
An Introduction to HTTPS, by 18F and DigitalGov University - konklone
https://18f.gsa.gov/2015/07/16/introduction-to-https-webinar/
======
ianstallings
This is the first time I've heard about 18f and I really think the model will
work. It's a familiar system to agencies, using the consulting model, yet you
guys work directly for the GSA.

I worked as a government contractor for quite a while (SAIC) and I applaud
this effort. I imagine the hurdles will be immense, so I wish you the best. We
need more of this.

------
konklone
Full disclosure: I'm the submitter and the creator of these videos. Happy to
answer questions or take feedback for future educational work we could be
doing.

~~~
russell_h
Really curious if you can speak to any internal politics around advocating for
encrypting more communications while much of the executive branch is
advocating against that.

Is 18F sufficiently independent, or this project sufficiently below the radar
that it just isn't an issue?

~~~
dangerlibrary
Entirely different worlds.

People think "The Federal Government" is a monolith, and they could not be
more mistaken. It is a collection of individual entities, operating largely
independently and often at odds with one another. 18F is a different entity
with a different set of goals from the law enforcement (FBI/DEA/etc.) and
intelligence (NSA/CIA/GeoInt) agencies.

In any case, it's also different parts of the tech stack - encrypting
everything over the wire with HTTPS is fine so long as the underlying
encryption is weak and/or the NSA have a set of keys. The FBI can always just
issue a national security letter to the party with whom you are communicating.

~~~
konklone
> People think "The Federal Government" is a monolith, and they could not be
> more mistaken. It is a collection of individual entities, operating largely
> independently and often at odds with one another.

That's definitely an accurate description of the US federal government.

------
lurker2015
Haven't had a chance to look at the content itself yet, but do you cover FIPS
at all? Our company is wanting to sell product to the U.S. Federal govt and it
turns out we need to improve our TLS (data-in-transport) implementation to use
FIPS-validated crypto providers. It'd be nice to understand why simply using
strong TLS v1.2 cipher suites is not enough and we need to also plugin a
special crypto provider.

~~~
KMag
The reason for requiring a FIPS-validated crypto provider is that it means the
crypto provider has been audited by a vetted auditor. In order to carry sensitive
information, the crypto needs to be audited by a vetted auditor. "The CIO's
nephew totally coded up the crypto last summer, just trust us that it's good"
doesn't cut it when handling sensitive government data. In particular, it
means that random values are generated by a FIPS-certified generator, not just
srandom(time()^getpid()); int x = random(); int y = random(); int z =
random(); The government needs some kind of auditing standard and practice for
systems that handle sensitive information. FIPS is far from perfect, but it
gives a good lower bound on what the government is buying.

~~~
mieko
FIPS is bureaucratic government red tape, and nothing else. It gives the "US
Department of Whatever" and their contractors someone to blame when there's a
fuck up.

No one respected in cryptography that I've met, or read papers from, would
stand behind it as a seal that'd mean anything in actual security (please,
_someone_, prove me wrong: I want to see SOME light in this tunnel). There
are private entities with much more sensitive information than the U.S.
Government, and the ones that take it seriously easily surpass FIPS (in
purpose, not paper) with good engineering, because they can't hide behind a
rubber stamp.

Not too long ago, I was on a team that was required to keep a FIPS-certified
(FIPS 140-2) binary blob in production for months while there were known
exploits against it. If you _actually_ care about keeping amateur algorithms
and implementations out of sensitive situations (vs. "Proving You Care via
Paperwork"), you'd do better to follow Google or Facebook's security blogs
than FIPS, because they react faster.
