirt. No inline images here. The only problem is the advertisers. In this case, the advertisements are part of the Techdirt business model. They cannot be removed without also eliminating what I have been led to believe is an important revenue stream. So the ads have to stay.
Now, there are far more factors than just SSL in choosing who one uses as an advertiser. If the advertiser with the otherwise best deal doesn’t offer SSL, then that puts you in a tight spot, doesn’t it?
In any case, the info actually going to Techdirt still remains secure. So there are only two impacts here:
1. Someone with access to your line can see which advertisements you get. And that’s gonna happen any time you visit a page using the same advertisement system. So nothing to really worry about, unless the advertiser is storing sensitive information in its tracking cookies.
2. Users who don’t know what mixed content warnings indicate might get spooked by the “Caution” indicator in their browser.
Quite frankly, I find the second issue to be of greatest concern, and only for the folks running this site.
Re: Re: Re:6 Erm..
The problem as I see it with mixed content warnings is that as the average user can not tell which parts are secure and which are not, if they start seeing this warning on trusted sites they will learn to ignore the warning on any site. This ultimately leads to a less secure internet.
Re: Re: Re:7 Erm..
Indeed. With that in mind, the Opera approach may be best. Just display it as if there was no SSL at all. It wouldn’t look any different from the majority of unsecured sites out there. And sites that absolutely require the security will continue to avoid mixed content to make sure the padlock does show up.
Re: Re: Re:5 Erm..
“Imagine you are at amazon trying to check out with a credit card and you got this warning.”
You surely understand the massive grand canyon-sized difference between that example and people viewing an opinion blog, right?
Re: Re: Read
Hm, let’s see… You’re using a web browser developed by a for-profit, US-based multinational advertising/surveillance conglomerate/NSA “corporate partner” (i.e., collaborator) and PRISM-participant; your “local security” is mainly lacking in the existence area.
Read about NSA whistle-blower Ed Snowden’s leaks, and read Bruce Schneier’s blog if you’re fool enough to trust Go-Ogle (or any other major US-based tech firms).
Re: Re: Erm..
It’s the Akamai certificate that doesn’t pass scrutiny. The error is that the name of the techdirt site on the cert does not match the name of the techdirt site itself. I’m guessing this is related to the switch to https, but I haven’t investigated enough to know for certain.
Chrome’s cert checking has a number of holes. Just because it doesn’t flag a cert doesn’t automatically mean the cert is OK.
Re: Re: Re: Erm..
Yes, it’s the switch to https. If you click past the ‘don’t go here’ you won’t even get the site. I explained elsewhere that akamai’s “edgesuite” network which serves 80 is a completely different set of servers than those that serve 443 (which they used to call “edgekey” but now are branded something silly). When you go to https on edgesuite, you’re connecting to their netstorage service. You get this with every akamai customer that’s on their edgesuite network.
Just use addons everyone should be using and you’ll be fine.
Re: Re:
thanks for the security pro-tip!
I get a certificate popup every time I visit TechDirt on my Android phone.
Re: Response to: Anonymous Coward on Jul 24th, 2014 @ 8:05am
I get a security warning occasionally on my android…I think it happens when there’s a .pdf on a page
But guys, if he properly encrypted his site it would make it harder for the NSA to protect him from terrorists!
ODNI is what you would refer to as an 'anti role model'
Do the opposite of what it recommends
Worse when I go look
Well, when I go look at the base URL I get something worse – lol:
http://tinypic.com/r/15ft9qx/8
Which says they (may be) trying to steal my information
To be fair, TD did have a “not all content is secured” for a while…..
Re: Re:
It still does.
https://www.techdirt.com/articles/20140717/03325427904/top-eu-politicians-call-taftattips-corporate-sovereignty-provisions-to-be-removed.shtml
This just proves he is right
Do you people not see the real problem? The real problem is that they have to go to all that trouble to secure their own site, which only proves that the world is too dangerous, and we need some serious mollycoddling so that they can keep us safe. That is assuming that they can be bothered to go to that much trouble to do their job. Which, they apparently cannot do. Then again, maybe they use this to find the bad guys: http://www.cyclismo.org/cgi-bin/spirit.cgi
It is not configured for https
When I go to https://www.dni.gov/ and I accept the bad cert it does not take me to the site. It takes you to a page that says the site is down. They are using akamai as a CDN and have not configured it for https access.
Is this the guy that charges $1 million for his “cybersecurity expertise”?
Eh, I’ve set up a lot of Akamaized sites in the past 15 years. That’s not a real problem: it’s someone who went to an akamaized http site through https. You have to pay extra money to get their SSL versions, and then you have to CNAME your domain to another set of servers, their special SSL servers.
If you put https in front of any site CNAME’d to Akamai that isn’t paying for the extra SSL, you’ll get basically the same error, because it sends you through their old edge network–it supports SSL, but it’s for serving individual assets like images or swfs.
It’s probably historically related to the way they rolled out different offerings. Basically, for this site, they didn’t want to spend a few thousand extra a month for SSL offerings.
Re: Re:
Don’t confuse the discussion with things like facts and reality. People are just looking for the fast slam, the caught you moment more than anything real.
It may be that they are in the middle of a transition from direct hosting to using edge providers to give better service and to mitigate attacks on their servers. It’s pretty normal. The SSL certificates will be all screwed up for a while, it’s not a simple job to do when you are handling a network with so many possible exit URLs.
But hey, it’s fun to slam them for trying to make things better, right?
Re: Re: Re:
Akamai is a good way to mitigate attacks, but it’s an expensive one. I’ve just seen this particular error before, because my last company had a pretty deal with Akamai–we got around 7 cents a gig transferred. Not necessarily good compared to other CDNs but pretty good for Akamai. We would see this error because we’d get customers on Akamai, and then they’d do a security scan, it would come back highlighting that the SSL cert didn’t match, and asked to fix it. Then, we’d say, ok, just pay for an Akamaized SSL site, which will cost you 5 times as much, plus you have to use Akamai as your SSL vendor, which makes netsol look cheap, and then they’d come back and say “no thanks”.
I found some other sites that will give you the same error:
https://www.pepsi.com
https://www.mountaindew.com
You can tell which sites are on the Akamai SSL network by seeing what they’re CNAME’d to. If it’s edgesuite.net, it’ll give a cert error. If it’s edgekey.net, it’s good:
[agarvin@atg-home logs]$ dig +short www.pepsi.com
www.pepsi.com.edgesuite.net.
[agarvin@atg-home logs]$ dig +short www.aa.com
aa.com.edgekey.net.
Note this domain:
[agarvin@atg-home logs]$ dig +short www.dni.gov
www.dni.gov.edgesuite.net.
Look at the cert with openssl s_client and you’ll see the CN is for a248.e.akamai.net.
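The two checks in this comment, reading the CNAME target and reading the names on the served certificate, can be scripted. The following is an added example, not code from the article, the commenter or Akamai: it implements the hostname-matching step a browser performs after chain validation (SAN names first, CN only as a legacy fallback, single-label wildcards), classifies a `dig +short` answer with the commenter's edgesuite/edgekey rule of thumb (a heuristic about one vendor at one time, not a general rule), and offers a live check using Python's `ssl` module with full verification enabled. The sample certificate dictionary is constructed to mirror the `a248.e.akamai.net` CN quoted above; its SAN list is an assumption for illustration.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, modelled
# on the CDN edge certificate the comment above describes (the CN is the
# commenter's observation; the SAN list is an assumption for illustration).
SAMPLE_EDGE_CERT = {
    "subject": ((("commonName", "a248.e.akamai.net"),),),
    "subjectAltName": (("DNS", "a248.e.akamai.net"), ("DNS", "*.akamaihd.net")),
}


def cert_names(cert):
    """DNS names a certificate is valid for: SAN dNSName entries if any exist,
    otherwise the subject CN (a legacy fallback modern browsers no longer honour)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """Case-insensitive match in the RFC 6125 style: exact, or a lone '*' as the
    leftmost label matching exactly one label, so '*.example.com' covers
    'a.example.com' but not 'example.com' or 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """The check a browser performs after chain validation: does any name on the
    cert cover the host the user typed? A shared CDN edge cert fails this."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def cname_hint(cname):
    """Classify a 'dig +short' answer with the rule of thumb from the comment
    above (edgesuite.net targets return the shared edge cert, edgekey.net the
    customer's own). Heuristic about that vendor at that time, not a general rule."""
    target = cname.lower().rstrip(".")
    if target.endswith(".edgesuite.net"):
        return "edgesuite: expect a shared edge cert that does not name this host"
    if target.endswith(".edgekey.net"):
        return "edgekey: expect the customer's own cert"
    return "no Akamai CNAME pattern recognised"


def check_live(hostname, port=443, timeout=5.0):
    """Network check: connect with full verification (chain + hostname) enabled
    and return the names on the accepted cert, or the verification failure a
    browser would surface. Not exercised offline."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return {"ok": True, "names": cert_names(tls.getpeercert())}
    except ssl.SSLCertVerificationError as err:
        return {"ok": False, "error": getattr(err, "verify_message", str(err))}


if __name__ == "__main__":
    print(cname_hint("www.dni.gov.edgesuite.net."))
    print("sample edge cert covers www.dni.gov:",
          hostname_matches(SAMPLE_EDGE_CERT, "www.dni.gov"))
```

`check_live` deliberately keeps verification on rather than disabling it to peek at the certificate: with verification off, `getpeercert()` returns an empty dict, and a script that turns verification off to "make the error go away" is the exact habit the later comments worry about users learning.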
Re: Re: Re:
“Don’t confuse the discussion with things like facts and reality.”
We don’t mind that, what are the facts?
“It may be…”
Oh, you have none, you just wanted to inject a random theory that might allow you to white knight someone criticised in the article? Never mind.
Re: Re: Re: Re:
Oh, you have none
Trying to pick a fight? You lose every time.
Fact: They are using akamai.
Fact: In a transition time, their existing certificate would not be accurate.
Fact: Their site is still secure, and in fact is likely more secure as a result of a move to use Akamai.
Your facts? Name calling. Yup, you lost again.
Re: Re: Re:2 Re:
“is likely more secure as a result of a move to use Akamai.”
How so?
Re: Re: Re:3 Re:
There are a lot of potential reasons why caching / edge services tend to help security. The biggest in general is that it’s much harder for people to DDoS the site, unless they know its original IP and attack it directly that way. Otherwise, their web traffic is generally sent to the cache, which acts as a sink (a really big one).
Not sure about Akamai itself, but similar services will also sink or stop attempts to connect ssh, ftp, mail, and the like, removing the burden entirely from your servers – at least for people who try to connect by name rather than IP.
http://www.akamai.com/html/solutions/security-services.html
Basically, the fewer people who interact directly with your server, the less chance of problems.
Re: Re: Re:4 Re:
DDOS doesn’t count as a security problem in the sense being discussed here. Such attacks don’t result in a security breach or the exposure of secure data.
As to stopping connections to ssh, etc., that’s beyond trivial to do in the first place by just not running those servers. It takes more technical expertise to set up the servers than to not set them up, so the technically clueless are already safe on those fronts by default.
On your last point, that’s true but the increased security you get that way is pretty minimal.
On the flip side, if you’re relying on an edge provider to enhance your security, you’re making a security trade-off. Those providers are well known, desirable attack vectors and draw the attention of far more, and far more skilled, crackers than your servers are likely to draw. And once they’re hacked, all servers using them become vulnerable.
Edge providers are very useful for traffic management, but thinking that using them gives a security benefit beyond what you can easily do for yourself is dubious at best.
Re: Re:
That’s a fair comment, but it’s still a poor showing for the official site for a national security agency to be showing as potentially insecure, whatever the reason.
A man-in-the-middle attack? Against ODNI? By NSA?
One of NSA’s clever tricks is to redirect traffic to go through a snoop node before it gets to the server. The snoop node pretends to be the real server and presents a forged SSL certificate so that it can decrypt both sides of the conversation. Browsers may detect the fake certificate and give a warning, but most users pay no attention and just click on through.
He’s not really into cybersecurity. This is about collection, threat management/assessment, and good ole blackmail.
Java is affected too
download.oracle.com gives the same security error. And it names the exact same domain masquerading as download.oracle.com as is apparently masquerading as www.dni.gov: a248.e.akamai.net.
Widespread MITM attack on security-sensitive sites? DNI, downloads for the (often buggy) Java plugin …
SOP for the GOV
A LOT of GOVernment sites have invalid certs. This seems to be SOP.
I’m sorry, the whole thing here is based around trusting the CERT authorities; maybe the Government does trust them. Moxie says they can’t be trusted, certs are copied and passed around. If that is the case then a self-signed cert like this is more secure.
Moxie Marlinspike: Google, read and watch videos and in a few minutes you will see SSL is broken and useless.
https://www.youtube.com/watch?v=pDmj_xe7EIQ