How Serious Is James Clapper About Cybersecurity When His Office Can't Even Get Its SSL Certificate Right?

from the just-asking dept

James Clapper and the Office of the Director of National Intelligence (ODNI) have been among the loudest FUD-spewers concerning the "threats" to cybersecurity out there, and the need for massively dangerous "cybersecurity" legislation that would really just open up the ability for the Intelligence Community to get more access to private data. However, security researcher and ACLU guy Chris Soghoian noticed yesterday that the SSL security certificate on the ODNI website isn't even valid:
In response, Soghoian joked: "[ODNI], I'll make you a deal: You fix your website's broken encryption cert, and I'll start to take your cyber fearmongering seriously."

Reader Comments

  1. Ninja (profile), Jul 24th, 2014 @ 6:42am

    He doesn't care about cybersecurity. That's not their real agenda.

  2. Rabbit80 (profile), Jul 24th, 2014 @ 6:55am

    Erm..

    You realise there is still a problem with the SSL here on Techdirt, right? According to Chrome there are still elements that are not secure! Opera throws an error about Akamai Technologies when I try to visit TD.

  3. Anonymous Coward, Jul 24th, 2014 @ 7:56am

    Re: Erm..

    Techdirt isn't a "cybersecurity" website. And its SSL certificate is valid.

  4. Chronno S. Trigger (profile), Jul 24th, 2014 @ 8:00am

    Re: Erm..

    Where do you see that? My Chrome doesn't say anything about elements being insecure. This is a legitimate question, not sarcasm. I want to know where my local security might be lacking.

  5. Anonymous Coward, Jul 24th, 2014 @ 8:02am

    Just use addons everyone should be using and you'll be fine.

  6. Anonymous Coward, Jul 24th, 2014 @ 8:05am

    I get a certificate popup every time I visit TechDirt on my Android phone.

  7. beech, Jul 24th, 2014 @ 8:15am

    Response to: Anonymous Coward on Jul 24th, 2014 @ 8:05am

    I get a security warning occasionally on my Android... I think it happens when there's a .pdf on a page.

  8. BigKeithO, Jul 24th, 2014 @ 8:16am

    Re: Re: Erm..

    "Your connection to www.techdirt.com is secured with 128-bit encryption. However, this page includes other resources that are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page."

    and

    "This page includes a script from unauthenticated sources."

    I'd post a pic but I don't think that is possible on Techdirt. This warning has been on the site since it went SSL.

  9. beech, Jul 24th, 2014 @ 8:17am

    But guys, if he properly encrypted his site it would make it harder for the NSA to protect him from terrorists!

  10. Anonymous Coward, Jul 24th, 2014 @ 8:19am

    ODNI is what you would refer to as an 'anti role model'.

    Do the opposite of what it recommends.

  11. Chronno S. Trigger (profile), Jul 24th, 2014 @ 8:24am

    Re: Re: Re: Erm..

    I didn't ask what warning, I asked where. I'm not seeing this anywhere in Chrome or Firefox. Where do I see this message?

    And keep in mind that if you use a proxy, it can screw with SSL connections.

  12. Anonymous Coward, Jul 24th, 2014 @ 8:28am

    Re: Re: Re: Erm..

    That warning means the ads and/or other third-party resources are not being loaded with SSL. If the ad sources have an SSL, then Techdirt can and should connect to them with https. If such connections are not available, though, I don't think there's anything Techdirt can do.

  13. Anonymous Coward, Jul 24th, 2014 @ 8:29am

    Worse when I go look

    Well, when I go look at the base URL I get something worse - lol:

    http://tinypic.com/r/15ft9qx/8

    Which says they (may be) trying to steal my information.

  14. Anonymous Coward, Jul 24th, 2014 @ 8:40am

    To be fair, TD did have a "not all content is secured" for a while...

  15. Rabbit80 (profile), Jul 24th, 2014 @ 8:56am

    Re: Re: Re: Re: Erm..

    On mine, the padlock symbol on the address bar has a warning symbol. Opera plain refuses to open the page unless I OK the warning.

  16. Rabbit80 (profile), Jul 24th, 2014 @ 8:57am

    Re: Re: Erm..

    I never said the cert was invalid. I said "there is still a problem with SSL here on Techdirt".

  17. hij (profile), Jul 24th, 2014 @ 9:02am

    This just proves he is right

    Do you people not see the real problem? The real problem is that they have to go to all that trouble to secure their own site, which only proves that the world is too dangerous, and we need some serious mollycoddling so that they can keep us safe. That is assuming that they can be bothered to go to that much trouble to do their job. Which, they apparently cannot do. Then again, maybe they use this to find the bad guys: http://www.cyclismo.org/cgi-bin/spirit.cgi

  18. Rocco Maglio (profile), Jul 24th, 2014 @ 10:09am

    It is not configured for https

    When I go to https://www.dni.gov/ and I accept the bad cert it does not take me to the site. It takes you to a page that says the site is down. They are using Akamai as a CDN and have not configured it for https access.

  19. Anonymous Coward, Jul 24th, 2014 @ 10:14am

    Is this the guy that charges $1 million for his "cybersecurity expertise"?

  20. allengarvin (profile), Jul 24th, 2014 @ 10:27am

    Eh, I've set up a lot of Akamaized sites in the past 15 years. That's not a real problem: it's someone who went to an Akamaized http site through https. You have to pay extra money to get their SSL versions, and then you have to CNAME your domain to another set of servers, their special SSL servers.

    If you put https in front of any site CNAME'd to Akamai that isn't paying for the extra SSL, you'll get basically the same error, because it sends you through their old edge network. It supports SSL, but it's for serving individual assets like images or SWFs.

    It's probably historically related to the way they rolled out different offerings. Basically, for this site, they didn't want to spend a few thousand extra a month for SSL offerings.

  21. jackn, Jul 24th, 2014 @ 10:32am

    Re: Re: Re: Re: Erm..

    They could not place SSL with non-SSL. That's basic stuff.

  22. Anonymous Coward, Jul 24th, 2014 @ 10:33am

    Re: Re: Re: Re: Erm..

    Oh, I am sure he's sorry. The message appears on the screen, have you checked your screen?

  23. jackn, Jul 24th, 2014 @ 10:34am

    Re:

    Thanks for the security pro-tip!

  24. Cpt Feathersword, Jul 24th, 2014 @ 10:36am

    A man-in-the-middle attack? Against ODNI? By NSA?

    One of NSA's clever tricks is to redirect traffic to go through a snoop node before it gets to the server. The snoop node pretends to be the real server and presents a forged SSL certificate so that it can decrypt both sides of the conversation. Browsers may detect the fake certificate and give a warning, but most users pay no attention and just click on through.

  25. Anonymous Coward, Jul 24th, 2014 @ 10:53am

    Re: Re: Re: Re: Erm..

    I'm seeing it as a yellow, traffic-sign-esque triangle in Chrome on the padlock next to the 'https://etc.' The main elements of TD are (I hope) still secure, but the ads and/or 3rd-party elements are unprotected, hence the yellow rather than the more in-your-face red.

  26. Anonymous Coward, Jul 24th, 2014 @ 10:53am

    He's not really into cybersecurity; this is about collection, threat management/assessment, and good ole blackmail.

  27. Anonymous Coward, Jul 24th, 2014 @ 10:57am

    Re: Re: Re: Re: Re: Erm..

    Also no proxy, just HTTPS Everywhere and blocking 3rd-party cookies, but it remains present when I disable those.

  28. Anonymous Coward, Jul 24th, 2014 @ 11:22am

    Re: Re: Re: Re: Re: Erm..

    Assuming that the content you need is available with an SSL connection, sure. But when your site makes third-party requests, you cannot guarantee all your content is available with SSL. That's up to the third party.

  29. Anonymous Coward, Jul 24th, 2014 @ 11:29am

    Re: Re: Re: Re: Erm..

    The message doesn't actually display in Chrome or Firefox unless you click the secure connection icon. In Chrome, it should have a yellow triangle to indicate only partial security. And in Firefox, instead of a padlock, it will be a gray triangle-with-an-exclamation point.

    It is the ads that are on plain http connections and causing this issue, though. So if you are viewing the site with an ad-blocker, it should actually come up totally secure.

  30. Anonymous Coward, Jul 24th, 2014 @ 11:31am

    Re: Re: Re: Re: Re: Erm..

    Funny, Opera for me just plain shows it as an "insecure" site as if it didn't use SSL at all.

  31. jackn, Jul 24th, 2014 @ 12:49pm

    Re: Re: Re: Re: Re: Re: Erm..

    It's up to the site owner to ensure their site is operating up to the satisfaction of its users.

    If you cannot guarantee all the content on the page (however delivered) isn't going to be secure, you can remove the third-party content or accept that your users are going to get warnings and either avoid your site, complain, or not care.

    Imagine you are at Amazon trying to check out with a credit card and you got this warning. How would you feel if Amazon said that is the responsibility of the third parties?

  32. Anonymous Coward, Jul 24th, 2014 @ 2:05pm

    Re: Re: Re: Re: Re: Re: Re: Erm..

    Well, I'm not entering any sensitive info here. Just entering a comment that will be public anyway. The only thing sensitive here is the login info for folks with registered accounts.

    And I can check where the form is submitting my data and make sure that that is secure at least.

    But I think a more likely point is also a site with a forum with user-generated content. Especially one allowing inline images. The forum should use SSL to protect user authentication information. But the users certainly aren't going to be only using https links in their image tags. So such a forum is guaranteed mixed-content warnings.

    Of course that doesn't apply to Techdirt. No inline images here. The only problem is the advertisers. In this case, the advertisements are part of the Techdirt business model. They cannot be removed without also eliminating what I have been led to believe is an important revenue stream. So the ads have to stay.

    Now, there are far more factors than just SSL in choosing who one uses as an advertiser. If the advertiser with the otherwise best deal doesn't offer SSL, then that puts you in a tight spot, doesn't it?

    In any case, the info actually going to Techdirt still remains secure. So there are only two impacts here:

    1. Someone with access to your line can see which advertisements you get. And that's gonna happen any time you visit a page using the same advertisement system. So nothing to really worry about, unless the advertiser is storing sensitive information in its tracking cookies.

    2. Users who don't know what mixed content warnings indicate might get spooked by the "Caution" indicator in their browser.

    Quite frankly, I find the second issue to be of greatest concern, and only for the folks running this site.

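The distinction the comments above draw, an http ad script on an https page versus an http image or a user-supplied image tag, is exactly what the two Chrome warnings quoted earlier in the thread encode (a script from "unauthenticated sources" versus "resources that are not secure"). The scanner below is an added example, not code from the thread; it classifies a page's subresources the same way, and the page URL and HTML it runs over are constructed samples.

```python
"""Classify mixed content on an https page: active subresources (scripts, frames,
stylesheets) can rewrite the page, passive ones (images, media) can only be
observed or swapped. Added example; the sample page below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for an https article that pulls in an http ad network.
SAMPLE_PAGE_URL = "https://blog.example/article"
SAMPLE_HTML = """
<html><head>
<script src="http://ads.example/tag.js"></script>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="//cdn.example/app.js"></script>
</head><body>
<img src="http://img.example/banner.png">
<img src="/static/logo.png">
<iframe src="http://ads.example/frame.html"></iframe>
<a href="http://other.example/">plain links are navigation, not subresources</a>
</body></html>
"""

# tag -> attribute that names the subresource, split by how browsers treat it
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            attr, severity = ACTIVE[tag], "active"
        elif tag in PASSIVE:
            attr, severity = PASSIVE[tag], "passive"
        else:
            return
        # only stylesheet <link>s are fetched as page content
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        url = attrs.get(attr)
        if not url:
            return
        # resolve "/path" and protocol-relative "//host/path" against the page,
        # so only an explicit http:// scheme counts as mixed content
        absolute = urljoin(self.page_url, url)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((severity, tag, absolute))


def scan_mixed_content(page_url, html):
    """Return the http:// subresources of an https page in document order."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def summarize(findings):
    """Map findings onto the two warnings quoted in the thread."""
    active = sum(1 for sev, _, _ in findings if sev == "active")
    passive = len(findings) - active
    return {"active": active, "passive": passive,
            "script_from_unauthenticated_sources": active > 0,
            "resources_not_secure": passive > 0}


if __name__ == "__main__":
    for finding in scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(*finding)
    print(summarize(scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML)))
```

Run against a fetched page, the active findings are the ones worth fixing first, since an http script or frame can alter everything else on the page.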
  33. Rabbit80 (profile), Jul 24th, 2014 @ 3:38pm

    Re: Re: Re: Re: Re: Re: Re: Re: Erm..

    The problem as I see it with mixed content warnings is that, as the average user cannot tell which parts are secure and which are not, if they start seeing this warning on trusted sites they will learn to ignore the warning on any site. This ultimately leads to a less secure internet.

  34. Whatever (profile), Jul 24th, 2014 @ 7:30pm

    Re:

    Don't confuse the discussion with things like facts and reality. People are just looking for the fast slam, the caught-you moment more than anything real.

    It may be that they are in the middle of a transition from direct hosting to using edge providers to give better service and to mitigate attacks on their servers. It's pretty normal. The SSL certificates will be all screwed up for a while; it's not a simple job to do when you are handling a network with so many possible exit URLs.

    But hey, it's fun to slam them for trying to make things better, right?

  35. allengarvin (profile), Jul 24th, 2014 @ 8:12pm

    Re: Re:

    Akamai is a good way to mitigate attacks, but it's an expensive one. I've just seen this particular error before, because my last company had a pretty deal with Akamai: we got around 7 cents a gig transferred. Not necessarily good compared to other CDNs but pretty good for Akamai. We would see this error because we'd get customers on Akamai, and then they'd do a security scan, it would come back highlighting that the SSL cert didn't match, and asked to fix it. Then, we'd say, ok, just pay for an Akamaized SSL site, which will cost you 5 times as much, plus you have to use Akamai as your SSL vendor, which makes netsol look cheap, and then they'd come back and say "no thanks".

    I found some other sites that will give you the same error:
    https://www.pepsi.com
    https://www.mountaindew.com

    You can tell which sites are on the Akamai SSL network by seeing what they're CNAME'd to. If it's edgesuite.net, it'll give a cert error. If it's edgekey.net, it's good:

    [agarvin@atg-home logs]$ dig +short www.pepsi.com
    www.pepsi.com.edgesuite.net.
    [agarvin@atg-home logs]$ dig +short www.aa.com
    aa.com.edgekey.net.

    Note this domain:

    [agarvin@atg-home logs]$ dig +short www.dni.gov
    www.dni.gov.edgesuite.net.

    Look at the cert with openssl s_client and you'll see the CN is for a248.e.akamai.net.

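The two checks in the comment above, which CNAME the hostname points at and whether the certificate's name satisfies the hostname the browser asked for, as an added example rather than the commenter's own dig and s_client commands. The CNAME target and certificate CN are the ones quoted in the comment, embedded as constructed sample data so the checks run offline; `probe_https` is a hypothetical helper that does over a socket what `openssl s_client` plus a browser's verification would do, and is not needed for the offline diagnosis.

```python
"""Reproduce the diagnosis offline: an edgesuite.net CNAME plus a certificate
issued to a248.e.akamai.net cannot satisfy a browser asking for www.dni.gov.
Added example; the sample names are the ones quoted in the comment above."""
import socket
import ssl

# Constructed sample input, taken from the dig / s_client output in the comment.
SAMPLE_HOST = "www.dni.gov"
SAMPLE_CNAME_CHAIN = ["www.dni.gov.edgesuite.net."]
SAMPLE_CERT_CN = "a248.e.akamai.net"
SAMPLE_CERT_SANS = []          # no dNSName SAN observed, only a CN


def _name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, and a wildcard is honoured
    only as the whole left-most label, matching exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # "*.aa.com" covers www.aa.com but not aa.com or a.b.aa.com
    return len(p_labels) == len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]


def cert_matches_host(hostname, subject_cn, san_dns_names):
    """What a browser checks: dNSName SANs decide; the subject CN is consulted
    only when the certificate carries no dNSName SAN at all."""
    if san_dns_names:
        return any(_name_matches(n, hostname) for n in san_dns_names)
    return _name_matches(subject_cn, hostname)


def classify_akamai_cname(cname_chain):
    """The commenter's rule of thumb: edgesuite.net targets are the port-80
    network (https there presents a shared Akamai cert), edgekey.net targets
    are the SSL-provisioned network."""
    for name in cname_chain:
        target = name.lower().rstrip(".")
        if target.endswith(".edgesuite.net"):
            return "edgesuite"
        if target.endswith(".edgekey.net"):
            return "edgekey"
    return "unknown"


def diagnose(hostname, cname_chain, subject_cn, san_dns_names):
    """Combine both checks into one verdict a reviewer could act on."""
    matches = cert_matches_host(hostname, subject_cn, san_dns_names)
    network = classify_akamai_cname(cname_chain)
    if matches:
        verdict = "certificate is valid for this hostname"
    elif network == "edgesuite":
        verdict = "name mismatch: https is not provisioned on this CDN hostname"
    else:
        verdict = "name mismatch: investigate before trusting this endpoint"
    return {"hostname_matches_cert": matches, "network": network, "verdict": verdict}


def probe_https(hostname, port=443, timeout=5):
    """Live check (hypothetical helper, not exercised by the sample data):
    performs the same verification a browser does and returns (ok, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return True, tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as err:
        return False, err.verify_message
    except (OSError, ssl.SSLError) as err:
        return False, str(err)


if __name__ == "__main__":
    print(diagnose(SAMPLE_HOST, SAMPLE_CNAME_CHAIN, SAMPLE_CERT_CN, SAMPLE_CERT_SANS))
```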
  36. Androgynous Cowherd, Jul 24th, 2014 @ 10:33pm

    Java is affected too

    download.oracle.com gives the same security error. And it names the exact same domain as the one masquerading as download.oracle.com as apparently is masquerading as www.dni.gov: a248.e.akamai.net.

    Widespread MITM attack on security-sensitive sites? DNI, downloads for the (often buggy) Java plugin ...

  37. PaulT (profile), Jul 25th, 2014 @ 12:54am

    Re: Re: Re: Re: Erm..

    The warning varies. As I understand it, some of the content brought in from external sources (e.g. ads) doesn't always comply with the SSL, so you might see the Chrome padlock change occasionally from green to yellow. Other browsers will deal with this in different ways, but it will be intermittent depending on what content is served to you, whether you have ad blockers, etc.

  38. PaulT (profile), Jul 25th, 2014 @ 12:55am

    Re: Re: Re: Re: Re: Re: Re: Erm..

    "Imagine you are at amazon trying to check out with a credit card and you got this warning."

    You surely understand the massive Grand Canyon-sized difference between that example and people viewing an opinion blog, right?

  39. PaulT (profile), Jul 25th, 2014 @ 12:59am

    Re: Re:

    "Don't confuse the discussion with things like facts and reality."

    We don't mind that, what are the facts?

    "It may be..."

    Oh, you have none, you just wanted to inject a random theory that might allow you to white knight someone criticised in the article? Never mind.

  40. PaulT (profile), Jul 25th, 2014 @ 1:01am

    Re:

    That's a fair comment, but it's still a poor showing for the official site of a national security agency to be showing as potentially insecure, whatever the reason.

  41. Anonymous Coward, Jul 25th, 2014 @ 5:36am

    SOP for the GOV

    A LOT of GOVernment sites have invalid certs. This seems to be SOP.

  42. Anonymous Coward, Jul 25th, 2014 @ 5:42am

    Re: Re: Re: Re: Re: Re: Re: Re: Re: Erm..

    Indeed. With that in mind, the Opera approach may be best. Just display it as if there was no SSL at all. It wouldn't look any different from the majority of unsecured sites out there. And sites that absolutely require the security will continue to avoid mixed content to make sure the padlock does show up.

  43. Anonymous Coward, Jul 25th, 2014 @ 6:16am

    I'm sorry, the whole thing here is based around trusting the cert authorities; maybe the Government does trust them. Moxie says they can't be trusted, certs are copied and passed around; if that is the case then a self-signed cert like this is more secure.

  44. Anonymous Coward, Jul 25th, 2014 @ 6:36am

    Moxie Marlinspike: Google, read and watch videos, and in a few minutes you will see SSL is broken and useless.

    https://www.youtube.com/watch?v=pDmj_xe7EIQ

  45. Whatever (profile), Jul 25th, 2014 @ 7:54am

    Re: Re: Re:

    "Oh, you have none"

    Trying to pick a fight? You lose every time.

    Fact: They are using Akamai.
    Fact: In a transition time, their existing certificate would not be accurate.
    Fact: Their site is still secure, and in fact is likely more secure as a result of a move to use Akamai.

    Your facts? Name calling. Yup, you lost again.

  46. John Fenderson (profile), Jul 25th, 2014 @ 8:17am

    Re: Re: Re: Re:

    "is likely more secure as a result of a move to use Akamai."

    How so?

  47. Whatever (profile), Jul 25th, 2014 @ 8:22pm

    Re: Re: Re: Re: Re:

    There are a lot of potential reasons why caching / edge services tend to help security. The biggest in general is that it's much harder for people to DDoS the site, unless they know its original IP and attack it directly that way. Otherwise, their web traffic is generally sent to the cache, which acts as a sink (a really big one).

    Not sure about Akamai itself, but similar services will also sink or stop attempts to connect ssh, ftp, mail, and the like, removing the burden entirely from your servers - at least for people who try to connect by name rather than IP.

    http://www.akamai.com/html/solutions/security-services.html

    Basically, the fewer people who interact directly with your server, the less chance of problems.

  48. John Fenderson (profile), Jul 26th, 2014 @ 4:49pm

    Re: Re: Re: Re: Re: Re:

    DDoS doesn't count as a security problem in the sense being discussed here. Such attacks don't result in a security breach or the exposure of secure data.

    As to stopping connections to ssh, etc., that's beyond trivial to do in the first place by just not running those servers. It takes more technical expertise to set up the servers than to not set them up, so the technically clueless are already safe on those fronts by default.

    On your last point, that's true but the increased security you get that way is pretty minimal.

    On the flip side, if you're relying on an edge provider to enhance your security, you're making a security trade-off. Those providers are well-known, desirable attack vectors and draw the attention of far more, and far more skilled, crackers than your servers are likely to draw. And once they're hacked, all servers using them become vulnerable.

    Edge providers are very useful for traffic management, but thinking that using them gives a security benefit beyond what you can easily do for yourself is dubious at best.

  49. Anonymous Coward, Jul 27th, 2014 @ 10:51pm

    Read

    "My Chrome doesn't say anything about elements being insecure. [...] I want to know where my local security might be lacking."

    Hm, let's see... You're using a web browser developed by a for-profit, US-based multinational advertising/surveillance conglomerate/NSA "corporate partner" (i.e., collaborator) and PRISM participant; your "local security" is mainly lacking in the existence area.

    Read about NSA whistle-blower Ed Snowden's leaks, and read Bruce Schneier's blog if you're fool enough to trust Go-Ogle (or any other major US-based tech firms).

  50. John Fenderson (profile), Jul 28th, 2014 @ 8:32am

    Re: Re: Erm..

    It's the Akamai certificate that doesn't pass scrutiny. The error is that the name of the techdirt site on the cert does not match the name of the techdirt site itself. I'm guessing this is related to the switch to https, but I haven't investigated enough to know for certain.

    Chrome's cert checking has a number of holes. Just because it doesn't flag a cert doesn't automatically mean the cert is OK.

  51. allengarvin (profile), Jul 28th, 2014 @ 9:09am

    Re: Re: Re: Erm..

    Yes, it's the switch to https. If you click past the 'don't go here' you won't even get the site. I explained elsewhere that Akamai's "edgesuite" network which serves 80 is a completely different set of servers than those that serve 443 (which they used to call "edgekey" but now are branded something silly). When you go to https on edgesuite, you're connecting to their netstorage service. You get this with *every* Akamai customer that's on their edgesuite network.

