
posted by n1 on Wednesday June 10 2015, @06:57AM
from the fbi-encryption-prevention dept.

The White House Office of Management and Budget (OMB) has issued a directive that requires all publicly accessible federal Web sites to adopt HTTPS:

An HTTPS-Only standard will eliminate inconsistent, subjective determinations across agencies regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide. Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and may reduce their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the Federal Government as a leader in Internet security.

United States Chief Information Officer Tony Scott adds:

Per the issuance of this Memorandum, all publicly accessible Federal websites must meet the HTTPS-Only Standard by December 31st of 2016.

OMB first proposed the HTTPS-Only Standard in March and requested comment from the public. During the feedback period, OMB's proposal received numerous comments and suggestions from Internet standards bodies, popular web browsers, and concerned citizens. To assist with the conversion to HTTPS, technical assistance and best practices for migration are available at https://https.cio.gov, a site that is open to contribution from technical experts around the world. Finally, a public dashboard has been constructed to monitor progress.


  • (Score: 4, Funny) by Gravis on Wednesday June 10 2015, @07:14AM

    by Gravis (4596) on Wednesday June 10 2015, @07:14AM (#194422)

    This leaves Americans vulnerable to known threats, and may reduce their confidence in their government.

    which is ironic because the government itself has become a known threat.

  • (Score: 0) by Anonymous Coward on Wednesday June 10 2015, @07:21AM

    by Anonymous Coward on Wednesday June 10 2015, @07:21AM (#194426)

    They are so confident in their ability to crack SSL, even going forwards, that they want to encourage us to switch to SSL?

    • (Score: 2, Insightful) by Anonymous Coward on Wednesday June 10 2015, @07:36AM

      by Anonymous Coward on Wednesday June 10 2015, @07:36AM (#194429)

      This is about government servers. The government has already full control of government servers. Moreover, they already have the original SSL private key (it's their key, after all); there is no need to crack it. They don't want others to interfere with the communication to government servers.

    • (Score: 3, Insightful) by Anonymous Coward on Wednesday June 10 2015, @07:49AM

      by Anonymous Coward on Wednesday June 10 2015, @07:49AM (#194433)

      Thinking more about it, it could actually help the government to crack other SSL connections, using an apparently innocent extra step (I didn't check if that step is planned or even already executed): For maximal security, the government of course doesn't want to rely on a commercial certification agency. Instead it generates its own root certificate, which then is included in all browsers. A reasonable step for more security, right?

      Well, root certificates are not bound to a specific domain. They can be used to sign certificates for any domain. And the user checks a certificate by checking who signed it, and if it finds that it was signed by a trusted certificate, it assumes the web site certificate is to be trusted as well. There's no inherent mapping between domains and corresponding root certificates.

      Now with the government root certificate being trusted by every browser, the government could simply do a MITM on any SSL protected site by just signing the certificate of their replacement site with the government root key. The browser will find that the certificate which the web site offered is signed by a trusted root certificate (the government's), and thus that the connection is to be trusted.

      • (Score: 3, Interesting) by NCommander on Wednesday June 10 2015, @09:19AM

        by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Wednesday June 10 2015, @09:19AM (#194450) Homepage Journal

        I believe the United States already has at least one CA in the root store. I know for a fact that the Hong Kong Post Office has/had a CA in Mozilla's store, so I'd be truly flabbergasted if this wasn't already the case. Worst case scenario, you can literally buy a CA certificate for $50k from GlobalSign (an intermediate certificate that allows for signing whatever you'd like).

        --
        Still always moving
    • (Score: 5, Interesting) by Leebert on Wednesday June 10 2015, @12:22PM

      by Leebert (3511) on Wednesday June 10 2015, @12:22PM (#194487)

      They are so confident in their ability to crack SSL, even going forwards, that they want to encourage us to switch to SSL?

      You assume that the US federal government is all of one mind. Working in non-DOD government infosec, I can assure you that there is a substantial contingent of infosec professionals who are dedicated to privacy, and find the NSA activities distasteful. If, for example, you think that what NSA did to NIST didn't piss off NIST [nist.gov] (PDF), you've not spent much time around NIST. Choice quote from that report:

      While it is beyond the remit of this committee to opine on the mission and practices of the National Security Agency, it cannot be accepted that NIST’s responsibilities should be co-opted by the NSA’s intelligence mission. NIST’s responsibility is to identify means of protecting information to the maximum practicable extent and this must be its primary metric and objective.

      This OMB mandate may or may not be a response to the ongoing NSA controversy. Frankly, I think it's more just folks in the Executive Office of the President trying to get a handle on rampant security problems in federal information systems. But it could also be a contingent of folks in just the right position to advance the cause of privacy doing their part to nudge things along.

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday June 10 2015, @07:39AM

    by Anonymous Coward on Wednesday June 10 2015, @07:39AM (#194431)

    ...will be the NSA black boxes installed at Verizon, Microsoft and all other existing CA's "trusted" by browsers

  • (Score: 2) by c0lo on Wednesday June 10 2015, @01:28PM

    by c0lo (156) on Wednesday June 10 2015, @01:28PM (#194506) Journal

    HTTPS is about message confidentiality and trust (which runs opposite to anonymity), not about privacy (which requires anonymity from 3rd-party observers): e.g. the NSA will still be able to collect metadata, track IP + web browsing patterns to a person, and apply the wrench attack.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0
    • (Score: 1, Interesting) by Anonymous Coward on Wednesday June 10 2015, @01:53PM

      by Anonymous Coward on Wednesday June 10 2015, @01:53PM (#194524)

      It's not so much the NSA (or FBI, DEA, etc) but organized hacker groups that would be prevented from harvesting account names and passwords, and consumer form data. And it provides a measure of defense against DNS hacking and site spoofing - assuming that someone will notice that "whitehouse.gov" isn't showing up as https: in the URL bar.

      No single step solves all problems (nor would they necessarily want to, but that's a different topic).

      • (Score: 2) by c0lo on Wednesday June 10 2015, @08:46PM

        by c0lo (156) on Wednesday June 10 2015, @08:46PM (#194668) Journal

        It's not so much the NSA (or FBI, DEA, etc) but organized hacker groups that would be prevented from harvesting account names and passwords, and consumer form data.

        All true, as is the fact that HTTPS is not about privacy. And I see it as a dangerous move having it promoted as such, especially when the promotion comes from government, and even more so from a government which blessed snooping.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0
  • (Score: 2) by MichaelDavidCrawford on Wednesday June 10 2015, @05:40PM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Wednesday June 10 2015, @05:40PM (#194601) Homepage Journal

    ... so that visitors will have no choice but to use encryption, but before I do, I want to know:

    Is there any country in the world in which it is illegal to use SSL encryption? Would someone violate the law by visiting my site, or alternatively would they violate the law simply by possessing a browser that supported SSL?

    I once read that it is a criminal offense, subject to court martial, for US military personnel to use any form of encryption other than that provided by the military for their work. Otherwise there would be the obvious problem of spies letting our enemies know that we plan to attack at dawn.

    But if that's still the case, so much as checking your bank balance would land you in Leavenworth.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 4, Informative) by NCommander on Wednesday June 10 2015, @06:34PM

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Wednesday June 10 2015, @06:34PM (#194618) Homepage Journal

      I don't think it's explicitly illegal anywhere except maybe North Korea. That being said, the CA system is pretty much inherently broken: as long as a nation-state has a certificate in the root store or can pressure a company with an intermediate certificate in the chain, you're hosed. HSTS and HPKP can protect you *after* the first connection, but beyond that you're basically fucked. I lived in China, and as long as the entire site wasn't blacklisted, SSL worked just fine through the great firewall, as did SSH.

      --
      Still always moving
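Two comments above make the same point from different ends: the Anonymous Coward in #194433 argues that a root certificate is not bound to any domain, so any trusted root can sign a certificate for any site, and NCommander in #194618 notes that HPKP is what protects you after the first connection. The following Go program is an added example, not code from the page or from any of the commenters, showing both claims with real X.509 machinery from Go's standard library. The CA names ("Bank Root CA", "Other Root CA"), the hostname bank.example, the serial numbers and the keys are all constructed here for illustration; nothing about the certificates is taken from a real trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed trust store plus two leaf certificates for one hostname.
type Scenario struct {
	Roots    *x509.CertPool
	Legit    *x509.Certificate // bank.example, issued by "Bank Root CA"
	Impostor *x509.Certificate // bank.example, issued by "Other Root CA" with a different key
	Pin      [32]byte          // SHA-256 of the legitimate leaf's SubjectPublicKeyInfo
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal CA or server certificate template for name.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // the only name a client matches the host against
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl for pub, signed by signer; pass parent == tmpl for a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// ChainValid is the browser's check: some trusted root vouches for the leaf and the
// leaf names the host. Nothing in this check ties the host to a particular root.
func ChainValid(roots *x509.CertPool, leaf *x509.Certificate, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// SPKIHash is the digest an HPKP pin-sha256 value carries (before base64 encoding).
func SPKIHash(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// PinMatches is the extra check a pinning client applies after chain validation.
func PinMatches(leaf *x509.Certificate, pin [32]byte) bool {
	return SPKIHash(leaf) == pin
}

// BuildScenario puts two independent roots in one trust store and has each issue a
// certificate for bank.example (all names and keys constructed for this example).
func BuildScenario() *Scenario {
	bankRootKey, otherRootKey := newKey(), newKey()
	bankRootTmpl, otherRootTmpl := template("Bank Root CA", 1, true), template("Other Root CA", 2, true)
	bankRoot := sign(bankRootTmpl, bankRootTmpl, &bankRootKey.PublicKey, bankRootKey)
	otherRoot := sign(otherRootTmpl, otherRootTmpl, &otherRootKey.PublicKey, otherRootKey)
	roots := x509.NewCertPool()
	roots.AddCert(bankRoot)
	roots.AddCert(otherRoot)
	legitKey, impostorKey := newKey(), newKey()
	legit := sign(template("bank.example", 100, false), bankRoot, &legitKey.PublicKey, bankRootKey)
	// The impostor never touched Bank Root CA's key; any trusted root's signature is enough.
	impostor := sign(template("bank.example", 200, false), otherRoot, &impostorKey.PublicKey, otherRootKey)
	return &Scenario{Roots: roots, Legit: legit, Impostor: impostor, Pin: SPKIHash(legit)}
}

func main() {
	s := BuildScenario()
	fmt.Println("legit chain valid:   ", ChainValid(s.Roots, s.Legit, "bank.example"))    // true
	fmt.Println("impostor chain valid:", ChainValid(s.Roots, s.Impostor, "bank.example")) // true
	fmt.Println("legit matches pin:   ", PinMatches(s.Legit, s.Pin))                      // true
	fmt.Println("impostor matches pin:", PinMatches(s.Impostor, s.Pin))                   // false
}
```

The chain check passes for both leaves because the trust store is a flat set: the verifier asks only whether some root signed the chain and whether the leaf names the host, exactly the gap #194433 describes. The pin check is the HPKP step: a client that has already learned the site's SPKI hash rejects the impostor even though its chain is valid, which is why #194618 says it only helps after the first connection, since a first-time visitor has no pin to compare against. The same code also shows why an X.509 name constraint on "Other Root CA" (PermittedDNSDomains in Go) would close the gap for that root, but that is a property of the individual root, not of the trust store.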