Accessing the Information Assurance Website (nsa.gov)
19 points by aaronharnly on June 29, 2016 | hide | past | web | favorite | 14 comments



This is not a 'self-signed' certificate. This is an internal DISA Certificate Authority.

Edit: Looking a bit closer, this is a web application that uses the CAC for client-certificate authentication. Odds are if you have a reason to be going to this site, you already have this CA cert installed, and are using your CAC to auth against it.


Indeed, perhaps the title could be adjusted by a mod to make it less potentially misleading?


That's true! I started with "asks you install a custom certificate authority" but the title got a bit long...


They aren't "self-signed", they're signed by the DoD certificate authorities (which probably requires more paperwork and due diligence than getting a certificate issued by GoDaddy, Comodo, etc.).


Indeed:

http://www.disa.mil/~/media/Files/DISA/Services/UCCO/APL-Pro...

For high-security (esp Type 1), they're also a system for generating and managing keys that the NSA controls:

https://en.wikipedia.org/wiki/EKMS


Genuine question: what's the big deal with using a custom CA?


Nothing, if you know your intended users will have that CA's root in their trust store, as the NSA likely does.

A self-signed certificate is one generated on the hosting device itself - the actual webserver hosting the site - there is no chain of trust to a root certificate that could be in someone's trust store and consequently no way to know if there is a man-in-the-middle.


Self-signing allows you to counter MITM just fine, as you trust a specific certificate.

A trust allows you to manage revocation easily and it doesn't require you to trust 100s or 1000s of certificates independently.
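The two comments above (a self-signed cert has no chain to a root in the trust store; pinning the specific cert still defeats a MITM) can be checked directly. The following is an added example, not code from the thread: it uses Ruby's standard OpenSSL binding to mint a constructed private root CA (a stand-in for a DoD/DISA root), a server cert issued by it, and a self-signed server cert, then verifies each leaf against trust stores with different anchors. All names and keys are constructed for the example.

```ruby
require 'openssl'

# Mint an X.509 v3 certificate. With no issuer the cert signs itself.
def make_cert(cn, key, serial, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true)) if ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Verify a leaf against a trust store holding exactly the given anchors.
# Returns [ok, reason] so the caller can see why a chain was rejected.
def verify_against(leaf, anchors)
  store = OpenSSL::X509::Store.new
  anchors.each { |a| store.add_cert(a) }
  ok = store.verify(leaf)
  [ok, ok ? 'ok' : store.error_string]
end

# Constructed PKI: a private root (think DoD root CA), a server cert it issued,
# and a self-signed cert generated on the web server itself.
ROOT_KEY    = OpenSSL::PKey::RSA.new(2048)
ROOT_CA     = make_cert('Example Private Root CA', ROOT_KEY, 1, ca: true)
SRV_KEY     = OpenSSL::PKey::RSA.new(2048)
CA_SIGNED   = make_cert('iad.example.test', SRV_KEY, 2, issuer: ROOT_CA, issuer_key: ROOT_KEY)
SELF_SIGNED = make_cert('iad.example.test', SRV_KEY, 3)

if __FILE__ == $PROGRAM_NAME
  # CA-issued leaf: trusted only once the private root is in the store.
  p verify_against(CA_SIGNED, [ROOT_CA])      # [true, "ok"]
  p verify_against(CA_SIGNED, [])             # [false, "unable to get local issuer certificate"]
  # Self-signed leaf: no chain to any root; trusted only when pinned explicitly.
  p verify_against(SELF_SIGNED, [])           # [false, ...]
  p verify_against(SELF_SIGNED, [SELF_SIGNED]) # [true, "ok"]
end
```

Removing the root from the store (the revocation-by-trust-store case) rejects every cert it issued at once, whereas pinned self-signed certs have to be removed one by one.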


This seems perfectly appropriate. Who else is gonna sign their certs?

We trust us, you should trust us and we don't trust anyone else.


This practice cuts them off from the regular web. For example, suppose one wanted to link to their Guidelines for Securing Industrial Control Systems -- a client browser gets an error unless they've installed the DoD CA.


Generally, the DoD root CA is only used on websites that are not intended for public consumption.

That said, as a civilian security professional, I have the DoD root CA imported on my workstations because I do run into sites signed by it from time to time, but usually in the course of looking up things specific to federal contracts.


Why is this newsworthy? I'm no security expert.


It's technical people of some notoriety being vaguely clever about high-brow qualifications, and at a certain level of humorousness, involves recursion.


It isn't.



