FBI, While Hating On Encryption, Starts Encrypting All Visits To Its Website
from the funny-how-that-works dept
Last week, the Wikimedia Foundation announced that it was moving to encrypting access to all Wikipedia sites via HTTPS. This was really big news, and a long time coming. Wikipedia had been trying to move in this direction for years with fairly slow progress — in part because some in the Wikimedia community had an irrational dislike of HTTPS. Thankfully, the Wikimedia Foundation pushed forward anyway, recognizing that the privacy of what you’re browsing can be quite important.
And yet, I don’t think that was the most significant website shift to HTTPS-by-default in the last week. Instead, that honor has to go to… [drumroll please]… FBI.gov. No, seriously. This may surprise you. After all, this is the very same FBI that just a couple of weeks ago had its assistant director Michael Steinbach tell Congress that companies needed to “prevent encryption above all else.” Really. And it’s the same FBI whose director has been deliberately scaremongering about the evils of encryption. The same director who insisted the world’s foremost cybersecurity experts didn’t understand when they told him that his plan to backdoor encryption was bonkers. The very same FBI who used to recommend mobile encryption to keep your data safe, but quietly deleted that page (the FBI claims it was moved to another site, but…).
But that very same FBI that has spent the past few months disparaging encryption at every opportunity apparently went over to Cloudflare and had the company help it get HTTPS set up. No joke.

Remember how, just last week, the US CIO announced that all federal government websites would be moving to HTTPS? Well, thankfully, the CIO’s office is also tracking how well that transition is going. Just yesterday, here’s what it said about FBI.gov:


Either way, kudos to the FBI for letting us encrypt our connections. Now, please don’t get in the way of us encrypting our data as well.
Filed Under: encryption, fbi, fbi.gov, https
Comments on “FBI, While Hating On Encryption, Starts Encrypting All Visits To Its Website”
Next time he starts with his “encryption is evil” nonsense I hope some reporter asks him why FBI.GOV is enforcing encryption, then. I picture him starting to foam from his mouth while saying incomprehensible things till his head pops. What I don’t picture is him recognizing he was bullshitting and that encryption is as evil as a pressure cooker. Both can be used for evil but the good uses largely outweigh any bad uses.
Re: Re:
I’m still on the fence about underwear, considering this is now a bomb making material… ¯\(°_o)/¯
Re: Re: I'm still on the fence about underwear
Try sitting on a fence without underwear…
FBI isn't against encryption
The FBI is against encryption it can’t get the keys to. Obviously FBI holds the encryption keys to its own website. This post seems to be reaching pretty far.
Re: FBI isn't against encryption
The FBI would never investigate itself so it can and will use encryption all it wants. It just wants to keep encryption away from everyone else.
Re: Re: FBI isn't against encryption
Well, of course there are different rules for demigods.
Re: Re: FBI isn't against encryption
The FBI does not approve the use of encryption.
The FBI website now uses encryption.
Therefore, the FBI did not approve the modifications to its website.
Conclusion? The FBI website has been hacked. Proceed with caution.
Re: FBI isn't against encryption
This isn’t actually obvious. Cloudflare has the keys; it’s possible the FBI doesn’t.
Re: Re: FBI isn't against encryption
Since CloudFlare has the keys, it means that tips dot fbi dot gov can be sniffed by CloudFlare for any reports against them or any of their customers, and suppressed before it makes it to the FBI servers.
Re: FBI isn't against encryption
The FBI is against encryption it can’t get the keys to. Obviously FBI holds the encryption keys to its own website. This post seems to be reaching pretty far.
What part of “So that’s the challenge: working with those companies to build technological solutions to prevent encryption above all else” don’t you understand?
I hate to say this, but SSL, which HTTPS is based on, can be cracked, so encrypting the connection to the website will not work.
Before possibly going on one road trip next week, I have been configuring an OpenVPN server on the machine that runs my online radio station, so I can get past Metro/TMobile’s blocking of L2TP and PPTP VPNs.
I was testing this in Taco Bell, which has some of the tightest filtering around. I found I could connect to my server, but if I tried to access a site they were filtering, it would still be blocked. Somehow, Taco Bell has found a way to crack SSL.
If Taco Bell can crack SSL, anybody can. So even SSL/HTTPS visits to the FBI website, or any other website, can be cracked and sniffed.
Re: Taco Layer Security (TLS)
Yes, there are weaknesses, but I must doubt such an allegation when we have no way to verify it. We do not know you have a reputation for doing this right. We do not know where you tested it. We do not know whether they were filtering content (implying they could read and change the stream) or blocking whole netblocks (implying they know where you are going, but not what you are saying).
Cracking SSL/TLS is more trouble than interfering with a plaintext HTTP connection. Using HTTPS can stop some classes of attacks, and makes others more trouble to implement. It is not a perfect solution, but it is better than doing nothing, and it is relatively easy to implement.
Re: Re: Taco Layer Security (TLS)
Yeah, it doesn’t work very well if you don’t do it right. I think I’ll go do some testing at my local Taco Bell and see what’s up.
Re: Re:
Re: Re:
Re: Re: Re:
Yeah, seems like a DNS leak.
I noticed the other day that a mis-typed domain name popped up my ISP’s obnoxious “Couldn’t find that site, so here are some ads instead” page whereas my traffic should have been flowing entirely through my VPN. A quick trip to my VPN software settings fixed the issue.
Re: Re: Re: Countering (some) consequences of ISP DNS hijacking
If your ISP uses a fixed and small set of IP addresses for the answer they give when they should have given NXDOMAIN, I suggest blocking those addresses on your router. I do this, so now I get a “No route to host” error when my ISP tries to send me to an ad-laden interception page. It is not as good as the “No such host” that they should have returned, but it at least prevents unwary applications from connecting to the ISP’s trap server.
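The router-side blocklist described in the comment above, as an added example that is not from the commenter: it classifies what a resolver answers for random names that cannot exist (NXDOMAIN versus a small fixed set of trap addresses) and emits the nftables commands that produce the “No route to host” behaviour. The resolver answers are constructed samples using RFC 5737 documentation addresses; a real run would feed in actual lookups.

```python
import random
import string

def probe_names(count=5, suffix=".com"):
    """Random 12-letter labels that will not exist; an honest resolver answers NXDOMAIN for all of them."""
    return ["".join(random.choices(string.ascii_lowercase, k=12)) + suffix for _ in range(count)]

def classify(responses, max_trap_ips=4):
    """responses: {name: (rcode, [A-record addresses])} for names that cannot exist.
    'clean' when every answer is NXDOMAIN; 'hijacked' when NXDOMAIN never appears and the
    answers point at a small fixed set of addresses (the ISP's interception page); else 'unknown'."""
    rcodes = {rcode for rcode, _ in responses.values()}
    ips = {ip for _, addrs in responses.values() for ip in addrs}
    if rcodes == {"NXDOMAIN"} and not ips:
        return "clean", set()
    if "NXDOMAIN" not in rcodes and 0 < len(ips) <= max_trap_ips:
        return "hijacked", ips
    return "unknown", ips

def nft_rules(ips, table="inet filter", chain="forward"):
    """nftables commands that refuse traffic to the trap addresses with host-unreachable,
    which applications report as 'No route to host'. The forward chain covers LAN clients
    behind the router; use chain='output' to protect the router host itself."""
    ordered = sorted(ips, key=lambda a: tuple(int(o) for o in a.split(".")))
    return [f"nft add rule {table} {chain} ip daddr {ip} reject with icmp type host-unreachable"
            for ip in ordered]

# Constructed samples (RFC 5737 documentation addresses), not real resolver output.
HONEST = {n: ("NXDOMAIN", []) for n in probe_names()}
TRAP = {n: ("NOERROR", ["198.51.100.10" if i % 2 else "198.51.100.11"])
        for i, n in enumerate(probe_names())}

if __name__ == "__main__":
    for label, resp in (("honest", HONEST), ("trap", TRAP)):
        status, ips = classify(resp)
        print(label, status, *nft_rules(ips), sep="\n  ")
```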
Re: Re:
Something’s up here… TLS can be cracked, but not easily — and usually it’s done by the gateway doing a transparent proxy (where you actually connect to IT and it securely connects to your destination) or by the gateway or another device on the network sniffing out your TLS connection attempt and forging a “negotiate to SSL1” packet response — at which point, you’re still encrypted, but the encryption can be cracked without too much work.
The other thing that could be happening here is you could still be using Taco Bell’s DNS resolver. If you just set all your devices to use 8.8.8.8 for DNS, Google will be able to track you, but most domain blocking will vanish — especially over TLS.
So make sure your OpenVPN configuration is set up to NOT fall back to SSL, and is set up to use a trusted DNS (or 8.8.8.8) and not the DNS provided via DHCP by an ISP.
Re: Re: Re:
TLS is usually cracked through a downgrade attack. To protect against that it usually requires a *nix server so you can use TLS_FALLBACK_SCSV, or a client that no longer supports SSLv3, such as the newest Firefox or Chrome. Basically what you do is reject the encryption method of TLSv1, which then downgrades to the hackable SSLv3. The problem also arises when the server is using vulnerable encryption algorithms such as RC4 ciphers. Check out Qualys for some great technical details: https://www.ssllabs.com/
Re: Re:
I’m not sure why you are worried about SSL being insecure. You should be using TLS.
Re: SSL ... can be cracked
That’s why we use TLS nowadays. All versions of SSL as such are obsolete.
Re: Re:
HTTPS doesn’t encrypt the domain name of the HTTP request, so you can implement domain-name-based filters on encrypted traffic. My workplace does this (as do many) to block access to sites they don’t want employees visiting at work, even when those sites use HTTPS.
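Two points in the comments above (TLS_FALLBACK_SCSV in the downgrade comment, and the hostname being visible even though the connection is HTTPS) both come down to what sits in plaintext in the ClientHello. The example below is added here and is not from any commenter: it assembles a constructed ClientHello, parses out the client version, cipher suites and SNI, and applies the RFC 7507 server-side rule for the fallback SCSV. The builder function and the sample hostname are assumptions for illustration, not a captured handshake.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600   # RFC 7507 signalling cipher suite value
EXT_SERVER_NAME = 0x0000     # RFC 6066 server_name (SNI) extension

def build_client_hello(version, cipher_suites, sni=None):
    """Assemble a minimal ClientHello inside a TLS record (constructed sample, not a capture)."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"     # version, random, empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                                             # one compression method: null
    ext = b""
    if sni:
        name = sni.encode()
        sn_list = b"\x00" + struct.pack("!H", len(name)) + name    # name_type=host_name, length, name
        sn_data = struct.pack("!H", len(sn_list)) + sn_list
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sn_data)) + sn_data
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (client_version, cipher_suites, sni); all of this is plaintext on the wire."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9                                                           # 5-byte record + 4-byte handshake header
    version = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + 32                                                     # client_version + random
    p += 1 + record[p]                                              # session id
    n = struct.unpack("!H", record[p:p + 2])[0]
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p + 2, p + 2 + n, 2)]
    p += 2 + n
    p += 1 + record[p]                                              # compression methods
    sni = None
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p < ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == EXT_SERVER_NAME:                                # list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            sni = record[p + 5:p + 5 + name_len].decode()
        p += elen
    return version, suites, sni

def server_accepts(client_version, suites, server_max=0x0303):
    """RFC 7507: SCSV present with a version below our best means a downgrade retry; refuse it."""
    if TLS_FALLBACK_SCSV in suites and client_version < server_max:
        return False, "inappropriate_fallback"
    return True, "ok"
```

A middlebox that sees the same bytes can read the SNI without any key, which is the filtering described in the comment; the SCSV check is what a correctly configured server does to refuse the downgrade retry.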
Re: Re:
Any encryption can be cracked. A matter of time and computing power.
Re: Taco Bell
Were you redirected from a https:// URL to a block page, or did you accidentally enter a http:// URL that got sniffed and redirected?
Or did you just get a browser error?
Either way, did your browser warn you of a certificate failure?
“do what I say or else, while I do the exact opposite” has been the standard for the US governmental agencies for decades now.
Re: Re:
That’s not exactly what’s going on. The fed’s stance has never been that nobody should be able to use encryption. Their stance is that they should get the keys to all the encryption. In this case, they have the keys (since it’s their website).
There is no hypocrisy there. Their position remains consistent.
Is the FBI using some sort of backdoor/frontdoor HTTPS protocol for their website? Or do they just push that crap on other people?
Re: Re:
They don’t need a backdoor to HTTPS for this. The crypto channel encrypts the data between your browser and the website you’re accessing. The website gets the decrypted data. This is the FBI’s website, so they get to see all the traffic to/from it without subverting encryption.
Since only child molesters benefit from encryption, does this mean they have to let a pedophile out of prison every time someone visits fbi.gov?
CloudFlare is a CDN
CloudFlare is a CDN, and the cert as well as http://www.fbi.gov are hosted at CloudFlare. That means public traffic goes through a 3rd party CDN.
That doesn’t necessarily mean that the connection between CloudFlare and the origin is encrypted or not. And it also opens up a whole can of worms of potential pitfalls with caching HTTP headers – potentially leaking not-public information to storage in a public cache.
FBI's site uses FBI compliant encryption
The encryption of fbi dot gov is fully FBI compliant, as it has a backdoor in it called CloudFlare’s servers.
Don’t try to report any crimes committed by CloudFlare on tips dot fbi dot gov since it is also infected with CF.