
US Senate website says use HTTP instead of HTTPS - kurttheviking
https://www.senate.gov/
======
raimille1
Excuse the ignorance, but what's the problem if it's purely an informational
read only site? There's no logins, prompts, messaging that can be exploited.
What's the problem of it being unencrypted?

Don't get me wrong I'm all for https when there's user information to be
protected back and forth, I just don't see the applicability for it here.

~~~
ketralnis
Theoretical, but:

1. MITM to return fraudulent data ("click here to input your personal data to
collect your government cheque from this new federal grant!")

2. Recording browsing activity ("gee Mr. Smith, you sure do spend a lot of
time looking up laws about X. Seems like a good thing to blackmail you about")

Working those into actual problems is an exercise for the reader, but they're
mostly what https is for

There is also the benefit that HTTPS is harder to mass-surveil, and harder for
your ISP to play shenanigans like injecting their adverts and tracking headers
into the page ([https://www.eff.org/deeplinks/2014/11/verizon-x-uidh](https://www.eff.org/deeplinks/2014/11/verizon-x-uidh))

~~~
Puts
> Recording browsing activity

Yes, let's protect users visiting public available information from all the
malicious eavesdroppers, while still posting all page requests to Google
analytics...

~~~
boomlinde
While protecting visitors' information from malicious eavesdroppers doesn't
change the fact that the site they are visiting may willingly be sending such
data to a third party, it does prevent malicious eavesdroppers.

There are several levels of trust involved. HTTPS goes a great length to
ensure that the link between the client and the server is not compromised.
That the service may be malicious itself or unconcerned with privacy is a
different problem that you have to solve in some other way. That doesn't make
secure connections any less of a problem.

------
demarq
I also noticed it seems blocked from access outside the US...

so what would happen if a traveling american wants to access it?

edit: FYI I'm trying from Kenya. edit2: Using my phone I'm able to switch
between wifi, and mobile and on mobile it is unblocked. hmmm

Also for those who don't see the Access Denied page but are curious, here is
what it reads in full.

--------------------

Access Denied

You don't have permission to access
"http://serve-403-www.senate.gov/" on
this server. Reference #xx.xxxxxxxx.xxxxxxxxxx.xxxxxxxx

---------------------

It seems it has little to do with geography. It's an IP thing.

~~~
joantune
Portugal, no probs, are you confusing 'blocked' with the stupid message
redirecting to http?

Which country are you in? Now I'm curious. China?!

~~~
demarq
nope, "ACCESS DENIED"

and also I accessed the site from the US (tunnel ;-) and it was unblocked, and
then I saw the redirect to http.

~~~
joantune
Sorry, most likely I edited my comment after you replied. Which country are
you in?

~~~
demarq
Kenya

------
logicallee
How strange, I changed it to http as asked. For me it then asked for my social
security number to login and then I needed to confirm some of my banking
information for the IRS. I'd expect that to be information you'd want to
protect!! I actually double checked to make sure I wasn't on a phishing site
but I was safe: "senate.gov" why did they need my banking information? Oh
well.

The above is fiction, but an easy scenario under HTTP. Any AP (wifi access
point, like at a cafe) can do it...

~~~
blowski
Also, oh the Senate is telling me I have to install this software to view the
website. Well it is the US Senate, so I guess I'll click OK.

~~~
labster
It's probably Dianne Feinstein spyware installer. Don't worry, they'll only
look at your data for important reasons.

------
jrapdx3
Attempted to write to one of my senators. To do so online requires using the
web form on the senator's "contact" page. It says only messages from the
senator's constituents will be accepted, so it's necessary for the author to
share some identifying info.

I don't know how much checking is done to assure the writer really is a
constituent, probably there's some lookup of street addresses, zip codes, etc.

Main point is that the senator's contact page does use https. This is
appropriate given that personal info is shared per the contact form. I don't
think any other senate pages accept input, so maybe their reasoning is that
http vs. https is less critical on other parts of the site.

~~~
ohitsdom
Understood, but the contact link could be maliciously changed through a MITM
attack (which would be prevented if the whole domain was accessible through
HTTPS).

------
RijilV
Weird, they're hosted on Akamai. Even weirder, it doesn't appear that
www.senate.gov supports IPv6.

~~~
killbrad
What's weird about them not supporting ipv6?

~~~
RijilV
Well, briefly - the General Services Administration declared "By September 30,
2014, agencies needed to update their public networks to Internet Protocol
Version 6 (IPv6)"

There is an exception process, but Akamai already supports IPv6 (though they
do charge extra for it, booo!). You'd like to think something as high
visibility (PR, not web traffic) as senate.gov would comply with the GSA.

[http://gsablogs.gsa.gov/technology/2014/01/02/1128/](http://gsablogs.gsa.gov/technology/2014/01/02/1128/)

~~~
labster
The US Senate is not an agency. They are a branch of Congress, and therefore
definitely not required to do anything an executive agency tells them to do --
especially if it's reasonable like implementing HTTPS.

~~~
konklone
Yes, IPv6 is a White House (not GSA) mandate, like
[https://https.cio.gov](https://https.cio.gov). It doesn't apply to the
legislative or judicial branches, and in that blog post, GSA is advertising
the services it can offer other agencies to help them achieve IPv6 compliance.

------
zeckalpha
See also: [https://https.cio.gov/](https://https.cio.gov/)

I suspect they haven't caught up with the mandate.

~~~
konklone
As a White House memorandum, that mandate only applies to the executive
branch.

Though the GSA's HTTPS adoption dashboard does include legislative branch
domains, including senate.gov:

[https://pulse.cio.gov/https/domains/#q=legislative](https://pulse.cio.gov/https/domains/#q=legislative)

~~~
willnorris
Somewhat confusingly, pulse.cio.gov lists senate.gov as supporting HTTPS with
an 'A' from SSL Labs. While that is of course technically correct, it doesn't
tell the full story, since no actual content is served over HTTPS.

Would it be worth trying to update pulse.cio.gov to detect cases like this?
That's non-trivial to do in a reliable automated fashion, but seems like it
might be worth the effort?

~~~
konklone
Yeah, I'm torn on it. It's clearly not the right information. But one of the
benefits of an automated approach is that everyone's being treated equally,
and people can't complain about unfair treatment.

In the case of the Senate, their current configuration prevents them from
using HSTS or enforcing HTTPS, so the other columns will still show as
lacking.

------
Reason077
I'd forgotten how _fast_ everything loads if you use http instead of https.

It's quite refreshing to not have that initial half-second or so lag that you
get when loading an https page.

Hopefully we'll make back some of the difference once http/2 is more
widespread.

~~~
witty_username
Well, for me that's only true for the first time I visit a website.

HN, for example, loads in less than half a second, due to using a CDN (i.e.
Cloudflare).

With CDNs, the RTTs are small enough to not matter.

------
sacheendra
Can someone tell me why this might have been required?

What are the situations which might prompt a developer to make their users use
http instead of https?

~~~
blowski
At a guess, it was built years ago by an agency selected on the basis of
anything other than technical competence. As a result it probably has
thousands of hard coded HTTP links and an oddly configured out of date web
server.

Given the 'encryption is only used by terrorists' climate, spending the time
and money to make it work for https sounds like a hard sell.

No sources, but I have done some work in UK public sector and that kind of
story would match.

~~~
SFJulie
Well, it does the job, and if it ain't broken why fix it?

~~~
unepipe
It creates an easy vector for MITM attacks - could be done by nefarious
parties on US citizens traveling in other countries for example.

~~~
SFJulie
So looking up who your senators are is putting you at risk?

Isn't it a tad paranoid?

------
willvarfar
Well, if you've got nothing to hide...

;)

------
mind-blight
I can't load the senate.gov website with the HTTPS Everywhere browser plugin.
The plugin redirects the senate HTTP URL back to the No HTTPS warning. It's
easy to get around by going incognito, but this would seriously confuse the
average user.

~~~
ohitsdom
The average user doesn't have the HTTPS Everywhere plugin, and I assume most
that do have it installed are used to dealing with this kind of bad
configuration.
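
To make concrete the detection willnorris asks about (a domain that "supports HTTPS" yet serves no content over it) and the redirect loop mind-blight hits with HTTPS Everywhere, here is an added Python illustration. It is not code from pulse.cio.gov, from the Senate's site, or from anyone in this thread. The responses are constructed in-line to mirror what the thread describes (https://www.senate.gov/ answering with a redirect to http://), and the `example.gov` comparison site, the `Response` type and the injectable `fetch` callback are assumptions of the example, not anything the dashboard actually does.

```python
"""Classify a domain's HTTPS posture from its redirect chains.

Added example (not pulse.cio.gov's or senate.gov's code). Responses are
constructed in-line so it runs offline; `fetch` is injectable so the same
classifier could be pointed at a real HTTP client.
"""
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
MAX_HOPS = 10


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # assumed lowercase keys


def follow(url, fetch, upgrade_to_https=False):
    """Follow redirects from url. Returns (final_url, chain, state) where
    state is "ok", "loop", "too_many_hops" or "unreachable".
    upgrade_to_https mimics an HTTPS-upgrading extension: every http:// URL
    is rewritten to https:// before it is requested."""
    chain, seen = [], set()
    for _ in range(MAX_HOPS):
        if upgrade_to_https and url.startswith("http://"):
            url = "https://" + url[len("http://"):]
        if url in seen:
            return url, chain, "loop"
        seen.add(url)
        try:
            resp = fetch(url)
        except ConnectionError:
            return url, chain, "unreachable"
        chain.append((url, resp))
        loc = resp.headers.get("location")
        if resp.status in REDIRECTS and loc:
            url = urljoin(url, loc)
            continue
        return url, chain, "ok"
    return url, chain, "too_many_hops"


def classify(domain, fetch):
    """Posture columns a dashboard could show for one domain."""
    https_url, https_chain, https_state = follow(f"https://{domain}/", fetch)
    http_url, http_chain, http_state = follow(f"http://{domain}/", fetch)
    _, _, ext_state = follow(f"http://{domain}/", fetch, upgrade_to_https=True)

    def is_https(u):
        return urlsplit(u).scheme == "https"

    def landed(chain, state):
        return state == "ok" and bool(chain) and chain[-1][1].status == 200

    # "Supports HTTPS" only means the TLS endpoint answered something.
    supports_https = https_state != "unreachable" and bool(https_chain)
    content_over_https = landed(https_chain, https_state) and is_https(https_url)
    downgrades_to_http = supports_https and https_state == "ok" and not is_https(https_url)
    enforces_https = landed(http_chain, http_state) and is_https(http_url)
    # Browsers only honour HSTS on responses received over HTTPS.
    hsts = any(is_https(u) and "strict-transport-security" in r.headers
               for u, r in https_chain)
    return {
        "supports_https": supports_https,
        "content_over_https": content_over_https,
        "downgrades_to_http": downgrades_to_http,
        "enforces_https": enforces_https,
        "hsts": hsts,
        # Adding HSTS to a site that downgrades would trap every visitor
        # in the same loop the upgrading extension hits below.
        "hsts_safe_to_add": supports_https and not downgrades_to_http,
        "https_upgrade_extension": ext_state,
    }


# Constructed response tables (assumed, not captured from the real sites).
SENATE_LIKE = {
    "https://www.senate.gov/": Response(302, {"location": "http://www.senate.gov/"}),
    "http://www.senate.gov/": Response(200, {"content-type": "text/html"}),
}
GOOD_SITE = {
    "http://example.gov/": Response(301, {"location": "https://example.gov/"}),
    "https://example.gov/": Response(200, {"strict-transport-security": "max-age=31536000"}),
}


def make_fetch(table):
    def fetch(url):
        if url not in table:
            raise ConnectionError(url)
        return table[url]
    return fetch


if __name__ == "__main__":
    print(classify("www.senate.gov", make_fetch(SENATE_LIKE)))
    print(classify("example.gov", make_fetch(GOOD_SITE)))
```

For the Senate-like table the classifier reports `supports_https` true but `content_over_https` false, `downgrades_to_http` true, `hsts_safe_to_add` false, and the upgrading-extension walk ends in `"loop"`, which is exactly the split between the SSL Labs grade and the missing "enforces HTTPS" and HSTS columns that konklone describes.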

------
willvarfar
I wondered if there were any senator contact forms etc but I couldn't find
any. However, you can use the 'find your senator' drop-down top-right to find
a senator's private website contact form. Those I looked at were all
unencrypted too.

------
sathackr
Perhaps they don't have the resources to serve all requests over https at this
time?

------
blackhaz
And it's OK. This "HTTPS everywhere" concept is damaging. I think it should be
revised. The amount of overhead and the lack of ability to optimize encrypted
content for transferring over, say, satellite or other radio links, is bad.
Lots of people still use very expensive (>$2,000 per Mbps) long-RTT
connections that would benefit immensely from content optimization techniques.
And most of them are cost-sensitive because they live in developing countries.

~~~
beedogs
This is almost as bad as when people were arguing against long signatures on
Usenet.

https is the least of your worries in terms of overhead.

~~~
sleepychu
> benefit immensely from content optimization techniques. And most of them are
> cost-sensitive because they live in developing countries

You can't optimise the size of encrypted content until you've downloaded it.
It could go through a third party on your behalf but then they argue, what's
the point in the encryption at all.

