Hacker News new | comments | ask | show | jobs | submit login
Senator requests better https compliance at US Department of Defense [pdf] (senate.gov)
239 points by anigbrowl 9 months ago | hide | past | web | favorite | 54 comments

Used to work in the Senate and have always admired Senator Wyden and his staff when it comes to being up to date on important technical issues like net neutrality, domain name governance, data breach law, cybersecurity standards, and now this.

If you have specialized technical knowledge that can inform policy of importance (your call on how to judge that), I encourage you to engage your senators/reps on such issues, or at least connect with the legislative assistants in the offices who cover these issues. Give your senators/rep's DC office a call and ask for the LA (aka legislative assistant) and to brief him/her on the issue at hand. Or at least offer yourself as a resource if needed.

The best part about working in the Senate was being able to call up someone and ask for a briefing on an issue, and most would help out. Those that reached out proactively made life much easier, and, seriously, the squeaky wheel gets the grease in the policy world. Groups like I Am The Cavalry have done great work bringing together cybersecurity experts to raise awareness of, and push action, toward addressing vulnerabilities in systems that, if compromised, could cause major harm (think cars, medical devices, etc.). If you can form a group like that in your area of expertise, you can be more effective. Okay, off my soapbox for now.

I would definitely be interested in being a helpful source for a senate office on some matters. How would I go about gaining the credibility and connections required for them?

Well, I would encourage my senator on such issues, but my senator is Wyden. Here goes another "thank you, keep up the good work" letter.

You can still encourage Sen. Merkley, since you have two Senators.

You don't have two senators?

Merkley tends to have a similarly straight head on his shoulders.

My team and I are the folks that have been fighting to make exactly this happen in DoD for years. We provide web hosting for the DoD Public Affairs community; we host 785 of DoD's top websites including defense.gov, af.mil, marines.mil, navy.mil, etc. For a deeper understanding of the issue, I have written a few blog posts about this to inform my stakeholders (links below).

Delivering public DoD websites using commercially-signed certificates was nearly impossible until January of this year when DoD CIO signed a memo titled, "Commercial Public Key Infrastructure (PKI) Certificates on Public-Facing Unclassified Web Servers." That memo enabled us to use commercial DV certificates to deliver public-facing .mil websites and will save the taxpayer millions of dollars. The day we got that memo was a very good day; we've been trying to get this change made for literally more than 10 years.

My team and I are passionate about our work, and we refuse to be another typical DoD information system that's down all the time, impossible to use, and only works on some archaic version of IE. The truly frustrating part of this is that we're already doing exactly what the Senator is asking, but I have no way to let him know. Yay bureaucracy.

Here are the links to the blog posts discussing this: 1 - http://publicweb.dodlive.mil/2016/10/06/why-doesnt-my-public... 2 - http://publicweb.dodlive.mil/2017/09/19/still-no-https-for-d... 3 - http://publicweb.dodlive.mil/2018/04/02/https-breakthrough/

I've been fighting to get your friendly northern neighbour, GC, secure. One thing I can't quite square though:

Why on earth are so many supposedly important systems _so_ insecure.

For example, TLS on email servers for our military think tanks or the unclassified email servers of our intelligence agencies or militaries.

Not having S/MIME or PGP I kinda understand, but full-blown TLS? I know protocol downgrade attacks / DNS attacks / etc are a thing, but passive surveillance of email traffic is _well documented_ and a thousand times easier than something noisy involving forged DNS responses. Even if there are networks with reliable blackers for actual classified stuff, surely communicating with professors or researchers that lack clearance is also worth protecting, no?

Why is it taking decades to get simple email / server configurations fixed?

Also, why is everything so broken and why does nobody seem to care?

Take QNX for example, the supposedly secure microkernel OS that we put in ever switch, router, car, truck, nuclear power plants, military radios, etc. It had almost all the same vulnerabilities that Linux and Windows had. Broken SRNG, hardcoded backdoor⇧⌥←^h^h "maintenance password", easy privilege escalation. Hell, even the crypt function wasn't a hash! It was just a bit mixer!

