
Senator requests better https compliance at US Department of Defense [pdf] - anigbrowl
https://www.wyden.senate.gov/imo/media/doc/wyden-web-encryption-letter-to-dod-cio.pdf
======
Rafuino
Used to work in the Senate and have always admired Senator Wyden and his staff
when it comes to being up to date on important technical issues like net
neutrality, domain name governance, data breach law, cybersecurity standards,
and now this.

If you have specialized technical knowledge that can inform policy of
importance (your call on how to judge that), I encourage you to engage your
senators/reps on such issues, or at least connect with the legislative
assistants in the offices who cover these issues. Give your senators/rep's DC
office a call and ask for the LA (aka legislative assistant) and to brief
him/her on the issue at hand. Or at least offer yourself as a resource if
needed.

The best part about working in the Senate was being able to call up someone
and ask for a briefing on an issue, and most would help out. Those that
reached out proactively made life much easier, and, seriously, the squeaky
wheel gets the grease in the policy world. Groups like I Am The Cavalry have
done great work bringing together cybersecurity experts to raise awareness of,
and push action, toward addressing vulnerabilities in systems that, if
compromised, could cause major harm (think cars, medical devices, etc.). If
you can form a group like that in your area of expertise, you can be more
effective. Okay, off my soapbox for now.

~~~
craftyguy
Well, I would encourage my senator on such issues, but my senator is Wyden.
Here goes another "thank you, keep up the good work" letter.

~~~
saghm
You don't have two senators?

~~~
craftyguy
Merkley tends to have a similarly straight head on his shoulders.

------
PW_Ops_Guy
My team and I are the folks that have been fighting to make exactly this
happen in DoD for years. We provide web hosting for the DoD Public Affairs
community; we host 785 of DoD's top websites including defense.gov, af.mil,
marines.mil, navy.mil, etc. For a deeper understanding of the issue, I have
written a few blog posts about this to inform my stakeholders (links below).

Delivering public DoD websites using commercially-signed certificates was
nearly impossible until January of this year when DoD CIO signed a memo
titled, "Commercial Public Key Infrastructure (PKI) Certificates on Public-
Facing Unclassified Web Servers." That memo enabled us to use commercial DV
certificates to deliver public-facing .mil websites and will save the taxpayer
millions of dollars. The day we got that memo was a very good day; we've been
trying to get this change made for literally more than 10 years.

My team and I are passionate about our work, and we refuse to be another
typical DoD information system that's down all the time, impossible to use,
and only works on some archaic version of IE. The truly frustrating part of
this is that we're already doing exactly what the Senator is asking, but I
have no way to let him know. Yay bureaucracy.

Here are the links to the blog posts discussing this: 1 -
[http://publicweb.dodlive.mil/2016/10/06/why-doesnt-my-
public...](http://publicweb.dodlive.mil/2016/10/06/why-doesnt-my-public-
website-use-https/) 2 - [http://publicweb.dodlive.mil/2017/09/19/still-no-
https-for-d...](http://publicweb.dodlive.mil/2017/09/19/still-no-https-for-
dma-hosted-websites/) 3 - [http://publicweb.dodlive.mil/2018/04/02/https-
breakthrough/](http://publicweb.dodlive.mil/2018/04/02/https-breakthrough/)

~~~
616c
What group? USDS Defense Digital Service? Would be interested to know of such
initiatives.

~~~
PW_Ops_Guy
We are the Defense Media Activity. You can check us out here:
[https://www.dma.mil/Services/DOD-Public-
Web/](https://www.dma.mil/Services/DOD-Public-Web/). We have worked with the
DDS, the DoD incarnation of USDS, on several initiatives.

------
ipsin
Wyden is a treasure. He's also, to my mind, the one who precipitated the
Snowden leaks.

Wyden asked Clapper if the NSA collected data on Americans. Clapper lied.
According to Snowden's account, that's what set him in motion. Even if that
account is not true, I want lawmakers to be asking that kind of tough and
well-thought-out question.

~~~
rosege
According to Clapper he misunderstood the question and thought they were
asking about something previously just asked. Heard him interviewed on the BBC
just a day or so ago where they asked him about it - and he said he hasn't
previously lied in the hundreds of times he's appeared so why would he now. So
I guess people can make up their own minds.

~~~
lern_too_spel
The previous question was about whether the NSA builds dossiers on all
Americans, which is a far cry from having a database of phone call metadata
not linked to PII used to find phone numbers of associates of malicious
foreign agents.

Also, GP's timeline is backward. Snowden reached out to Greenwald four months
before that hearing.

~~~
knorker
Uhm, phone call metadata is PII.

IANAL, but if you have phone call metadata and you think it's not in scope for
GDPR then you'll be disappointed.

------
ihattendorf
AFAIK, the point of the DoD Root CA is to avoid trusting an external entity
not to intercept military traffic. Most .mil HTTPS sites that are intended to
be accessed by the public (like
[https://www.army.mil/](https://www.army.mil/)) are signed by a regular Root
CA, while internal sites use the DoD Root CA.

~~~
netheril96
But any CA can issue certificates for any domain in our current system. Sure,
you can always manually inspect the certificate and see if the root CA is
expected. But does anyone do that at all?

~~~
zjs
Any CA can issue certificates for any domain, but they may not be permitted to
do so.

Certification Authority Authorization (CAA) DNS records can be used to
indicate which CA is authorized to issue certificates for a domain. The
CA/Browser Forum requires all certificate authorities to check CAA records
prior to issuance.
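
As an added example (mine, not code from this thread or from any CA), here is the
authorization decision a CA makes under RFC 8659 once it has the CAA records,
run against a constructed in-memory zone instead of live DNS so it works
offline. It climbs from the requested name toward the root, uses the first CAA
set it finds, applies `issuewild` to wildcard requests when present, treats an
empty issuer (`issue ";"`) as deny-all, and stops on an unknown tag with the
critical bit set. The zone contents, the domain names and the CA identifiers
are all made up.

```python
"""Added example, not code from the thread or from any CA: the CAA
authorization decision a CA makes under RFC 8659, run against a constructed
in-memory zone so it works offline. A real CA would query DNS for this."""
from __future__ import annotations
from dataclasses import dataclass

CRITICAL = 128  # RFC 8659 "issuer critical" flag bit


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone: owner name -> CAA RRset. Names, records and CA identifiers
# are made up for the example; they are not real DNS data.
ZONE: dict[str, list[CAA]] = {
    "example.mil": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issue", "digicert.com; accounturi=https://acme.invalid/acct/42"),
        CAA(0, "issuewild", ";"),  # empty issuer: no CA may issue wildcards
        CAA(0, "iodef", "mailto:security@example.mil"),
    ],
    "locked.example.mil": [
        CAA(0, "issue", ";"),  # empty issuer: no CA may issue at all
    ],
    "strict.example.mil": [
        CAA(CRITICAL, "futuretag", "x"),  # unknown tag with critical bit set
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_record_set(domain: str) -> list[CAA]:
    """RFC 8659 section 3: climb from the name toward the root and use the
    first non-empty CAA RRset found; an empty result means 'no CAA anywhere'."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_of(value: str) -> str:
    """The issuer domain name is everything before the first ';'; parameters
    such as accounturi follow it. Comparison is case-insensitive."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, requested: str) -> bool:
    """True if the CA identified by `ca` (e.g. 'letsencrypt.org') is permitted
    to issue a certificate for `requested`, which may be a wildcard name."""
    wildcard = requested.startswith("*.")
    name = requested[2:] if wildcard else requested
    rrset = relevant_record_set(name)
    if not rrset:
        return True  # no CAA policy in the tree: issuance is unrestricted
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False  # unrecognised critical property: must not issue
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # issuewild governs wildcards only when present; otherwise issue applies
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # RRset exists (e.g. only iodef) but places no restriction
    return any(issuer_of(r.value) == ca.lower() for r in applicable)


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.mil"),
                     ("comodoca.com", "www.example.mil"),
                     ("letsencrypt.org", "*.example.mil"),
                     ("letsencrypt.org", "sub.locked.example.mil")]:
        print(f"{ca:16} {name:24} {'ALLOWED' if may_issue(ca, name) else 'DENIED'}")
```

The point worth keeping next to this: nothing in it runs on the client. CAA
binds the CA at issuance time and is only as good as the CA's own check; a
browser validating a certificate never consults CAA, which is why detecting a
CA that skipped the check falls to Certificate Transparency logs rather than to
the TLS handshake.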

~~~
netheril96
> The CA/Browser Forum requires all certificate authorities to check CAA
> records prior to issuance.

And what if a CA fails to check CAA records? Revoke their status as an
authority? By then attackers may have already obtained highly confidential
information from DoD sites.

------
nathanaldensr
What an excellent letter. It appears that this Senator knows what he is
talking about, or is at least very well informed by those around him. I wish
more people--not just those in government--were this informed about these very
serious issues.

~~~
adw
That would be Chris Soghoian:
[https://en.wikipedia.org/wiki/Christopher_Soghoian](https://en.wikipedia.org/wiki/Christopher_Soghoian)

~~~
schoen
... who is HN user csoghoian:

[https://news.ycombinator.com/threads?id=csoghoian](https://news.ycombinator.com/threads?id=csoghoian)

and very disciplined about not using social media while working in the Senate!

------
arbuge
Commendable but he should set an example and do something about his footer:
HTTP://WYDEN.SENATE.GOV.

~~~
theandrewbailey
I got a 301 redirect to HTTPS when I tried going there.

~~~
Ajedi32
Still better to link directly to the HTTPS page to prevent SSL stripping.
Unless the site is already on the HSTS preload list of course; then it doesn't
really matter.
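
An added example (mine, not the commenter's and not code from any site in the
thread) of the checks behind that advice: a first-hop redirect from plain HTTP
to HTTPS on the same host, a parsed Strict-Transport-Security header, and the
preload-list submission rules (max-age of at least one year, includeSubDomains,
preload) as hstspreload.org documents them, simplified to what a single
response pair can show. The host name and both responses are constructed; wire
it to a real client with redirects disabled to check a live site.

```python
"""Added example, not code from the thread or from any site it mentions:
the checks behind 'link to https:// directly unless you are on the HSTS
preload list'. It inspects a constructed response pair (plain-HTTP hop and
HTTPS response) the way a browser and the hstspreload.org submission rules
do, simplified to what two responses can show; it makes no network calls."""
from __future__ import annotations
from urllib.parse import urlsplit

ONE_YEAR = 31_536_000  # seconds; smallest max-age hstspreload.org accepts


def _header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def parse_hsts(header: str | None) -> dict[str, object] | None:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.
    Returns None when the header is absent or invalid (no/garbled max-age)."""
    if header is None:
        return None
    policy: dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        directive, _, value = raw.strip().partition("=")
        d, v = directive.strip().lower(), value.strip().strip('"')
        if d == "max-age":
            if not v.isdigit():
                return None
            policy["max_age"] = int(v)
        elif d == "includesubdomains":
            policy["include_subdomains"] = True
        elif d == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    return policy if policy["max_age"] is not None else None


def redirects_to_https_same_host(host: str, status: int, headers: dict[str, str]) -> bool:
    """First hop from http://host must land on https://host, not another name:
    a cross-host redirect leaves the https hop outside this host's HSTS scope."""
    if status not in (301, 302, 307, 308):
        return False
    u = urlsplit(_header(headers, "Location") or "")
    return u.scheme == "https" and (u.hostname or "").lower() == host.lower()


def hsts_report(host: str, http_status: int, http_headers: dict[str, str],
                https_status: int, https_headers: dict[str, str]) -> dict[str, bool]:
    """One finding per check; True means the check passes. Only the HTTPS
    response's STS header counts: a browser ignores one sent over plain HTTP
    (RFC 6797 section 8.1)."""
    policy = parse_hsts(_header(https_headers, "Strict-Transport-Security"))
    return {
        "http_redirects_to_https_same_host": redirects_to_https_same_host(host, http_status, http_headers),
        "https_serves_ok": 200 <= https_status < 400,
        "hsts_present": policy is not None,
        "hsts_max_age_at_least_one_year": bool(policy and policy["max_age"] >= ONE_YEAR),
        "hsts_include_subdomains": bool(policy and policy["include_subdomains"]),
        "hsts_preload_directive": bool(policy and policy["preload"]),
    }


def preload_eligible(report: dict[str, bool]) -> bool:
    """Simplified hstspreload.org rule: every check above must pass."""
    return all(report.values())


if __name__ == "__main__":
    # Constructed responses for a made-up host; not captured from a real site.
    host = "www.example.mil"
    good = hsts_report(host, 301, {"Location": "https://www.example.mil/"},
                       200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})
    weak = hsts_report(host, 302, {"Location": "https://cdn.example.mil/"},
                       200, {"strict-transport-security": "max-age=300"})
    for label, rep in (("good", good), ("weak", weak)):
        failed = [k for k, ok in rep.items() if not ok]
        print(label, "preload-eligible" if preload_eligible(rep) else f"not eligible: {failed}")
```

The reason the HTTP-side header is ignored is the whole argument for preloading:
a browser only records an HSTS policy from a response it received over a
successfully validated TLS connection, so the very first plain-HTTP visit is
the window an SSL-stripping attacker needs, and only a preloaded entry (or a
direct https:// link) closes it.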

------
nimbius
As a veteran can we please get someone to look at the patchwork of expired
certificates and questionable CN's that exists as the VA Benefits system? I
swear the handshakes are coming live from some old half-retired grunt in the
payroll department.

~~~
deaps
That's odd - the VA pretty much leads the way with compliance on this...

It's literally the only agency listed with over 15 sites that is greater than
99% compliance.

[https://pulse.cio.gov/https/agencies/](https://pulse.cio.gov/https/agencies/)

------
me_here_alone
Oh you have no idea how welcome this is. As a member of the National Guard, we
are expected to use our own personal equipment to access DoD websites. It is a
constant battle of certificates that are not recognized, expired, many other
things. The Army maintains a gold image for all active duty computers, but us
silly part time soldiers who try to use our own equipment are completely
screwed.

Just this month alone I have been 'mandated' to sign multiple documents and
complete on-line courses that I cannot access due to the Army making
everything only Microsoft compatible. So many sites are years old, still making
ancient calls to Internet Explorer functions.

The simple act of fixing the certificate issues would eliminate half the
frustration right now. The second thing they need to do is mandate that any
site has to operate with all the major browsers, and not just ancient versions
of IE.

------
gerdesj
That is a letter from a US Senator requiring the CIO of the US DOD to provide
him with progress on the deployment of TLS and enforcing it with HSTS.

In the UK, the Home Secretary (who really ought to know better) once memorably
wittered on about "hashtags" (1). I suggest that Ron Wyden off of Oregon is
either or both of well informed and knowledgeable in IT matters.

(1)
[https://www.theregister.co.uk/2017/04/03/uk_home_secretary_a...](https://www.theregister.co.uk/2017/04/03/uk_home_secretary_amber_rudd_hashing_not_hashtags/)

~~~
meritt
Wyden is the most knowledgeable legislator we have when it comes to
technology. Here's him explaining Net Neutrality [1] and urging a 'no' vote
[2] on Ajit Pai's FCC nomination.

Here's a letter [3] from him a year ago urging the importance of two-factor
authentication.

[1] [https://www.c-span.org/video/?c4698027/senator-ron-wyden-
net...](https://www.c-span.org/video/?c4698027/senator-ron-wyden-net-
neutrality)

[2] [https://www.c-span.org/video/?434822-2/senator-wyden-ajit-
pa...](https://www.c-span.org/video/?434822-2/senator-wyden-ajit-pai-fcc-
nomination)

[3] [https://www.wyden.senate.gov/imo/media/doc/Two-
Factor%20Auth...](https://www.wyden.senate.gov/imo/media/doc/Two-
Factor%20Authentication%20April%2020,%202017.pdf)

~~~
vvanders
Wyden is a treasure, plus he's a fan of oshpark[1]!

[1]
[https://twitter.com/RonWyden/status/896012835448381441](https://twitter.com/RonWyden/status/896012835448381441)

------
westurner
The "Mozilla SSL Configuration Generator" has a checkbox for 'HSTS enabled?'
and can generate SSL/TLS configs for Apache, Nginx, Lighttpd, HAProxy, AWS,
ELB. [https://mozilla.github.io/server-side-tls/ssl-config-
generat...](https://mozilla.github.io/server-side-tls/ssl-config-
generator/?hsts=yes)

You can select 'nginx', then 'modern', and then 'apache' for a modern Apache
configuration.

Are the 'modern' configs FIPS compliant?

What browsers/tools does requiring TLS 1.3 break?

~~~
tialaramex
Because TLS 1.3 is sat in the Editor queue patiently alongside other RFCs
there isn't, or shouldn't be, any software compatible with TLS 1.3 today.
Implementations of the Draft 23 or other editions are deliberately
incompatible with and must be replaced by the real TLS 1.3 after the Editor is
done with it even though (as it stands) they are otherwise functionally
identical.

~~~
westurner
Firefox, Chrome, and CloudFlare all already support (DRAFT) TLS 1.3:
[https://www.ghacks.net/2017/06/15/how-to-enable-
tls-1-3-supp...](https://www.ghacks.net/2017/06/15/how-to-enable-
tls-1-3-support-in-firefox-and-chrome/)

Apache mod_nss and nginx support (DRAFT) TLS 1.3.

The changes to allowed ciphers in TLS 1.3 could be implemented by modifying
webserver config (e.g. as produced by the aforementioned Mozilla config
generator tool). IDK what versions of (unupgraded) browsers that would cut
off.

------
cakes
This would be great...but it seems more likely that what happens if a forcing
function is applied is that anything in the current gray area (gray area is
putting it nicely) of using the DoD Root CA will likely just become not
publicly accessible, whether or not it makes sense to do that for the resource
(e.g. webmail).

Again, this would be awesome, but as a DoD civilian employee...I don't see it
happening in a good way.

------
saagarjha
Unrelated, but it would be nice if someone OCRed so that the text is
accessible. Otherwise it's just a high-quality scan.

~~~
kiallmacinnes
I was wondering something similar. It's clearly a typed letter, but it's
offset from the letterhead. Was this scanned and placed onto the letterhead?

I don't understand how that crookedness happens. I don't think it was a
crooked page placed into a typewriter, but I also can't explain why it would
be printed, scanned at an angle, placed onto letterhead, and then published.

All that said - the senator seems reasonably well informed and asking some
good questions - even if his final suggestion for the US military to use Let's
Encrypt made me cringe a little :)

~~~
kankroc
I keep seeing people putting Let's Encrypt down. What is so wrong with it?

~~~
kiallmacinnes
> I keep seeing people putting Let's Encrypt down.

That was not my intent at all. I use and love Let's Encrypt's service.

The comment was intended more around the fact that the US Military (and many
large businesses) would never, and should never, rely on a free service like
that.

Let's Encrypt is great, I love it, I'd personally use it for business - but if
I'm that large, I'm going to need a support contract + binding SLA + etc. with
every IT vendor - Let's Encrypt doesn't do these.

~~~
tialaramex
Maybe, but on the other hand, Let's Encrypt's organisation ISRG is a US
charity, so it's not a foreign entity, and its nature avoids scenarios where
the DoD gets ripped off.

There aren't many US-based large CAs that would be in a position to offer the
appropriate thing here, an API that all the DoD's disparate IT organisations
can use to sort out certificates for outward-facing web sites, mail servers,
etcetera. It would also be nice (for Congress in particular) for this not to
add another budget line item.

It appears that IdenTrust (the small CA that cross-signed Let's Encrypt) used
to provide services into the DoD, perhaps they still do, and doubtless they'd
like a juicy DoD contract for more of that, but are they in a position to
offer ACME (or a proprietary equivalent)? Do they handle the scale to just
shove 50 000 DoD site certificates out the door like it's nothing (which Let's
Encrypt absolutely could)?

Big Hitters in this space today are: Let's Encrypt, Comodo (British, not
American), DigiCert (possibly an option), GoDaddy (surely not), GlobalSign
(Belgian / Japanese). After that it's all small potatoes, and a five person
company that issues less than a thousand certificates per week is not the
right size for a DoD national contract.

Long term the US Government had expressed interest via 18F in actually running
a "real" CA, to be limited (in clients like Firefox that know how) to the .gov
TLD but you can imagine it's not hard to add .mil there. However 18F is not
what it once was under Trump. This is not a good time to be in Washington if
your goal isn't to stuff as much cash as possible into your underwear and then
waddle off into the sunset, so I'd guess the CA plan is back-burnered and
maybe dead for good.

------
mvd7793
This is awesome. :D I hope we see more stuff like this.

