
United States wants HTTPS for all government sites, all the time - el_duderino
https://nakedsecurity.sophos.com/2020/06/23/united-states-wants-https-for-all-government-sites-all-the-time/
======
aequitas
Shameless plug: our team developed an open-source tool that helps
organisations visualize security issues (like missing https) on a map, so it is
easily relatable for citizens (and government employees) if, for example, their
municipality is doing a bad job, and it helps those citizens (and government
organizations) improve their security.

It's free and easy to set up for your own country if you're interested:
[https://websecuritymap.org/](https://websecuritymap.org/)

Example of the site running for the Netherlands:
[https://basisbeveiliging.nl/](https://basisbeveiliging.nl/)

~~~
rapnie
Thanks, looks interesting.

PS. The .org site does not display well on FF/Android (texts clipped, etc.)

~~~
aequitas
Thanks for the feedback, it's noted: [https://gitlab.com/internet-cleanup-foundation/web-security-...](https://gitlab.com/internet-cleanup-foundation/web-security-map/-/issues/254)

------
eddietejeda
Hi, I work on infrastructure in the federal government.

Here's my take: the title is unclear. The federal government has required
https for a while.

Learn more here: [https://https.cio.gov/](https://https.cio.gov/)

OMB wrote a memo requiring https in 2015:
[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/me...](https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2015/m-15-13.pdf)

If you see the "announcement" linked in the article, you'll notice that it's
referencing this page: [https://home.dotgov.gov/](https://home.dotgov.gov/),
which is about the HSTS preload list.

------
pbhjpbhj
How could they not have https, is that by decision, or by incompetence, or...?

~~~
HenryKissinger
Every change has to go through months, or years, of review, and be approved by
50 different people.

I take it you've never worked for the government, have you?

~~~
hirundo
Only until around April 16th.

[https://en.wikipedia.org/wiki/Tax_Freedom_Day](https://en.wikipedia.org/wiki/Tax_Freedom_Day)

~~~
cosmojg
Huh! TIL! Is that why US federal taxes are typically due on April 15th? Or is
it a coincidence?

~~~
0xffff2
Seems unrelated since the exact date has bounced around both before and after
the 15th over the last 60 years.

------
kevingadd
Gonna be unfortunate when they find out they've made HTTPS illegal indirectly
by banning encryption!

It really is amazing to see how often one part of the government will actively
sabotage the goals of other agencies.

~~~
LinuxBender
I don't believe they are making encryption illegal. Rather, they would likely
require any org doing TLS for them to provide lawful intercept, logging, audit
and compliance. If a government org is managing their own network stack, then
requiring TLS would be a non-issue as they can provide their audit orgs with
all the data they want, as they likely do today. From all the bills I have
read, there is nothing that makes encryption illegal. They want the ability to
access data from the servers after it has been decrypted. This includes a way
to intercept what users perceive to be end-to-end encryption.

The only problem I have run into with various government orgs is the lack of
knowledge around implementing intermediate certificates. They will often try
to talk people into installing their certs rather than installing intermediate
certs correctly. I always point them to testssl.sh [1]

[1] -
[https://github.com/drwetter/testssl.sh](https://github.com/drwetter/testssl.sh)
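
On the intermediate-certificate point: a client's trust store holds only roots, so a server has to send the intermediate itself, and a site that omits it fails validation for a fresh client even though an administrator's machine with the intermediate already cached may succeed (which is why testssl.sh reports the chain separately). The following is an added example, not code from this thread or from testssl.sh, that builds a hypothetical root -> issuing CA -> leaf chain in memory with Go's crypto/x509 and verifies the leaf the way a client would, once with the intermediate missing from the served chain and once with it present. The CA and host names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for subject, signed by parent/parentKey, or
// self-signed when parent is nil. All names here are constructed for the demo.
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A web-server leaf: SAN plus the serverAuth EKU that x509.Verify
		// requires by default.
		tmpl.DNSNames = []string{subject}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyServed checks a leaf the way a browser does: the trust store holds
// only roots, so any intermediates must come from the chain the server sent.
func VerifyServed(leaf *x509.Certificate, served []*x509.Certificate, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	intermediates := x509.NewCertPool()
	for _, c := range served {
		intermediates.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		DNSName:       host,
	})
	return err
}

// Demo builds root -> issuing CA -> leaf and verifies the leaf twice: once for
// a server that sends only its own certificate (the misconfiguration testssl.sh
// reports as a chain problem) and once with the intermediate included.
func Demo() (missingIntermediate error, withIntermediate error) {
	root, rootKey := issue("Demo Root CA", true, nil, nil, 1)
	issuing, issuingKey := issue("Demo Issuing CA", true, root, rootKey, 2)
	leaf, _ := issue("www.example.gov", false, issuing, issuingKey, 3)

	missingIntermediate = VerifyServed(leaf, nil, root, "www.example.gov")
	withIntermediate = VerifyServed(leaf, []*x509.Certificate{issuing}, root, "www.example.gov")
	return missingIntermediate, withIntermediate
}

func main() {
	bad, good := Demo()
	fmt.Println("server sends leaf only:          ", bad)
	fmt.Println("server sends leaf + intermediate:", good)
}
```

Against a real host, the served chain is what tls.Dial returns in ConnectionState().PeerCertificates: the first element is the leaf, the rest are what the server chose to send, and passing only those (not anything cached locally) into the Intermediates pool reproduces what a first-time visitor's browser sees.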

~~~
rezonant
What? No, GP is talking about EARN IT et al., which would mandate backdoors in
encryption tech

~~~
klyrs
If the government holds the private keys, don't they have that backdoor access
to their own https traffic?

~~~
rezonant
Who watches the watchers?

------
robador
This reads like an article of 5 years ago... Did time stand still?

~~~
cryptoz
In the US Government, for almost all of the last 5 years, there has been a
concerted effort to move backwards, not to stand still or move forwards.

~~~
bigbob2
Just 5 years?

~~~
pphysch
Okay, 50 years.

------
tcberry
I would love it if DoD/VA sites would stop using wonky certificate settings
all the time.

~~~
boris-ning-usds
Hi, this is Boris Ning from United States Digital Service.

Can you go into specifics of the "wonky certificate settings"? I can probably
help you out with that or at least bring it to the attention of the team here
at VA.

~~~
Donald
They're likely referring to different parts of the federal government
maintaining separate PKI. For example, the DoD has a separate certificate
structure ([https://public.cyber.mil/pki-pke/](https://public.cyber.mil/pki-pke/))
and these certificates aren't commonly pre-installed on platforms used
by US citizens.

~~~
boris-ning-usds
Ah, understood.

Most federal agencies have their own internal PKI systems, and DoD is probably
more unique than others because the infrastructure is bigger, older, and has
different regulations governing it.

Most civilian agencies, such as VA (as opposed to DoD), should utilize public
PKI / public CAs for their certificates.

~~~
tcberry
I don't know if calling out the VA specifically is particularly fair on my
part – it's possible my issue has been solely when attempting to access DoD
sites secured by DoD certificates. Does any other government org in-house
their certificates for internal sites in this way that is completely divorced
from other root authorities?

~~~
boris-ning-usds
Feedback and comments are always welcome, at least I welcome them :D.

I can't speak for all government agencies, but generally there is an internal
CA for hosting internal sites. I remember reading a comment in the Federal
PKI guide that this sort of infrastructure goes back to before 2004.

"Prior to 2004, some agencies had already deployed and invested in their own
PKI and CAs. Some of these agencies opted out of migrating to the SSP Program
and continued to manage their existing infrastructures. These Federal Agencies
Legacy operate one or more CAs that are cross-certified with a Federal PKI
Trust Infrastructure CA." -
[https://fpki.idmanagement.gov/ca/](https://fpki.idmanagement.gov/ca/)

Here's a very short list of public CA certificates from Treasury, and it lists
out public key certificates for many other agencies as well. -
[https://pki.treas.gov/crl_certs.htm](https://pki.treas.gov/crl_certs.htm)

------
clairity
even better would be to kick google (and microsoft to a lesser extent) out of
any and all government services, including gmail, analytics, captcha, android,
forms, js, fonts, apis, storage, etc. it maddens me to have to turn over
sensitive data to google to get government services nowadays. they've crept
into every dark corner and crevice of government.

the governments we have are already wanting to surveil us plenty, we don't
need a shadow entity doing it too.

~~~
cheschire
So you're advocating for the government to build these tools in-house then?

~~~
austincheney
Government and the military should absolutely be encouraged to write their own
in-house tools. That would dramatically improve quality of service and
simultaneously reduce government expenses.

~~~
0xffff2
> That would dramatically improve quality of service...

I find this doubtful.

> ... and simultaneously reduce government expenses.

I find this almost tautologically impossible. By and large the government (my
corner of it anyway) doesn't pay extra for licenses to commercial software.
The idea that we could somehow find and hire enough developers to rewrite the
entire Microsoft ecosystem, and somehow do it for less than it costs us to pay
for Office 365 every year, requires some serious justification.

~~~
austincheney
Why would an internal software team rewrite MS Word?

~~~
0xffff2
Maybe I misunderstood. What tools do you think the government should be
building in house? If MS Word isn't something you're advocating that we
rewrite in house, then I don't understand what you're advocating that we don't
already do.

~~~
austincheney
Original software to solve problems unique to a given government office
instead of relying on the contract bidding process.

For example I work at a bank that does not sell software and yet the bank has
thousands of software developers.

~~~
0xffff2
So does the Federal government. Hell, my tiny little corner of the Federal
government employs thousands of software developers all on its own.

------
annoyingnoob
> United States wants HTTPS for all government sites, all the time

But they want to backdoor the encryption so that foreign governments can spy
on those encrypted connections. Genius.

~~~
thephyber
To be fair, not all of the United States government wants to be on HTTPS (all
that quickly) and not all of the government wants to backdoor encryption. I
think it's important to point out that some of the US Government has a more
tempered approach to the issue.

The NSA tends to ignore the domestic quibbles about encryption because they
tend to have much more flexibility in how they work around encryption hurdles.
The DOJ and local police departments scream bloody murder about encryption
every time there is one phone they can't access, and a few congress critters use
that call as a political wedge issue.

~~~
annoyingnoob
Proponents of backdoors are beating the drum louder, harder, and more often as
time goes on. They are playing the long game. It seriously concerns me that
morons want to take us in the wrong direction.

------
Fiveplus
Relevant story from 2 days ago. Direct Link:
[https://home.dotgov.gov/management/preloading/dotgovhttps/](https://home.dotgov.gov/management/preloading/dotgovhttps/)

Posted here:
[https://news.ycombinator.com/item?id=23609538](https://news.ycombinator.com/item?id=23609538)

~~~
jlgaddis
... with zero discussion.

------
fhqghds
as someone who works on such things at a .gov, this has been in the works for
years, and will likely remain in the works for years

the level of push back against it is absolutely epic.

the .gov I work on has even been considering moving most services off of .gov
to another tld (such as .us) in order to avoid having to comply...

~~~
KeepFlying
What is the reasoning for the pushback? Can you talk about some of the reasons
they give for that?

~~~
fhqghds
short answer: massive amounts of inertia

long answer: there are a lot of reasons...

one is that our network is obscenely open and used in weird ways.

public ips handed out to all the things via dhcp. dynamic hostnames (generated
from the dhcp request) on a subdomain of our .gov for all the things.
similarly static ips and top level dns records on our .gov are passed out like
candy.

the border is heavily firewalled, and all networks are heavily sniffed and
monitored, but everyone has a public ip with a .gov hostname. the network
users consist of thousands of academics and scientists who use the network in
fun and interesting ways, frequently without tls.

changing this culture is likely way more difficult than making config changes
on bind and dhcpd

I've slowly learned to stop asking, and just try to keep my sobbing down
during calls

------
stx
I expect to see more government sites for which https is on but the cert is
expired or does not validate.

------
gentleman11
Which is it - HTTPS for everything, or ban it? Or is it that they think
only they should be able to use it?
[https://news.ycombinator.com/item?id=23636487](https://news.ycombinator.com/item?id=23636487)

~~~
happythomist
There's a pretty significant difference between "no HTTPS" and "mandatory
decryption for consumer electronic devices with a warrant", even if the latter
is still a bad policy.

~~~
gentleman11
The author of the article (in the hn story) I linked claims that the
legislation in question bans https

~~~
happythomist
I don't see where the author makes that claim. Mandatory decryption of HTTPS
traffic is not a ban on HTTPS.