What is in the way of someone at the NSA just saying: "No, don't allow this to happen. Don't let them put the operating system into a bunch of stuff that we sell on the market."

Thank you for your hard work on this! As someone who had to automate a lot of .gov interactions, these million little roadbumps you describe made my work very difficult (if lucrative).

What group? USDS Defense Digital Service? Would be interested to know of such initiatives.

We are the Defense Media Activity. You can check us out here: https://www.dma.mil/Services/DOD-Public-Web/. We have worked with the DDS, the DoD incarnation of USDS, on several initiatives.

Wyden is a treasure. He's also, to my mind, the one who precipitated the Snowden leaks.

Wyden asked Clapper if the NSA collected data on Americans. Clapper lied. According to Snowden's account, that's what set him in motion. Even that account is not true, I want lawmakers to be asking that kind of tough and well thought out question.

According to Clapper he misunderstood the question and thought they were asking about something previously just asked. Heard him interviewed on the BBC just a day or so ago where they asked him about it - and he said he hasnt previously lied in the hundreds of times he's appeared so why would he now. So I guess ppl can make up their own minds.

The previous question was about whether the NSA builds dossiers on all Americans, which is a far cry from having a database of phone call metadata not linked to PII used to find phone numbers of associates of malicious foreign agents.

Also, GP's timeline is backward. Snowden reached out to Greenwald four months before that hearing.

Uhm, phone call metadata is PII.

IANAL, but if you have phone call metadata and you think it's not in scope for GDPR then you'll be disappointed.

AFAIK, the point of the DoD Root CA is to avoid trusting an external entity not to intercept military traffic. Most .mil HTTPS sites that are intended to be accessed by the public (like https://www.army.mil/) are signed by a regular Root CA, while internal sites use the DoD Root CA.

But any CA can issue certificates for any domain in our current system. Sure, you can always manually inspect the certificate and see if the root CA is expected. But does anyone do that at all?

I guess you could have an "internal network" browser config with _only_ the DoD CA root.

Isn't that what the DNS Certification Authority Authorization (CAA) DNS record [1] is supposed to solve? Combine that with certificate transparency enforced with the `Expect-CT` header [2] and its pretty locked down. If a CA does not respect the CAA record and issues anyways, the cert will be logged to a public log. Tools like CertSpotter [3] can be setup to give notifications when certs are created. If a cert is created that should not have, then you can get an alert about it and can begin the reporting and revocation process. If a cert is created without being written to a certificate transparency log, then browsers that support `Expect-CT` header should reject it with a big error message. This works in chrome, but not yet in firefox or safari [4].

[1] https://tools.ietf.org/html/rfc6844

[2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Ex...

[3] https://sslmate.com/signup?for=certspotter

[4] https://invalid-expected-sct.badssl.com/

Any CA can issue certificates for any domain, but they may not be permitted to do so.

Certification Authority Authorization (CAA) DNS records can be used to indicate which CA is authorized to issue certificates for a domain. The CA/Browser Forum requires all certificate authorities to check CAA records prior to issuance.

> The CA/Browser Forum requires all certificate authorities to check CAA records prior to issuance.

And what if a CA fails to check CAA records? Revoke their status as an authority? By then attackers may have already obtained highly confidential information from DoD sites.

But only the owner of the private key associated with the certificate can intercept traffic. The keys used to sign the certificate have no impact on the actual encryption whatsoever...

All true/correct.

It is worth considering that some DoD systems only have whitelisted CAs installed to limit the ability for an adversary to MitM. For example a DoD laptop used in a foreign country, you don't want the foreign government to be able to issue a certificate for a DoD property using their CA (or pressure/steal a commercial CA's signing certificate).

I opened this link in Melbourne, Australia, never been to this page before in my life, and it downloaded almost instantly. Do .mil domains get some kind of special preference, or is my brain just glitching out?

Their page is pretty light. It's served over http2 and about 1MB of mostly images. There's only 60K/200K (compressed/uncompressed) of Javascript.

