Senator Schumer Fails To Properly Use HTTPS On His Own Site, After Pushing Other Sites To Use It [Updated]
from the ooooops dept
This is just lovely. We just wrote about how Senator Chuck Schumer was pressuring websites to use https instead of http, saying (not really accurately) that http has a “security flaw.” However, gojomo pointed out in a comment on that post that Schumer’s own page, when you hit it via https at https://schumer.senate.gov/ reports:
Ooops. Both Firefox and Chrome warn you not to proceed, because the connection is “untrusted” or “might not be the site you are looking for.” This is probably just a small technical error by Schumer’s tech staff, but it does look pretty bad when he’s out there grandstanding on https. None of this diminishes the fact that https is a useful tool that many websites should use to protect users, but it’s not clear that we want politicians telling websites what protocols to use (especially when they haven’t quite figured them out themselves).
Update: Some great points in the comments highlighting that Schumer and his staff don’t control the tech behind his Senate website, and any such cert would have to be controlled by the Senate IT folks. Also they pointed out that Schumer’s Senate site does not appear to take user info/logins so HTTPS wouldn’t much matter. However, his personal/campaign site does appear to take info and also does not use HTTPS.
Separately, others pointed out that one of the sites he called out — Amazon — does use HTTPS when you login and/or order, and his calling them out suggests they’re unsafe when it appears they are safe.
Filed Under: chuck schumer, https
Comments on “Senator Schumer Fails To Properly Use HTTPS On His Own Site, After Pushing Other Sites To Use It [Updated]”
On the other hand
Perhaps he’s attempting to demonstrate how difficult https is to implement, and will next be grandstanding about a better, faster, more secure, easier to implement method of connecting to web pages.
Re: On the other hand
“Perhaps he’s attempting to demonstrate how difficult https is to implement”
Er, you’re joking? Either get a signed cert from a CA or create your own – either way, certs aren’t too difficult to maintain/implement.
Re: Re: On the other hand
Creating your own is a terrible idea, because then you end up with a big “CERTIFICATE ERROR”. 😡
You don’t have permission to access / on this server.
There isn’t anything on the secure server. It’s a dead address. His site isn’t “secure” in that manner, so it isn’t surprising it doesn’t work.
That and the fact that the certificate would be controlled by senate.gov, and not the senator or his staff.
Re: Re:
That and the fact that the certificate would be controlled by senate.gov, and not the senator or his staff.
That’s a good point — though, again seems to highlight the problem of him telling private companies that they have to do this, right?
Re: Re: Re:
HTTPS is not security anyway. It’s a false sense of security. Ask the OpenBSD people, they’ll lecture you about it. There are still ways “around” it, and/or if you hack your way into the machine to replace it, etc…
It’s like putting an electronic lock on your car.. it might help if you lose the key, but down the line, someone can still steal your car with fairly low-tech tools.
Re: Re: Re:
Not really. senate.gov’s certificate gets pulled when you pull any third level (there is that pesky reason why third levels are not the same). So you can https any of the individual sites, and get the same reaction. It’s as much a browser fault as anything else. I don’t think that Mr Schumer had any https site specifically set up.
Right, I’m pretty sure his staff doesn’t control senate.gov, and as such wouldn’t be able (unilaterally, anyway) to set up a cert for schumer.senate.gov. And it’s not like someone linked to https://schumer.senate.gov – some guy just went and tried to access it in response to the article from earlier this morning. It’s no surprise at all the server isn’t configured to serve individual officials’ subdomains as HTTPS. They *could* get a *.senate.gov cert, but there’s good reasons not to do that, too.
I’m not a fan of the guy but I don’t know why we’re giving him grief over something he can’t control. It’s apparently based on him ‘recommending’ something and therefore might speculatively push for legislation in some regard. I dunno. Maybe I missed something.
Re: Maybe I missed something
“him ‘recommending’ something and therefore might speculatively push”
That’s the problem, so many politicians recommend stuff without actually understanding how it works.
Lame Story…nothing to see here
So what?
Why the hell are you railing against someone making a REALLY good point? Sure his implementation was poor, but what’s the point in ripping him for “grandstanding” and then claiming that politicians should be “telling websites what protocol to use?”
I mean, he’s right. Stop trying to gin up controversy.
Re: So what?
A really good point is one thing. A government telling everyone how to do shit with new laws is something else altogether.
Re: Re: So what?
There doesn’t appear to be any such law proposed. For the time being, it sounds like this is just a politician supporting a good idea.
https is broken
Rather than promoting https as the way to solve security problems (really, I would promote it as a way to help solve privacy issues, tbh) – perhaps we should actually fix it first.
https and SSL are a great way for a small number of Certificate Authority companies to make a boatload of cash for doing very little. I wouldn’t be surprised if Verisign approached this guy and lobbied for this.
CDNetworks provides last mile HTTPS feature
CDNetworks protects its customers from the Firesheep security threat with a “last-mile-secure” feature within its Content Acceleration SSL product. This innovative solution requires no changes to the websites of CDNetworks’ customers. Instead, CDNetworks communicates with websites in clear HTTP, and then transforms their responses to end users via SSL over HTTPS. This renders the Firesheep plug-in completely ineffective.
http://www.businesswire.com/news/home/20101104005744/en/CDNetworks-Protects-Firesheep-Last-Mile-Secure-Feature
Mike, I love you man, but you’re really out of your element here. It’s already been pointed out how Schumer’s staff wouldn’t control the cert, and that it’s a dead endpoint anyway, and that (surprisingly!) the senator is actually *correct*…
But more importantly: if you understood the attack vector in question you’d understand that it is only really relevant for hijacking user sessions in progress. If you’d looked at the port 80 version of the site you may notice the lack of a login feature anywhere, thus your complaint is completely baseless. In this case you’re the one doing the grandstanding.
Firefox can’t find the server at schumer.senate.gov.
$ host schumer.senate.gov
;; connection timed out; no servers could be reached
Fail.
Re: Re:
$ dig @sen-dmzp.senate.gov schumer.senate.gov
dig: couldn’t get address for ‘sen-dmzp.senate.gov’: not found
Fail…er.
“(especially when they haven’t quite figured them out themselves)”
is a fitting way to end a post that is also not too keen on the way the internet works. But it’s just small technical errors on your staff’s part, but it does look pretty bad when you are out there grandstanding about grandstanding.
This is why I love Techdirt
This is one of the reasons I love this site. In no time at all the commenters have basically nailed Mike on several different points and added much more information to the story. The folks here don’t seem to have much of a ‘follow whatever Mike says’ tendency.
While I don’t think this is really a story I do think this is an anecdotal situation of a much larger problem. Politicians just deciding to get involved in situations the government has no reason to be in.
Since there aren’t any forms on Schumer’s site that prompt users for personal info AFAICT, HTTPS doesn’t really seem necessary to me.
What does bother me about this is it seems like defamation for Schumer to call out Amazon specifically when Amazon already uses HTTPS for sign-in and checkout. People who don’t know the details of SSL are going to hear this and think they aren’t safe shopping on/signing into Amazon at all. This could boil down to a loss of business for Amazon if people take this as “Amazon is insecure”. I’m not sure what else Schumer wants from Amazon. Does he want browsing of the site to be done through HTTPS as well? If so then Mike is correct, Schumer’s site should be protected by HTTPS too. If he’s really concerned about HTTPS he could redirect http://schumer.senate.gov (which others have pointed out he most likely has no control over) to https://chuckschumer.com/ (which I’m sure he has control over)
Actually…looking at chuckschumer.com there is a place to submit your email address and zip code, and there is no secure option…
Re: Re:
What does bother me about this is it seems like defamation for Schumer to call out Amazon specifically when Amazon already uses HTTPS for sign-in and checkout. People who don’t know the details of SSL are going to hear this and think they aren’t safe shopping on/signing into Amazon at all. This could boil down to a loss of business for Amazon if people take this as “Amazon is insecure”.
Good point.
Schumer’s site should be protected by HTTPS too. If he’s really concerned about HTTPS he could redirect http://schumer.senate.gov (which others have pointed out he most likely has no control over) to https://chuckschumer.com/ (which I’m sure he has control over)
Also a good point.
Re: Re:
Hmmm… I think that I’ll beg to differ:
http://schumer.senate.gov/new_website/contactchuck.cfm
https is misunderstood
Https is for encrypting the connection between the browser and the remote server. Https is not for authentication, as much as the cert authorities want you to confuse the two. There is a tor person blog post about life without a CA that highlights this fact.
Re: https is misunderstood
actually https IS used for authentication and this authentication is in fact a very important part of https. The catch is that the party being authenticated is the web server, rather than the client/end user, by way of its certificate.
This is a very important step in preventing man-in-the-middle attacks. After all, if you have been talking to the wrong party to begin with, no amount of encryption will help you.
This authentication is supposed to be provided by the certificate authorities, which sign the individual server certificates to create a “web of trust”. Of course, there are other ways to determine that certificates (like self-signed ones) are valid (like issuing your own certificate authority cert, comparing fingerprints, etc.). If such arrangements for verifying the certificate are in place, using the certificate is perfectly safe, even if it is self-signed or details such as domain name are wrong.
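The three ways of trusting a server certificate that the comment above describes (the browser’s default CA store, an explicitly trusted CA or self-signed cert, and fingerprint comparison), worked through against a throwaway self-signed certificate. This is an added example, not code from the article or any commenter; it assumes the `openssl` command-line tool is installed for key generation and uses only the Python standard library otherwise. The server name `localhost`, the loopback address and the certificate itself are constructed for the demonstration.

```python
import hashlib
import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path

HOST = "127.0.0.1"
SERVER_NAME = "localhost"  # constructed: the name the throwaway certificate is issued to


def make_self_signed_cert(directory: Path):
    """Generate a throwaway self-signed certificate and key with the openssl CLI (assumed installed)."""
    cert, key = directory / "server.pem", directory / "server.key"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={SERVER_NAME}", "-addext", f"subjectAltName=DNS:{SERVER_NAME}",
         "-keyout", str(key), "-out", str(cert)],
        check=True, capture_output=True)
    return cert, key


def sha256_fingerprint(cert_path: Path) -> str:
    """SHA-256 over the DER encoding: the fingerprint a browser's certificate viewer shows."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(cert_path.read_text())).hexdigest()


class TlsServer:
    """Minimal TLS server on a random loopback port, serving connections in a background thread."""

    def __init__(self, cert: Path, key: Path):
        self.ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        self.ctx.load_cert_chain(str(cert), str(key))
        self.sock = socket.socket()
        self.sock.bind((HOST, 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listening socket was closed
            try:
                with self.ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"hello over TLS\n")
            except OSError:
                pass  # the client refused our certificate and dropped the connection
            finally:
                conn.close()

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        self.sock.close()


def _handshake(port: int, ctx: ssl.SSLContext) -> bytes:
    """Complete a TLS handshake and return the server certificate (DER); no application data is sent."""
    with socket.create_connection((HOST, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:
            return tls.getpeercert(binary_form=True)


def verify_with_system_store(port: int) -> str:
    """What a browser does by default: only CAs already in the trust store count."""
    try:
        _handshake(port, ssl.create_default_context())
        return "accepted"
    except ssl.SSLCertVerificationError:
        return "rejected"


def verify_with_own_ca(port: int, cert: Path) -> str:
    """Trust your own cert (or your own CA's cert) explicitly; the name check still runs."""
    try:
        _handshake(port, ssl.create_default_context(cafile=str(cert)))
        return "accepted"
    except ssl.SSLCertVerificationError:
        return "rejected"


def verify_by_fingerprint(port: int, expected_sha256: str) -> str:
    """Skip the CA and hostname checks and compare fingerprints instead.

    CERT_NONE on its own gives encryption with no authentication, which is exactly
    the man-in-the-middle-able setup the comment warns about; the pin is what
    restores authentication, so nothing may be sent before it is checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    der = _handshake(port, ctx)
    return "accepted" if hashlib.sha256(der).hexdigest() == expected_sha256 else "rejected"


def run_demo() -> dict:
    """Run all three checks against one self-signed server and report each verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(Path(tmp))
        server = TlsServer(cert, key)
        try:
            return {
                "system_store": verify_with_system_store(server.port),
                "own_ca": verify_with_own_ca(server.port, cert),
                "pinned": verify_by_fingerprint(server.port, sha256_fingerprint(cert)),
                "wrong_pin": verify_by_fingerprint(server.port, "00" * 32),
            }
        finally:
            server.close()


if __name__ == "__main__":
    for check, verdict in run_demo().items():
        print(f"{check:13s} {verdict}")
```

The system-store check fails for the same reason the browser warning in the article appears: nobody the client already trusts vouches for the certificate. Loading the certificate as a trust anchor, or pinning its fingerprint, is the out-of-band arrangement the comment refers to; the `wrong_pin` case shows that pinning only helps if the pin itself was obtained from somewhere other than the connection being verified.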
I'm surprised..
that a Senator would even know what “https” stands for, much less what it’s used for or how it works.
Federal Certificate Authorities
The federal government maintains an entire infrastructure of their own Certificate Authorities, none of which are recognized by the folks who make the browsers. As a retired Naval Officer, I access DOD sites all the time and find that my browser is constantly warning me about these sites. One time I attempted to download and install certificates for all of the DOD CAs but locating them all, downloading them and installing them took me about two hours and I swore I’d never do it again.
you all are way overthinking this one.
Simple answer:
Schumer is a grandstanding idiot.
Mike
I’m glad to see you updated the article — but the update is *still* inaccurate. I probably should have been more clear about this in my first comment — the problem isn’t whether sites use SSL during the login or payment phases (this has been considered a best practice for years now). You’ve got to use SSL for the lifetime of the session, at the _very_ least for users on unencrypted wifi where MITM attacks have been made so very easy by tools like firesheep.
Since there’s no way to know which users are on coffee shop wifi it is now considered a best practice to push everyone to SSL. If you don’t believe me download firesheep and see what you can get away with on another user’s amazon account. You may not be able to buy anything but you’ll be able to do quite a bit of damage.
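What the comment above describes, as an added example that is not part of the original post or its comments: a login over HTTPS followed by ordinary browsing over HTTP leaves the session cookie readable to anyone on the same network, which is all a sniffer like Firesheep automates, and the browser-side fix is a cookie marked `Secure` (together with serving every page over HTTPS so the browser never has a reason to send it in the clear). The captured requests, the host names (`shop.example`, `mail.example`) and the cookie names and values below are all constructed for this example and do not describe any real site.

```python
from typing import Dict, List, Tuple

# Cookie names commonly used for sessions; constructed list for this example.
SESSION_COOKIE_NAMES = {"session-id", "session-token", "sessionid", "phpsessid", "jsessionid"}

# Constructed: plaintext HTTP requests as seen from an open wifi network.
CAPTURED_PLAINTEXT_REQUESTS = [
    # A logged-in user browsing the site over HTTP after an HTTPS login:
    # the session cookie issued during login is sent in the clear.
    "GET /cart/view.html HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: session-id=139-1234567-8901234; session-token=c2VjcmV0; ubid=9876\r\n"
    "\r\n",
    # An anonymous visitor: nothing worth stealing.
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example\r\n"
    "\r\n",
    # A different user on a different site.
    "GET /inbox HTTP/1.1\r\n"
    "Host: mail.example\r\n"
    "Cookie: PHPSESSID=abc123; theme=dark\r\n"
    "\r\n",
]

# Constructed Set-Cookie headers: what a login-only-HTTPS site typically issues,
# and the same cookie marked Secure so browsers only send it over TLS.
WEAK_SET_COOKIE = "session-id=139-1234567-8901234; Path=/; HttpOnly"
FIXED_SET_COOKIE = "session-id=139-1234567-8901234; Path=/; HttpOnly; Secure"


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into its request line and a lower-cased header map."""
    head = raw.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def harvest_session_cookies(requests: List[str]) -> Dict[str, Dict[str, str]]:
    """What Firesheep automates: pull session cookies out of plaintext requests, keyed by host.

    HttpOnly does not help here; that attribute only stops scripts in the page
    from reading the cookie, not someone reading the wire."""
    stolen: Dict[str, Dict[str, str]] = {}
    for raw in requests:
        _, headers = parse_request(raw)
        if "cookie" not in headers:
            continue
        session = {name: val for name, val in parse_cookie_header(headers["cookie"]).items()
                   if name.lower() in SESSION_COOKIE_NAMES}
        if session:
            stolen[headers.get("host", "?")] = session
    return stolen


def sendable_over_http(set_cookie: str) -> bool:
    """True if a browser would attach this cookie to a plain http:// request (no Secure attribute)."""
    attributes = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return "secure" not in attributes


def audit_set_cookie(set_cookie_headers: List[str]) -> Dict[str, str]:
    """Verdict per cookie: 'sniffable' if it can leak over HTTP, 'tls-only' otherwise."""
    verdicts = {}
    for header in set_cookie_headers:
        name = header.split(";")[0].partition("=")[0].strip()
        verdicts[name] = "sniffable" if sendable_over_http(header) else "tls-only"
    return verdicts


if __name__ == "__main__":
    for host, cookies in harvest_session_cookies(CAPTURED_PLAINTEXT_REQUESTS).items():
        print(f"{host}: {cookies}")
    print(audit_set_cookie([WEAK_SET_COOKIE, FIXED_SET_COOKIE]))
```

Anything `harvest_session_cookies` returns can be pasted straight into a `Cookie:` header of a new request and the server will treat the sender as the logged-in user, which is the "quite a bit of damage" the comment refers to. The `Secure` attribute alone is not enough if the site still serves pages over HTTP, because the browser will then simply be logged out on those pages; the site has to move the whole session to HTTPS, which is the commenter's point.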