How Serious Is James Clapper About Cybersecurity When His Office Can't Even Get Its SSL Certificate Right?

from the just-asking dept

James Clapper and the Office of the Director of National Intelligence (ODNI) have been among the loudest FUD-spewers concerning the “threats” to cybersecurity out there, and the need for massively dangerous “cybersecurity” legislation that would really just open up the ability for the Intelligence Community to get more access to private data. However, security researcher and ACLU guy Chris Soghoian noticed yesterday that the SSL security certificate on the ODNI website isn’t even valid:

In response, Soghoian joked: “[ODNI], I’ll make you a deal: You fix your website’s broken encryption cert, and I’ll start to take your cyber fearmongering seriously.”

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “How Serious Is James Clapper About Cybersecurity When His Office Can't Even Get Its SSL Certificate Right?”

Subscribe: RSS Leave a comment
BigKeithO says:

Re: Re: Erm..

“Your connection to is secured with 128-bit encryption. However, this page includes other resources that are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.”


“This page includes a script from unauthenticated sources.”

I’d post a pic but I don’t think that is possible on Techdirt. This warning has been on the site since it went SSL.

Anonymous Coward says:

Re: Re: Re:2 Erm..

I’m seeing it as a yellow, traffic-sign-esque triangle in Chrome on the padlock next to the ‘https://etc.’ The main elements of TD are (I hope) still secure, but the ads and/or 3rd-party elements are unprotected, hence the yellow rather than the more in-your-face red.

Anonymous Coward says:

Re: Re: Re:2 Erm..

The message doesn’t actually display in Chrome or Firefox unless you click the secure connection icon. In Chrome, it should have a yellow triangle to indicate only partial security. And in Firefox, instead of a padlock, it will be a gray triangle-with-an-exclamation point.

It is the ads that are on plain http connections and causing this issue, though. So if you are viewing the site with an ad-blocker, it should actually come up totally secure.

PaulT (profile) says:

Re: Re: Re:2 Erm..

The warning varies. As I understand it, some of the content brought in from external sources (e.g. ads) don’t always comply with the SSL so you might see the Chrome padlock change occasionally from green to yellow. Other browsers will deal with this in different ways, but it will be intermittent depending on what content is served to you, whether you have ad blockers, etc.

Anonymous Coward says:

Re: Re: Re: Erm..

That warning means the ads and/or other third party resources are not being loaded with SSL. If the ad sources have an SSL, then Techdirt can and should connect to them with https. If such connections are not available, though, I don’t think there’s anything Techdirt can do.

jackn says:

Re: Re: Re:4 Erm..

its up to the site owner to ensure their site is operating up to the satisfaction of its users.

If you cannot guarentee all the content on the page (however delivered) isn’t going to be secure, you can remove the third party content or accept that you users are going to get warnings and either avoid your site, complain, or not care.

Imagine you are at amazon trying to check out with a credit card and you got this warning. How would you feel if amazon said, that is the responsiblity of the third parties?

Anonymous Coward says:

Re: Re: Re:5 Erm..

Well, I’m not entering any sensitive info here. Just entering a comment that will be public anyway. Only thing sensitive here is the login info for folks with registered accounts.

And I can check where the form is submitting my data and make sure that that is secure at least.

But I think a more likely point is also a site with a forum with user generated content. Especially one allowing inline images. The forum should use SSL to protect user authentication information. But the users certainly aren’t going to be only using https links in their image tags. So such a forum is guaranteed mixed-content warnings.

Of course that doesn’t apply to Techdirt. No inline images here. The only problem is the advertisers. In this case, the advertisements are part of the Techdirt business model. They cannot be removed without also eliminating what I have been led to believe is an important revenue stream. So the ads have to stay.

Now, there are far more factors than just SSL in choosing who one uses as an advertiser. If the advertiser with the otherwise best deal doesn’t offer SSL, then that puts you in a tight spot, doesn’t it?

In any case, the info actually going to Techdirt still remains secure. So there are only two impacts here:

1. Someone with access to your line can see which advertisements you get. And that’s gonna happen any time you visit a page using the same advertisement system. So nothing to really worry about, unless the advertiser is storing sensitive information in its tracking cookies.

2. Users who don’t know what mixed content warnings indicate might get spooked by the “Caution” indicator in their browser.

Quite frankly, I find the second issue to be of greatest concern, and only for the folks running this site.

Anonymous Coward says:

Re: Re: Re:7 Erm..

Indeed. With that in mind, the Opera approach may be best. Just display it as if there was no SSL at all. It wouldn’t look any different from the majority of unsecured sites out there. And sites that absolutely require the security will continue to avoid mixed content to make sure the padlock does show up.

Anonymous Coward says:

Re: Re: Read

My Chrome doesn’t say anything about elements being insecure. […] I want to know where my local security might be lacking.

Hm, let’s see… You’re using a web browser developed by a for-profit, US-based multinational advertising/surveillance conglomerate/NSA “corporate partner” (i.e., collaborator) and PRISM-participant; your “local security” is mainly lacking in the existence area.

Read about NSA whistle-blower Ed Snowden’s leaks, and read Bruce Schneier’s blog if you’re fool enough to trust Go-Ogle (or any other major US-based tech firms).

John Fenderson (profile) says:

Re: Re: Erm..