That is pretty much how it is.

What an excellent letter. It appears that this Senator knows what he is talking about, or is at least very well informed by those around him. I wish more people--not just those in government--were this informed about these very serious issues.

... who is HN user csoghoian:


and very disciplined about not using social media while working in the Senate!

Commendable but he should set an example and do something about his footer: HTTP://WYDEN.SENATE.GOV.

I got a 301 redirect to HTTPS when I tried going there.

Still better to link directly to the HTTPS page to prevent SSL stripping. Unless the site is already on the HSTS preload list of course; then it doesn't really matter.

As a veteran can we please get someone to look at the patchwork of expired certificates and questionable CN's that exists as the VA Benefits system? I swear the handshakes are coming live from some old half-retired grunt in the payroll department.

That's odd - the VA pretty much leads the way with compliance on this...

It's literally the only agency listed with over 15 sites that is greater than 99% compliance.


What? We've got to go back to PSD? Oh, man, not again!

Oh you have no idea how welcome this is. As a member of the National Guard, we are expected to use our own personal equipment to access DoD websites. It is a constant battle of certificates that are not recognized, expired, many other things. The Army maintains a gold image for all active duty computers, but us silly part time soldiers who try to use our own equipment are completely screwed.

Just this month alone I have been 'mandated' to sign multiple documents and complete on-line courses that I can not access due to the Army's making everything only Microsoft compatible. So many sites are years old still making ancient calls to Internet Explorer functions.

The simple act of fixing the certificate issues would eliminate half the frustration right now. The second thing they need to do is mandate that any site has to operate with all the major browsers, and not just ancient versions of IE.

That is a letter from a US Senator requiring the CIO of the US DOD to provide him with progress on the deployment of TLS and enforcing with HSTS.

In the UK, the Home Secretary (who really ought to know better) once memorably wittered on about "hashtags" (1). I suggest that Ron Wyden off of Oregon is either or both of well informed and knowledgeable in IT matters.

(1) https://www.theregister.co.uk/2017/04/03/uk_home_secretary_a...

Wyden is the most knowledgeable legislator we have when it comes to technology. Here's him explaining Net Neutrality [1] and urging a 'no' vote [2] on Ajit Pai's FCC nomination.

Here's a letter [3] from him a year ago urging the importance of two-factor authentication.

[1] https://www.c-span.org/video/?c4698027/senator-ron-wyden-net...

[2] https://www.c-span.org/video/?434822-2/senator-wyden-ajit-pa...

[3] https://www.wyden.senate.gov/imo/media/doc/Two-Factor%20Auth...

Wyden is a treasure, plus he's a fan of oshpark[1]!

[1] https://twitter.com/RonWyden/status/896012835448381441

Senator Wyden is extremely well regarded within the US with regards to technology. If you haven't seen it, he's in the documentary for Aaron Swartz.

Here are his words about the death of Aaron: https://en.wikisource.org/wiki/Senator_Wyden_Remarks_at_Aaro...

Wyden just generally seems to be a reasonable guy that wants to do the right thing and spends time to understand issues. His tech initiatives usually make sense and years ago he also introduced something about health care which also made sense. He is the kind of legislator we should want in Congress.

The "Mozilla SSL Configuration Generator" has a checkbox for 'HSTS enabled?' and can generate SSL/TLS configs for Apache, Nginx, Lighttpd, HAProxy, AWS, ELB. https://mozilla.github.io/server-side-tls/ssl-config-generat...

You can select 'nginx', then 'modern', and then 'apache' for a modern Apache configuration.

Are the 'modern' configs FIPS compliant?

What browsers/tools does requiring TLS 1.3 break?

Because TLS 1.3 is sat in the Editor queue patiently alongside other RFCs there isn't, or shouldn't be, any software compatible with TLS 1.3 today. Implementations of the Draft 23 or other editions are deliberately incompatible with and must be replaced by the real TLS 1.3 after the Editor is done with it even though (as it stands) they are otherwise functionally identical.

