

This connection is untrusted - chrisdotcode
https://www.whitehouse.gov/

======
techjuice
The site is being served over Akamai and the certificate for
www.whitehouse.gov is being served by Akamai, but it appears the certificate
does not have www.whitehouse.gov in the issued domains. Secure actions are
redirected to petitions.whitehouse.gov.

It may also be possible that they have set up the frontend of the site to only
serve the SSL site from certain IPs (for example, from authorized site
administrator networks, VPN, etc.); if the IP is not authorized, redirect to
HTTP, which would disable the ability for anyone to log in who should not be
able to log in, and/or require PIV certs from authorized IPs. So if you are not
hitting the site from an authorized IP you can never log in, and if you do not
have a PIV cert you can never log in.

By taking a quick look around, the site is powered by Drupal, the CSS and
JavaScript are compressed but the entire site(s) are served behind Akamai for
the internet. It may be possible they are serving out statically compiled
pages over Akamai that the internet can get to and the dynamic site might only
be accessible internally, which is a good practice for large sites.

Also note if you find any weird issues you should be able to call or email the
General Services Administration (GSA), who manages the .gov domains registry -
[https://www.dotgov.gov/portal/web/dotgov/whois](https://www.dotgov.gov/portal/web/dotgov/whois).
If that fails or it is a security issue you can contact US-CERT -
[http://www.dhs.gov/report-incidents#2](http://www.dhs.gov/report-incidents#2)
/ [https://www.us-cert.gov/](https://www.us-cert.gov/), which is a part of the
Department of Homeland Security, which appears to be responsible for protecting
the networks of the .gov domains or centralizing the reports of security
issues for the .gov domains.
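
The hostname mismatch described in the comment above, as an added example that is not part of the original thread: a browser-style check of a requested hostname against a certificate's dNSName entries, using RFC 6125-style wildcard rules. The SAN list and the `cdn.example.net` names are constructed for illustration, not taken from the certificate the site actually served.

```python
# Added example: why a CDN's shared edge certificate triggers
# "This connection is untrusted" for a customer hostname it does not list.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(hostname, pattern):
    """True if a single dNSName SAN entry covers hostname."""
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat):
        return False  # a wildcard stands for exactly one label
    if any("*" in label for label in pat[1:]):
        return False  # wildcard is only honoured in the leftmost label
    if "*" in pat[0]:
        # Accept only a whole-label wildcard, and never one as broad as "*.com".
        if pat[0] != "*" or len(pat) < 3:
            return False
        return host[1:] == pat[1:]
    return host == pat

def check_certificate(hostname, san_dns_names):
    """Return (ok, matching_entry) for hostname against a cert's SAN list."""
    for entry in san_dns_names:
        if san_matches(hostname, entry):
            return True, entry
    return False, None

# Constructed SAN list standing in for a CDN's shared edge certificate.
CDN_SHARED_CERT_SANS = ["edge.cdn.example.net", "*.cdn.example.net"]

if __name__ == "__main__":
    for host in ("www.whitehouse.gov", "img.cdn.example.net",
                 "a.b.cdn.example.net"):
        ok, entry = check_certificate(host, CDN_SHARED_CERT_SANS)
        verdict = f"ok via {entry}" if ok else "MISMATCH (browser warns)"
        print(f"{host}: {verdict}")
```

The chain can be perfectly valid and still fail this check, which is why the warning appears even though the CDN's certificate itself is trusted.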

------
getdavidhiggins
Do users have to submit anything sensitive on this site? Are there any forms
where sensitive information could be plaintexted across the wire? I would love
to know.

If it's purely static HTML files, then I see no point in switching to HTTPS
just because it's the trendy, hip thing to do. Perhaps 'switching on SSL' for
the sake of it is counter-productive and not needed in every case.

I can see the panic here because it's a .GOV site, but can we confirm this is
just static HTML?

------
cottonseed
I ran HTTP Nowhere for a while. I don't know what I was supposed to expect,
but I was rather shocked by the number of expired and invalid HTTPS
certificates. Akamai serving secure sites was a pretty common failure mode.

