FBI, While Hating On Encryption, Starts Encrypting All Visits To Its Website

from the funny-how-that-works dept

Last week, the Wikimedia Foundation announced that it was moving to encrypting access to all Wikipedia sites via HTTPS. This was really big news, and a long time coming. Wikipedia had been trying to move in this direction for years with fairly slow progress — in part because some in the Wikimedia community had an irrational dislike of HTTPS. Thankfully, the Wikimedia Foundation pushed forward anyway, recognizing that the privacy of what you’re browsing can be quite important.

And yet, I don’t think that was the most significant website shift to HTTPS-by-default in the last week. Instead, that honor has to go to… [drumroll please]… FBI.gov. No, seriously. This may surprise you. After all, this is the very same FBI that just a couple of weeks ago had its assistant director Michael Steinbach tell Congress that companies needed to “prevent encryption above all else.” Really. And it’s the same FBI whose director has been deliberately scaremongering about the evils of encryption. The same director who insisted the world’s foremost cybersecurity experts didn’t understand when they told him that his plan to backdoor encryption was bonkers. The very same FBI who used to recommend mobile encryption to keep your data safe, but quietly deleted that page (the FBI claims it was moved to another site, but…).

But that very same FBI that has spent the past few months disparaging encryption at every opportunity apparently went over to Cloudflare and had the company help it get HTTPS set up. No joke.

The FBI.gov site now automatically pushes you to an encrypted connection. Because, no matter what the FBI says, encryption is good. And the FBI’s techies know that.

Remember how, just last week, the US CIO announced that all federal government websites would be moving to HTTPS? Well, thankfully, the CIO’s office is also tracking how well it’s doing. Just yesterday, here’s what it said about FBI.gov:

And, here’s what it says now:
(If you’re interested, you can see the pull request on GitHub that has the change as well).

Either way, kudos to the FBI for letting us encrypt our connections. Now, please don’t get in the way of us encrypting our data as well.



Comments on “FBI, While Hating On Encryption, Starts Encrypting All Visits To Its Website”

Ninja (profile) says:

Next time he starts with his “encryption is evil” nonsense I hope some reporter asks him why FBI.GOV is enforcing encryption then. I picture him starting to foam from his mouth while saying incomprehensible things till his head pops. What I don’t picture is him recognizing he was bullshitting and that encryption is as evil as a pressure cooker. Both can be used for evil but the good uses largely outweigh any bad uses.

Anonymous Coward says:

Re: FBI isn't against encryption

The FBI is against encryption it can’t get the keys to. Obviously FBI holds the encryption keys to its own website. This post seems to be reaching pretty far.

What part of “So that’s the challenge: working with those companies to build technological solutions to prevent encryption above all else” don’t you understand?

Anonymous Coward says:

I hate to say this, but SSL, which HTTPS is based on, can be cracked, so encrypting the connection to the website will not work.

Before possibly going on one road trip next week, I have been configuring an OpenVPN server on the machine that runs my online radio station, so I can get past Metro/T-Mobile’s blocking of L2TP and PPTP VPNs.

I was testing this in Taco Bell, which has some of the tightest filtering around. I found I could connect to my server, but if I tried to access a site they were filtering, it would still be blocked. Somehow, Taco Bell has found a way to crack SSL.

If Taco Bell can crack SSL, anybody can. So even SSL/HTTPS visits to the FBI website, or any other website, can be cracked and sniffed.

Anonymous Coward says:

Re: Taco Layer Security (TLS)

Yes, there are weaknesses, but I must doubt such an allegation when we have no way to verify it. We do not know you have a reputation for doing this right. We do not know where you tested it. We do not know whether they were filtering content (implying they could read and change the stream) or blocking whole netblocks (implying they know where you are going, but not what you are saying).

Cracking SSL/TLS is more trouble than interfering with a plaintext HTTP connection. Using HTTPS can stop some classes of attacks, and makes others more trouble to implement. It is not a perfect solution, but it is better than doing nothing, and it is relatively easy to implement.

Anonymous Coward says:

Re: Re:

I was testing this in Taco Bell, which has some of the tightest filtering around. I found I could connect to my server, but if I tried to access a site they were filtering, it would still be blocked. Somehow, Taco Bell has found a way to crack SSL.

Or, more simply, your DNS requests went over the local link instead of over the VPN (or they went over both but the local link answered first), and they are doing a DNS-based block. When you see hoofprints, think horses, not zebras.

Anonymous Coward says:

Re: Re: Re: Countering (some) consequences of ISP DNS hijacking

If your ISP uses a fixed and small set of IP addresses for the answer they give when they should have given NXDOMAIN, I suggest blocking those addresses on your router. I do this, so now I get a “No route to host” error when my ISP tries to send me to an ad-laden interception page. It is not as good as the “No such host” that they should have returned, but it at least prevents unwary applications from connecting to the ISP’s trap server.
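The check the comment above describes, as an added example that is not part of the thread: probe the resolver with names that cannot exist, collect the small fixed set of addresses it hands back instead of NXDOMAIN, and turn them into router rules. The `resolve` callback, the constructed resolvers and the `ip route add unreachable` form of the block (the commenter does not say how they block) are assumptions.

```python
import random
import string
from typing import Callable, Iterable, Optional

def probe_nxdomain_hijack(resolve: Callable[[str], Optional[Iterable[str]]],
                          probes: int = 6, max_distinct: int = 4) -> set:
    """Resolve random names that cannot exist. An honest resolver answers NXDOMAIN (None)
    every time; if a small fixed set of addresses keeps coming back, that is the ISP's trap."""
    seen = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=16))
        answer = resolve(f"{label}.invalid")      # .invalid is reserved (RFC 2606): never resolves honestly
        if answer:
            seen.update(answer)
    # a hijacker reuses a handful of addresses; a large, varying set would mean something else
    return seen if 0 < len(seen) <= max_distinct else set()

def unreachable_routes(addrs: Iterable[str]) -> list:
    """Emit iproute2 commands (assumed router) that make the trap addresses fail with
    'No route to host' (an unreachable route returns EHOSTUNREACH to the application)."""
    return [f"ip route add unreachable {ip}" for ip in sorted(addrs)]

# constructed resolver behaviours so the block runs stand-alone, no network needed
HIJACK_POOL = ["203.0.113.10", "203.0.113.11"]   # documentation range standing in for the ISP's IPs

def hijacking_resolver(name: str):
    return [random.choice(HIJACK_POOL)]           # same trap server(s) for every bogus name

def honest_resolver(name: str):
    return None                                   # NXDOMAIN

if __name__ == "__main__":
    print(unreachable_routes(probe_nxdomain_hijack(hijacking_resolver)))
    print(unreachable_routes(probe_nxdomain_hijack(honest_resolver)))   # nothing to block
```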

Anonymous Coward says:

Re: Re:

Something’s up here… TLS can be cracked, but not easily — and usually it’s done by the gateway doing a transparent proxy (where you actually connect to IT and it securely connects to your destination) or by the gateway or another device on the network sniffing out your TLS connection attempt and forging a “negotiate to SSL1” packet response — at which point, you’re still encrypted, but the encryption can be cracked without too much work.

The other thing that could be happening here is you could still be using Taco Bell’s DNS resolver. If you just set all your devices to use for DNS, Google will be able to track you, but most domain blocking will vanish — especially over TLS.

So make sure your OpenVPN configuration is set up to NOT fall back to SSL, and is set up to use a trusted DNS (or and not the DNS provided via DHCP by an ISP.

Anonymous Coward says:

Re: Re: Re:

TLS is usually cracked through a downgrade attack. To protect against that it usually requires a *nix server so you can use TLS_FALLBACK_SCSV, or a client that no longer supports SSLv3, such as the newest Firefox or Chrome. Basically what you do is reject the encryption method of TLSv1, which then downgrades to the hackable SSLv3. The problem also arises when the server is using vulnerable encryption algorithms such as RC4 ciphers. Check out Qualys for some great technical details: https://www.ssllabs.com/
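The forced-downgrade scenario of the two comments above and the TLS_FALLBACK_SCSV defence against it (RFC 7507), as an added example that is not code from the thread: a minimal ClientHello parser and the server-side decision. The ClientHello records are constructed; the server's highest version (TLS 1.2) and the RC4 suite list it refuses are assumptions.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600                     # RFC 7507 signalling cipher suite value
# RC4 suites refused outright (IANA registry ids for the named suites)
RC4_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
              0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA"}

def parse_client_hello(record: bytes):
    """Return (client_version, [cipher suite ids]) from a raw TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a Handshake record holding a ClientHello")
    body = record[9:]                           # skip 5-byte record header + 4-byte handshake header
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                # client_version + 32-byte random
    pos += 1 + body[pos]                        # session_id length byte + session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    return version, suites

def server_decision(record: bytes, server_max=0x0303) -> str:
    """Decide as an RFC 7507-aware server would; 0x0303 (TLS 1.2) is the assumed highest version."""
    version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        # The client says it retried at a lower version. A client of this server never needs
        # to, so something in the path forced the retry: alert 86, inappropriate_fallback.
        return "abort: inappropriate_fallback"
    usable = [s for s in suites if s not in RC4_SUITES and s != TLS_FALLBACK_SCSV]
    if not usable:
        return "abort: handshake_failure"       # nothing left but RC4: refuse rather than weaken
    return "proceed: version=0x%04x suite=0x%04x" % (min(version, server_max), usable[0])

def build_client_hello(version: int, suites: list) -> bytes:
    """Construct a minimal ClientHello record (sample input, no extensions) for the checks above."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"     # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")        # suites, one null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # 1) ordinary TLS 1.2 client offering AES-GCM first and RC4 as a last resort
    print(server_decision(build_client_hello(0x0303, [0xC02F, 0x0005])))
    # 2) the same client forced to retry at TLS 1.0, signalling that with the SCSV
    print(server_decision(build_client_hello(0x0301, [0x002F, TLS_FALLBACK_SCSV])))
    # 3) a genuinely old TLS 1.0-only client: no SCSV, so the server still serves it
    print(server_decision(build_client_hello(0x0301, [0x002F])))
```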

Joshua Ginsberg (user link) says:

CloudFlare is a CDN

CloudFlare is a CDN, and the cert as well as http://www.fbi.gov are hosted at CloudFlare. That means public traffic goes through a 3rd party CDN.

That doesn’t mean necessarily that the connection between CloudFlare and the origin is encrypted or not. And it also opens up a whole can of worms of potential pitfalls with caching HTTP headers – potentially leaking not-public information to storage in a public cache.
