
US Government Sites Give Bad Security Advice - feross
https://krebsonsecurity.com/2020/03/us-government-sites-give-bad-security-advice/
======
Cpoll
I was going to reply to guacamole4's comment, which is unfortunately [dead]
now. I think it's useful to talk about.

> Author then claims that just about anybody can get .gov domain which is
> untrue.

It didn't take much Googling to find Krebs stating that it's pretty easy:
[https://krebsonsecurity.com/2019/11/its-way-too-easy-to-get-...](https://krebsonsecurity.com/2019/11/its-way-too-easy-to-get-a-gov-domain-name/)

Even without an article, it seems obvious to me that a criminal setting up a
phishing site wouldn't be deterred by a bit more wire fraud to obtain a .gov.

~~~
ENOTTY
After Brian Krebs' reporting, the GSA just announced a new process to get a
.gov domain.
[https://krebsonsecurity.com/2020/03/u-s-govt-makes-it-harder...](https://krebsonsecurity.com/2020/03/u-s-govt-makes-it-harder-to-get-gov-domains/)

~~~
Cpoll
> But I’m left to wonder: If I’m a bad guy who’s willing to forge someone’s
> signature and letterhead in a fraudulent application for a .gov domain, why
> wouldn’t I also be willing to fake a notarization?

It's probably not enough.

I think just by the nature of .gov domains, it's going to be very difficult to
properly secure them. Even if registration is airtight, an attacker can still
use other vectors:

- XSS vuln on a legit .gov page to inject their own content
- Open redirect vuln to redirect a legit .gov link to their page
- Break a .gov server. I'm sure at least one of them is running a WordPress site
  with a vulnerable plugin
- Break into or social engineer into the DNS server

------
Rebelgecko
What else is new? I can't find a source right now, but IIRC NIST doesn't even
follow their own password guidelines. This seems like a relatively minor flub
in comparison. If the verbiage was tweaked a bit to say something like "the
https ensures that you're actually connected to the website whose name shows
up in your address bar" I think there'd be nothing to complain about.

~~~
blakesterz
To be fair to them, how the hell do you possibly explain what that means to
people who don't know or care how any of these things work? How do you explain
TLS and DNS and HTTP and web servers and all this stuff in less than an hour
in a way that makes any sense to someone that doesn't care about technology
and just wants this stuff to work?

~~~
rtisdale
You're in a perfectly soundproof room with one other person.

Whatever you talk about with this person can't be heard by anyone outside the
room.

This room can only help guarantee that no one outside can hear you, not that
the person you're talking to is trustworthy.

If the other person is a thief and you tell them where your valuables are,
they could be stolen.

If the other person is trustworthy, you can be sure no one else will hear what
you tell them and your secrets are safe.

The soundproof room is HTTPS. The other person is a server.

You could tell someone something like this and provide a lay person with a
basic understanding of many fundamental building blocks of the web rather
quickly (DNS can be explained as a phone book for example).

------
netsharc
#1 is also very weak. "'.gov' means it's official".

Someone who doesn't know what's going on will interpret that as "if this
substring appears anywhere, it's safe".

So, the hijacker just needs to create a URL like "https: //
united.stat.es/census2020.gov/yourcensus" and fool a loooot of people.

------
olliej
I mean the us gov also continuously tries to legislate mandatory weak
security.

------
guacamole4
The note says:

1) .gov means the site is official

2) https:// means it's secure

Author takes #2 out of context provided by #1 and argues that https:// doesn't
necessarily mean it's secure because it could be phishing. However the point is
that it's secure if it's both .gov and https://

Author then claims that just about anybody can get .gov domain which is
untrue.

~~~
basch
I agree. A simple plus sign, to signify both are necessary for the conclusion
to be drawn, would fix the message.

However, as long as URLs read both right to left, and left to right, in the
same string, it's very hard to communicate to standard people what the "end" is.
https://example.com./.gov ends in .gov, and the percentage of people that don't
know a - is not a delimiter but / is and . sometimes is, is high.
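An added example, not from any commenter in the thread: a small Python check of where a URL's hostname actually ends, applied to the lookalike URLs quoted above (netsharc's `united.stat.es/census2020.gov/...` and basch's `example.com./.gov`) plus one constructed hyphen variant. The sample URLs and the `gov_host` function are mine, not the page's.

```python
from urllib.parse import urlsplit


def gov_host(url: str):
    """Return the hostname if it is genuinely under the .gov TLD, else None.

    Only the registered name (between "https://" and the first "/") matters,
    and only its LAST dot-separated label decides the TLD. A ".gov" that
    appears in the path, a trailing-dot FQDN, or a hyphenated look-alike
    label must not count.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return None  # the note pairs .gov with https://; both are required
    host = parts.hostname  # lowercased; port and userinfo already stripped
    if not host:
        return None
    host = host.rstrip(".")  # "example.com." is the fully-qualified form of example.com
    labels = host.split(".")
    if any(not label for label in labels):
        return None  # an empty label means a malformed name
    return host if labels[-1] == "gov" else None


# Constructed samples: two from the thread, one hyphen look-alike, one plain http.
SAMPLES = [
    "https://www.census.gov/",                       # real .gov host
    "https://www.census.gov./",                      # same host, FQDN trailing dot
    "https://united.stat.es/census2020.gov/yourcensus",  # ".gov" only in the path
    "https://example.com./.gov",                     # ".gov" only in the path
    "https://census.gov-example.com/",               # "-" is not a label delimiter
    "http://www.census.gov/",                        # .gov but not https
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:55} -> {gov_host(url)}")
```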

