From PC World:
More than two dozen U.S. government websites should be urgently upgraded to use encryption, as whistleblowers are potentially at risk, according to the American Civil Liberties Union.
At least 29 websites that can be used for reporting abuse and fraud don't use encryption, the ACLU said in a letter sent on Tuesday to the U.S.'s top technology chief, CIO Tony Scott.
There has been a broad push recently to move websites to using SSL/TLS (secure sockets layer/transport security layer) encryption. Most e-commerce sites use SSL/TLS, but the case has grown stronger for its broader adoption because of a surge in state-sponsored espionage and cybercriminal activity.
The government plans to upgrade all of its websites within two years to use encryption, signified by "https" in a browser's URL bar. It prevents data that is exchanged between a computer and a website from being read if it is intercepted or tampered with during a man-in-the-middle attack.
The ACLU said that the timeline "is not soon enough for some sensitive sites," which it said included the Justice Department, Treasury Department and the Department of Homeland Security.
(Score: 2, Informative) by Anonymous Coward on Sunday April 19 2015, @01:57AM
As long as the current fucked-beyond-belief CA system is in place, we can't consider HTTPS to be any more secure than HTTP. That's actually worse than it sounds, because it gives people a false sense of security. They see URLs starting with https:// and think that they're secure, without realizing the numerous ways in which these allegedly "secure" communications can be compromised. Some people will wrongly claim that this is still better than no encryption because it makes it harder for interceptors to filter out encrypted-and-sensitive info from encrypted-but-unsensitive info, but that's just a canard. Any interceptor with even the most minor of capabilities will be able to store all of the data, and analyze it automatically at some later date. Face it, SSL and TLS in their present form are scary to anyone who knows anything about security. We just can't have a secure system with CAs as they currently are.
(Score: 1, Informative) by Anonymous Coward on Sunday April 19 2015, @02:34AM
we can't consider HTTPS to be any more secure than HTTP.
It depends on what you're using it for and expecting. Safe from some government agency with a near-unlimited budget? Maybe not. But it provides some security against small attackers.
That's not to say the CA system isn't fucked, however.
(Score: 0) by Anonymous Coward on Sunday April 19 2015, @08:24AM
Small attackers, as a rule, don't have access to the resources needed to sniff your traffic anyway.
Trojans and spyware are bigger threats to typical end-users than HTTP interception by the small-timers.
Wake me when someone gets Firefox and the other browsers to play nice with self-signed HTTPS certificates so we can finally start the worthwhile fight to get end-users familiar with certificate-pinning addons and decentralized webs-of-trust.
(Score: 2) by maxwell demon on Sunday April 19 2015, @10:53AM
In the times of — often unencrypted — public wireless networks, snooping on traffic of someone without technical knowledge is easy.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Sunday April 19 2015, @02:47AM
Based on the summary, it seems that "whistleblowers" here refers to people reporting TO the government, not ON the government. Think Enron, not Snowden. In which case HTTPS/SSL/TLS/etc. would offer at least some protection against a business seeing what data was being sent to the regulatory agencies.
(Score: 3, Insightful) by Grishnakh on Sunday April 19 2015, @03:42AM
I'm no security expert, but I seem to remember reading that it's commonplace for companies to have a system in place so they can readily decrypt all HTTPS traffic that originates in their internal network.
(Score: 1, Insightful) by Anonymous Coward on Sunday April 19 2015, @07:29AM
If, as a whistleblower, you will leak information directly from the network housing the material you leak, then you'll be caught anyway, regardless of HTTPS status. Heck, you may as well e-mail the thing to your personal e-mail account and leave traces that way.
First step is always to separate the material and sanitize it. Then move to a cleanskin location which you can 'burn' and leak from there.
(Score: 2) by kaszz on Sunday April 19 2015, @09:34AM
That means the corporation you are at has added THEIR self-signed CA to your browser's list of approved CAs. And then added a proxy mode setup unless they have on-the-fly TCP replacement. So use USB, download your own browser from a secure source, rewire the network cable, etc.
Memo: Always sanitize the list of approved CAs in your browser.
(Score: 2) by maxwell demon on Sunday April 19 2015, @10:46AM
Is there a particular reason to send it over the company's network instead of simply transporting it outside and sending it from there? Especially in the times of BYOD you should have all the necessary means to do that.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Grishnakh on Monday April 20 2015, @02:37PM
Not every company is BYOD; in fact, I've never seen that myself anywhere.
Doing internet stuff on a cellphone is a PITA; it's a lot easier to use a real computer. The only computer people usually have at work is the work-owned computer. If it's a laptop, it might be possible to use it with your cellphone and avoid going through the company network, but now you're using your cellular data allotment, and getting slower speed, plus it's a PITA to switch back and forth.
(Score: 2) by maxwell demon on Monday April 20 2015, @06:01PM
If I had the choice between inconvenient and dangerous, I'd choose inconvenient any day.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Insightful) by Leebert on Sunday April 19 2015, @03:39AM
*snort* Yeah, two years. We'll get right on that. Just as soon as we're finished with that mandate for all public network services to be IPv6-enabled by September 2012 [whitehouse.gov].
(Score: 2) by maxwell demon on Sunday April 19 2015, @10:58AM
I see, you're not yet used to four-digit abbreviated dates. You know, people figured out that while giving only the last two digits of a year can cause problems every century, using four digits will not give any problems until the year 10000. So they decided that four-digit years are safe for now. Unfortunately that means that really long-term plans got truncated dates. In particular, the IPv6 project is scheduled to be finished in September 32012.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Interesting) by frojack on Sunday April 19 2015, @03:48AM
You are handing your complaint to the GOVERNMENT for Pete's sake. I'm not sure it matters if it's encrypted or not since the information you are reporting is being placed in the government's own hands. They don't need a warrant to get it, you gave it to them.
Any presumption of separation between the department you are whistleblowing to and the offending department is merely a figment of your imagination.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Sunday April 19 2015, @07:33AM
But in the time it takes the gov to get its act together, the organization you leak about may do nasty things to you and destroy your life in the process...
(Score: 0) by Anonymous Coward on Sunday April 19 2015, @08:26AM
You make the assumption that "the gov" was going to do anything constructive about the problem anyway.
Remember Ed Snowden? He chose to take and leak documentation because the official "the gov" channels weren't interested in fixing what was broken.