Confirming what we've all suspected — that some spy agencies employ incompetent posers — the United States' Office of the Director of National Intelligence has failed to secure the SSL certificate for their own website, exposing them to deserved public ridicule.
To be generous, one of the comments suggests: "No this is Akamai not able to do a good job on HTTPS. I've seen this a lot! Pay more money is what Akamai says to fix it." Still, were there any QA applied to the site, one would expect this would have been detected before it went live.
This leads to a broader question: what security mistakes (government or otherwise) have you encountered?
[UPDATE: Replaced a duplicate link with a link to the DNI website.]
DNI James Clapper's Office Can't Do SSL Right
(Score: 1, Informative) by Anonymous Coward on Saturday July 26 2014, @05:06AM
Direct link to the incorrectly secured website is here: https://www.dni.gov/ [dni.gov]
That should cause your browser to display the same error about the certificate being for the wrong domain.
(Score: 2) by No.Limit on Saturday July 26 2014, @08:29AM
It's probably Akamai's fault.
I've been getting the same for this domain: https://download.oracle.com/ [oracle.com]
So annoying!
(Score: 1, Interesting) by Anonymous Coward on Saturday July 26 2014, @08:36AM
It is the same cert on both sites.
But where does the buck stop?
I mean you can blame Akamai for doing it wrong, but you have to blame the DNI (and Oracle) for using a service that does it wrong.
Want to bet that the people in charge at each site have permanently added the exception for that cert on their respective domains and now don't even know it is still messed up?
(Score: 4, Funny) by clone141166 on Saturday July 26 2014, @06:06AM
If it's true, it's pretty funny that the Daily Mail was publishing made-up tabloid rubbish even in 1906 that led to the creation of MI5.
"Northcliffe loved it - but the Mail's circulation department said that many of the towns on Le Queux's invasion route didn't have many actual or potential Daily Mail readers in them.
So Lord Northcliffe changed the route of the invasion to make sure that all the towns that were sacked and pillaged had lots of Daily Mail readers."
Nice to see that The Daily Mail has a proud history of being utterly and completely wrong.
(Score: 0) by Anonymous Coward on Saturday July 26 2014, @08:02AM
The history of all intelligence organizations (with the possible exception of the Russians) is that the spy novels precede (that means "comes before," for those of you with an American education) the actual spy agencies.
(Score: 1) by Horse With Stripes on Saturday July 26 2014, @08:23AM
Why are two of the links in the summary pointing to the same Twitter post? Could it be that someone made a mistake, or is someone applying for a job with the office of the DNI? ;-)
(Score: 1) by martyb on Saturday July 26 2014, @01:11PM
The original submitter had the duplicated link in their original submission, but corrected it in a resubmission. When merging stories, I failed to replace the duplicated link with the link to the DNI website.
That will teach me to be doubly careful when posting stories at 1:00 AM.
And, to try and keep this post on-topic, I found the first link in the story: http://www.bbc.co.uk/blogs/adamcurtis/posts/BUGGER [bbc.co.uk] to be a scathing history of MI5. Who knows what lies in the skeleton closet of other countries' spy agencies?
Then again, having spent many years in software development and test, rarely do one's first efforts come out right. There's a lot of trying and tossing until one finds the things that work.
Wit is intellect, dancing.
(Score: 1) by Horse With Stripes on Saturday July 26 2014, @03:43PM
"scathing history of MI5"? You're being rather polite ;-) An agency started by lies, built on lies and still generating lies? It doesn't get more "government" than that.
(Score: 5, Informative) by Leebert on Saturday July 26 2014, @11:34AM
That actually happened to us when my government agency migrated to a different "cloud" provider for our main website. We don't use SSL, but the folks who run the cloud instance overlooked it and didn't disable it. So we had the CDN's certificate, which is exactly the case here. It's embarrassing, but not exactly the end of the world since no valid link on the site should point to it. Wasn't a big deal; we just sent an e-mail to the operations team and asked them to fix it however they saw fit. I was happy to see that their choice was to generate a valid certificate rather than disable SSL.
The IRS still has the problem: https://www.irs.gov/ [irs.gov]
Anyway, the point being that the ODNI probably didn't even *intend* to have SSL enabled. It seems to be a common mistake, but it isn't exactly "Oh noes! Their site is insecure!".
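The wrong-domain error discussed in this thread, as an added example that is not part of the original discussion: a check that flags any site in an inventory whose presented certificate does not cover its hostname, which is what a CDN default certificate produces. The function names and the sample hostnames are assumptions made for illustration; the sample data is constructed.

```python
import socket
import ssl

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' only as the whole leftmost label, one label deep."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_covers(dns_names, host):
    return any(name_matches(n, host) for n in dns_names)

def fetch_dns_names(host, port=443, timeout=5.0):
    """Return the DNS subjectAltName entries the server presents for `host`.
    The chain is still validated; only the hostname check is turned off so a
    mismatched certificate can be inspected instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def audit(inventory, fetch=fetch_dns_names):
    """Return {host: presented_names} for hosts whose certificate does not cover them."""
    bad = {}
    for host in inventory:
        names = fetch(host)
        if not cert_covers(names, host):
            bad[host] = names
    return bad

# Constructed sample: hostname -> DNS names in the certificate it serves.
CONSTRUCTED = {
    "www.agency.example": ["cdn-edge.example.net", "*.cdn-edge.example.net"],
    "www.shop.example": ["shop.example", "*.shop.example"],
    "a.b.shop.example": ["shop.example", "*.shop.example"],
}

if __name__ == "__main__":
    for host, names in audit(CONSTRUCTED, fetch=CONSTRUCTED.__getitem__).items():
        print(f"{host}: certificate is for {names}")
```

Run against the constructed data, the first host is reported because it serves the CDN's certificate, and the third because a wildcard covers only one label.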