US Government Sites Give Bad Security Advice (krebsonsecurity.com)
37 points by feross 12 days ago | 13 comments

I was going to reply to guacamole4's comment, which is unfortunately [dead] now. I think it's useful to talk about.

> Author then claims that just about anybody can get .gov domain which is untrue.

It didn't take much Googling to find Krebs stating that it's pretty easy: https://krebsonsecurity.com/2019/11/its-way-too-easy-to-get-...

Even without an article, it seems obvious to me that a criminal setting up a phishing site wouldn't be deterred by a bit more wire fraud to obtain a .gov.

After Brian Krebs' reporting, the GSA just announced a new process to get a .gov domain. https://krebsonsecurity.com/2020/03/u-s-govt-makes-it-harder...

> But I’m left to wonder: If I’m a bad guy who’s willing to forge someone’s signature and letterhead in a fraudulent application for a .gov domain, why wouldn’t I also be willing to fake a notarization?

It's probably not enough.

I think just by the nature of .gov domains, it's going to be very difficult to properly secure them. Even if registration is airtight, an attacker can still use other vectors:

- XSS vuln on a legit .gov page to inject their own content
- Open redirect vuln to redirect a legit .gov link to their page
- Break a .gov server. I'm sure at least one of them is running a WordPress site with a vulnerable plugin
- Break into or social engineer into the DNS server

> It didn't take much Googling to find Krebs stating that it's pretty easy:

Don't even need to Google it; that article is referenced and linked directly from the OP.

What else is new? I can't find a source right now, but IIRC NIST doesn't even follow their own password guidelines. This seems like a relatively minor flub in comparison. If the verbiage was tweaked a bit to say something like "the https ensures that you're actually connected to the website whose name shows up in your address bar" I think there'd be nothing to complain about.

NISTer here — We still have a password rotation policy, which I assume you are referring to in reference to [0]. I think they are working on it, but I’m not sure if we set our own password policy or if it’s something that needs to go through Commerce or GSA or similar.

But in fairness to NIST all of their machines have been smartcard auth only for a while now. Internal services are still under a password rotation policy, but you need a smartcard to access any NIST computer, and smartcard or RSA token for remote access to the network.

So in my opinion it could be a lot worse in terms of an actual security risk. (I am not a security researcher, just a random NIST scientist with personal opinions)

[0]: https://pages.nist.gov/800-63-3/sp800-63b.html

To be fair to them, how the hell do you possibly explain what that means to people who don't know or care how any of these things work? How do you explain TLS and DNS and HTTP and web servers and all this stuff in less than an hour in a way that makes any sense to someone that doesn't care about technology and just wants this stuff to work?

You're in a perfectly soundproof room with one other person.

Whatever you talk about with this person can't be heard by anyone outside the room.

This room can only help guarantee that no one outside can hear you, not that the person you're talking to is trustworthy.

If the other person is a thief and you tell them where your valuables are, they could be stolen.

If the other person is trustworthy, you can be sure no one else will hear what you tell them and your secrets are safe.

The soundproof room is HTTPS. The other person is a server.

You could tell someone something like this and provide a lay person with a basic understanding of many fundamental building blocks of the web rather quickly (DNS can be explained as a phone book for example).

#1 is also very weak. "'.gov' means it's official".

Someone who doesn't know what's going on will interpret that as "if this substring appears anywhere, it's safe".

So, the hijacker just needs to create a URL like "https: // united.stat.es/census2020.gov/yourcensus" and fool a loooot of people.

I mean the US gov also continuously tries to legislate mandatory weak security.

The note says:

1) .gov means the site is official

2) https:// means it's secure

Author takes #2 out of context provided by #1 and argues that https:// doesn't necessarily mean it's secure because it could be phishing. However the point is that it's secure if it's both .gov and https://

Author then claims that just about anybody can get .gov domain which is untrue.

I agree. A simple plus sign, to signify both are necessary for the conclusion to be drawn, would fix the message.

However, as long as URLs read both right to left and left to right in the same string, it's very hard to communicate to standard people what the "end" is: https://example.com./.gov ends in .gov, and the percentage of people that don't know a - is not a delimiter but / is, and . sometimes is, is high.
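The two URL tricks raised in this thread (a ".gov" buried in the path, as in the united.stat.es example, and a trailing dot before a "/.gov" suffix, as in https://example.com./.gov) are exactly what a substring reading of the flyer gets wrong. As an added example, not code from the Krebs article or from any of the commenters, here is a Python checker that applies the flyer's two rules the way a browser actually parses a URL (https scheme AND a host whose last DNS label is gov), shows on which sample URLs the naive reading disagrees with the parsed check, and includes a small redirect-target validator of the kind that would close the open-redirect vector listed earlier in the thread. The sample URLs, the site host name passed to the redirect validator, and all function names are constructed for illustration.

```python
"""Apply the flyer's two rules ('.gov' = official, 'https://' = encrypted) the way a
browser parses a URL, and show where a naive substring reading of those rules breaks.
Illustrative example only; sample URLs and host names are constructed for this demo."""
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed sample URLs. True means: https AND the host really is under .gov.
SAMPLES = {
    "https://www.census.gov/programs-surveys/decennial-census.html": True,
    "HTTPS://WWW.CENSUS.GOV:443/": True,        # scheme/host are case-insensitive; port is not part of the host
    "https://census.gov./": True,               # trailing dot is the absolute (FQDN) form of the same host
    "http://www.census.gov/": False,            # right host, but no https
    "https://united.stat.es/census2020.gov/yourcensus": False,  # '.gov' appears only in the path
    "https://example.com./.gov": False,         # string ends in '.gov', but the host is example.com
    "https://census.gov.example.net/": False,   # 'gov' is not the last label
    "https://census.gov@example.net/": False,   # everything before '@' is userinfo, not the host
}


def naive_looks_official(url: str) -> bool:
    """The reading a lay person may take from the flyer: starts with https:// and contains '.gov'."""
    u = url.lower()
    return u.startswith("https://") and ".gov" in u


def hostname_of(url: str) -> Optional[str]:
    """Host as a browser resolves it: userinfo and port removed, lowercased, trailing dot dropped."""
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.rstrip(".")


def is_gov_host(url: str) -> bool:
    """True only if the LAST DNS label of the host is 'gov' and there is at least one label before it."""
    host = hostname_of(url)
    if host is None:
        return False
    labels = host.split(".")
    return len(labels) >= 2 and all(labels) and labels[-1] == "gov"


def is_official_and_encrypted(url: str) -> bool:
    """The flyer's two rules joined by the 'plus sign' the thread asks for: https AND a .gov host."""
    return urlsplit(url).scheme.lower() == "https" and is_gov_host(url)


def mismatches() -> Set[str]:
    """Sample URLs on which the naive substring reading disagrees with the parsed check."""
    return {u for u in SAMPLES if naive_looks_official(u) != is_official_and_encrypted(u)}


def safe_redirect_target(next_url: str, site_host: str) -> str:
    """Validate a user-supplied redirect target (e.g. a ?next= parameter) so that a link on a
    legitimate site cannot bounce visitors to a phishing page. Hypothetical helper, not any
    agency's code. Allows a path on this site or an absolute https URL on exactly site_host;
    anything else falls back to '/'."""
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        # absolute or scheme-relative ('//evil.example/x'): must be https on our own host
        if parts.scheme.lower() == "https" and hostname_of(next_url) == site_host:
            return next_url
        return "/"
    # relative: reject '//host' and backslashes, which browsers may treat as scheme-relative
    if next_url.startswith("/") and not next_url.startswith("//") and "\\" not in next_url:
        return next_url
    return "/"


if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        parsed = is_official_and_encrypted(url)
        flag = "" if parsed == expected else "  <-- unexpected"
        print(f"{url:62} naive={naive_looks_official(url)!s:5} parsed={parsed!s:5}{flag}")
    print("naive reading is wrong for:", sorted(mismatches()))
```

The parsed check still only answers "is this host under .gov"; whether that .gov registration itself is legitimate is the separate question the Krebs article raises, and no URL parser can settle it.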

From reading the article the main point was that https:// doesn't mean it's the official page you're looking for, which is true. Just that the communication between you and whatever page it is, is secure.

Following the author's article around acquiring a .gov domain, it seems as though it was relatively easy for that particular person to obtain a .gov domain.

The argument is that it still may be a phishing attempt even if it does have both https:// and .gov.

But of course we're relying heavily on the article around acquiring a .gov domain being correct.