It’s the Akamai certificate that doesn’t pass scrutiny. The error is that the name of the techdirt site on the cert does not match the name of the name of the techdirt site itself. I’m guessing this is related to the switch to https, but I haven’t investigated enough to know for certain.

Chrome’s cert checking has a number of holes. Just because it doesn’t flag a cert doesn’t automatically mean the cert is OK.

allengarvin (profile) says:

Re: Re: Re: Erm..

Yes, it’s the switch to https. If you click past the ‘don’t go here’ you won’t even get the site. I explained elsewhere that akamai’s “edgesuite” network which serves 80 is a completely different set of servers than those that serve 443 (which they used to call “edgekey” but now are branded something silly). When you go to https on edgesuite, you’re connecting to their netstorage service. You get this with every akamai customer that’s on their edgesuite network.

hij (profile) says:

This just proves he is right

Do you people not see the real problem? The real problem is that they have to go to all that trouble to secure their own site which only proves that the world is too dangerous, and we need some serious mollycoddlying so that they can keep us safe. That is assuming that they can be bothered to go to that much trouble to do their job. Which, they apparently cannot do. Then again, maybe they use this to find the bad guys:

allengarvin (profile) says:

Eh, I’ve set up a lot of Akamaized sites in the past 15 years. That’s not a real problem: it’s someone who went to an akamaized http site through https. You have to pay extra money to get their SSL versions, and then you have to CNAME your domain to another set of servers, their special SSL servers.

If you put https in front of any site CNAME’d to Akamai that isn’t paying for the extra SSL, you’ll get basically the same error, because it sends you through their old edge network–it supports SSL, but it’s for serving individual assets like images or swfs.

It’s probably historically related to the way they rolled out different offerings. Basically, for this site, they didn’t want to spend a few thousand extra a month for SSL offerings.

Whatever (profile) says:

Re: Re:

Don’t confuse the discussion with things like facts and reality. People are just looking for the fast slam, the caught you moment more than anything real.

It may be that they are in the middle of a transition from direct hosting to using edge providers to give better service and to mitigate attacks on their servers. It’s pretty normal. The SSL certificates will be all screwed up for a while, it’s not a simple job to do when you are handling a network with so many possible exit URLs.

But hey, it’s fun to slam them for trying to make things better, right?

allengarvin (profile) says:

Re: Re: Re:

Akamai is a good way to mitigate attacks, but it’s an expensive one. I’ve just seen this particular error before, because my last company had a pretty deal with Akamai–we got around 7 cents a gig transferred. Not necessarily good compared to other CDNs but pretty good for Akamai. We would see this error because we’d get customers on Akamai, and then they’d do a security scan, it would come back highlighting that the SSL cert didn’t match, and asked to fix it. Then, we’d say, ok, just pay for an Akamaized SSL site, which will cost you 5 times as much, plus you have to use Akamai as your SSL vendor, which makes netsol look cheap, and then they’d come back and say “no thanks”.

I found some other sites that will give you the same error:

You can tell which sites are on the Akamai SSL network by seeing what they’re CNAME’d to. If it’s, it’ll give a cert error. If it’s, it’s good:

[agarvin@atg-home logs]$ dig +short
[agarvin@atg-home logs]$ dig +short
Note this domain:
[agarvin@atg-home logs]$ dig +short

Look at the cert with openssl s_client and you’ll see the CN is for

Whatever (profile) says:

Re: Re: Re: Re:

Oh, you have none

Trying to pick a fight? You lose every time.

Fact: They are using akamai.
Fact: In a transition time, their existing certificate would not be accurate.
Fact: Their site is still secure, and in fact is likely more secure as a result of a move to use Akamai.

Your facts? name calling. Yup, you lost again.

Whatever (profile) says:

Re: Re: Re:3 Re:

There is a lot of potential reasons why caching / edge services tend to help security. The biggest in general is that it’s much harder for people to DDoS the site, unless they know it’s original IP and attack it directly that way. Otherwise, their web traffic is generally sent to the cache, which acts as a sink (a really big one).

Not sure about Akamai itself, but similar services will also sink or stop attempts to connect ssh, ftp, mail, and the like, removing the burden entirely from your servers – at least for people who try to connect by name rather than IP.

Basically, the fewer people who interact directly with your server, the less chance of problems.

John Fenderson (profile) says:

Re: Re: Re:4 Re:

DDOS doesn’t count as a security problem in the sense being discussed here. Such attacks don’t result in a security breach or the exposure of secure data.

As to stopping connections to ssh, etc., that’s beyond trivial to do in the first place by just not running those servers. It takes more technical expertise to set up the servers than to not set them up, so the technically clueless are already safe on those fronts by default.

On your last point, that’s true but the increased security you get that way is pretty minimal.

On the flip side, if you’re relying on an edge provider to enhance your security, you’re making a security trade-off. Those providers are well known, desirable attack vectors and draw the attention of far more, and far more skilled, crackers than your servers are likely to draw. And once they’re hacked, all servers using them become vulnerable.

Edge providers are very useful for traffic management, but thinking that using them gives a security benefit beyond what you can easily do for yourself is dubious at best.

Cpt Feathersword says:

A man-in-the-middle attack? Against ODNI? By NSA?

One of NSA’s clever tricks is to redirect traffic to go through a snoop node before it gets to the server. The snoop node pretends to be the real server and presents a forged SSL certificate so that it can decrypt both sides of the conversation. Browsers may detect the fake certificate and give a warning, but most users pay no attention and just click on through.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...