Firefox, Chrome, and CloudFlare all already support (DRAFT) TLS 1.3: https://www.ghacks.net/2017/06/15/how-to-enable-tls-1-3-supp...

Apache mod_nss and nginx support (DRAFT) TLS 1.3.

The changes to allowed ciphers in TLS 1.3 could be implemented by modifying webserver config (e.g. as produced by the aforementioned Mozilla config generator tool). IDK what versions of (unupgraded) browsers that would cut off.

This would be great...but it seems more likely that what happens if a forcing function is applied is that anything in the current gray area (gray area is putting it nicely) of using the DoD Root CA will likely just become not publicly accessible whether it makes sense or not to do that for the resource (e.g. webmail)

Again, this would be awesome but as a DoD civilian employee...I don't see it happening in a good way

Unrelated, but it would be nice if someone OCRed so that the text is accessible. Otherwise it's just a high-quality scan.

I was wondering something similar. It's clearly a typed letter, but it's offset from the letterhead. Was this scanned and placed onto the letterhead?

I don't understand how that crookedness happens? I don't think it it wasn't a crooked page placed into a typewriter.. but I also can't explain why it would be printed, scanned at an angle, placed onto letterhead, and then published.

All that said - the senator seems reasonably well informed and asking some good questions - even if his final suggestion for the US military to use Let's Encrypt made me cringe a little :)

Looks to me like the body of the letter was printed onto paper pre-printed with the letterhead, but that the paper was fed through the printer at an angle.

My guess is someone then said "eh, good enough, I can't be bothered going to get more letterhead paper out of the box to feed into the bypass tray, then going to re-print the document from my computer", and took the letter to Senator Wyden for signature. He then signed, and the signed letter was scanned for preservation as a digital record.

I keep seeing people putting Lets Encrypt down. What is so wrong with it?

For the record, the US DoD /is/ using Let's Encrypt.


> I keep seeing people putting Lets Encrypt down.

That was not my intent at all. I use and love Lets Encrypt's service.

The comment was intended more around the fact that the US Military (and many large businesses) would never, and should never, rely on a free service like that.

Lets Encrypt is great, I love it, I'd personally use it for business - but if I'm that large, I'm going to need a support contract + binding SLA + etc with every IT vendor - Lets Encrypt doesn't do these.

Maybe, but on the other hand, Let's Encrypt's organisation ISRG is a US charity, so it's not a foreign entity, and its nature avoids scenarios where the DoD gets ripped off.

There aren't many US-based large CAs that would be in a position to offer the appropriate thing here, an API that all the DoD's disparate IT organisations can use to sort out certificates for outward-facing web sites, mail servers, etcetera. It would also be nice (for Congress in particular) for this not to add another budget line item.

It appears that IdenTrust (the small CA that cross-signed Let's Encrypt) used to provide services into the DoD, perhaps they still do, and doubtless they'd like a juicy DoD contract for more of that, but are they in a position to offer ACME (or a proprietary equivalent)? Do they handle the scale to just shove 50 000 DoD site certificates out the door like it's nothing (which Let's Encrypt absolutely could)?

Big Hitters in this space today are: Let's Encrypt, Comodo (British, not American), DigiCert (possibly an option), GoDaddy (surely not), GlobalSign (Belgian / Japanese). After that it's all small potatoes, and a five person company that issues less than a thousand certificates per week is not the right size for a DoD national contract.

Long term the US Government had expressed interest via 18F in actually running a "real" CA, to be limited (in clients like Firefox that know how) to the .gov TLD but you can imagine it's not hard to add .mil there. However 18F is not what it once was under Trump. This is not a good time to be in Washington if your goal isn't to stuff as much cash as possible into your underwear and then waddle off into the sunset, so I'd guess the CA plan is back-burnered and maybe dead for good.

Lots of organizations have blank pages with a letterhead already professionally printed that you'd just print your letter/memo onto. You can even use a typewriter to type up the memo of you wanted to or even hand write it and still have the letterhead.

In this case, the page was fed through the printer crooked.

This is awesome. :D I hope we see more stuff like this.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact