US CIO defies the FBI, orders HTTPS for all government websites




#2

Someone in the US government with brains??? Totally amazing development!


#3

The government prefers HTTPS as an encryption standard, because they can easily forge certificates and intercept HTTPS communications.

HTTPS is centralized around notaries, which are large corporate and government institutions which we trust to authenticate certificates. If the NSA compromises a notary, they can eavesdrop on a connection without having to compromise either the client or the server directly.

HTTPS is weak security, and we should be sceptical that it’s actually thwarting mass-surveillance.


#4

No, they don’t even need to do that. Since you are communicating with the government, they have the keys and can decrypt everything anyway.

This in no way is a spit in the eye of Comey. Obviously they can read everything that you send to them, encrypted or not, because they own the servers.


#5

In this particular case, yes. But the push is part of an overall PR effort to pressure everyone to “secure their communications” by using HTTPS everywhere. They’re trying to promote HTTPS as a security solution, but it’s a very conveniently flawed one.


#6

This may be technically true, but there have been only a handful of instances of forged certificates ever showing up in the wild. Browsers like Chrome and Firefox have certificate pinning support which can detect forged certificates (automatic in Chrome for all Google properties, and available to third parties via a header (HPKP) for a specified period of time).

Pinning combined with public notification would make it extremely easy to detect forged certificates in the wild so that they could be revoked. This attack vector’s days are numbered.


#7

Not as flawed as clear text.


#8

It’s rare, but some of the few instances we’ve seen have been attacks by national governments against their entire population, which is a huge deal even if it only happens once.

Aside from which, the more effective way to exploit HTTPS is via targeted attacks which will never be seen “in the wild”, because they only affect particular targets.

It’s true that this is “better than clear text”, but I think that’s a dangerously complacent standard to measure our security against. This late in the game, we can’t just pat ourselves on the back for being somewhat more secure than we were in 1995. The important adversaries are no longer lone hackers or even criminal gangs, they are the most well-funded militaries in the world. Failing to raise our standards is effectively putting our heads in the sand.

