FBI, While Hating On Encryption, Starts Encrypting All Visits To Its Website

from the funny-how-that-works dept

Last week, the Wikimedia Foundation announced that it was moving to encrypting access to all Wikipedia sites via HTTPS. This was really big news, and a long time coming. Wikipedia had been trying to move in this direction for years with fairly slow progress -- in part because some in the Wikimedia community had an irrational dislike of HTTPS. Thankfully, the Wikimedia Foundation pushed forward anyway, recognizing that the privacy of what you're browsing can be quite important.

And yet, I don't think that was the most significant website shift to HTTPS-by-default in the last week. Instead, that honor has to go to... [drumroll please]... FBI.gov. No, seriously. This may surprise you. After all, this is the very same FBI that just a couple of weeks ago had its assistant director Michael Steinbach tell Congress that companies needed to "prevent encryption above all else." Really. And it's the same FBI whose director has been deliberately scaremongering about the evils of encryption. The same director who insisted the world's foremost cybersecurity experts didn't understand when they told him that his plan to backdoor encryption was bonkers. The very same FBI who used to recommend mobile encryption to keep your data safe, but quietly deleted that page (the FBI claims it was moved to another site, but...).

But that very same FBI that has spent the past few months disparaging encryption at every opportunity apparently went over to Cloudflare and had the company help it get HTTPS set up. No joke.
The FBI.gov site now automatically pushes you to an encrypted connection. Because, no matter what the FBI says, encryption is good. And the FBI's techies know that.

Remember how, just last week, the US CIO announced that all federal government websites would be moving to HTTPS? Well, thankfully, the CIO's office is also tracking how well it's doing. Just yesterday, here's what it said about FBI.gov:
And, here's what it says now:
(If you're interested, you can see the pull request on GitHub that has the change as well).

Either way, kudos to the FBI for letting us encrypt our connections. Now, please don't get in the way of us encrypting our data as well.

Filed Under: encryption, fbi, fbi.gov, https


Reader Comments



  • Ninja (profile), 16 Jun 2015 @ 10:37am

    Next time he starts with his "encryption is evil" nonsense I hope some reporter asks him why FBI.GOV is enforcing encryption then. I picture him starting to foam from his mouth while saying incomprehensible things till his head pops. What I don't picture is him recognizing he was bullshitting and that encryption is as evil as a pressure cooker. Both can be used for evil but the good uses largely outweigh any bad uses.


  • Anonymous Coward, 16 Jun 2015 @ 10:47am

    FBI isn't against encryption

    The FBI is against encryption it can't get the keys to. Obviously FBI holds the encryption keys to its own website. This post seems to be reaching pretty far.


    • Anonymous Coward, 16 Jun 2015 @ 11:06am

      Re: FBI isn't against encryption

      The FBI would never investigate itself so it can and will use encryption all it wants. It just wants to keep encryption away from everyone else.


      • Anonymous Coward, 16 Jun 2015 @ 12:12pm

        Re: Re: FBI isn't against encryption

        Well, of course there are different rules for demigods.


      • Anonymous Coward, 16 Jun 2015 @ 12:14pm

        Re: Re: FBI isn't against encryption

        The FBI does not approve the use of encryption.
        The FBI website now uses encryption.
        Therefore, the FBI did not approve the modifications to its website.

        Conclusion? The FBI website has been hacked. Proceed with caution.


    • Anonymous Coward, 16 Jun 2015 @ 12:15pm

      Re: FBI isn't against encryption

      > The FBI is against encryption it can't get the keys to. Obviously FBI holds the encryption keys to its own website.

      This isn't actually obvious. Cloudflare has the keys; it's possible the FBI doesn't.


      • William, 7 Jan 2016 @ 3:19pm

        Re: Re: FBI isn't against encryption

        Since CloudFlare has the keys, it means that tips dot fbi dot gov can be sniffed by CloudFlare for any reports against them or any of their customers, and suppressed before it makes it to the FBI servers.


    • Anonymous Coward, 16 Jun 2015 @ 1:50pm

      Re: FBI isn't against encryption

      > The FBI is against encryption it can't get the keys to. Obviously FBI holds the encryption keys to its own website. This post seems to be reaching pretty far.

      What part of "So that’s the challenge: working with those companies to build technological solutions to prevent encryption above all else" don't you understand?


  • Anonymous Coward, 16 Jun 2015 @ 11:16am

    I hate to say this, but SSL, which HTTPS is based on, can be cracked, so encrypting the connection to the website will not work.

    Before possibly going on one road trip next week, I have been configuring an OpenVPN server on the machine that runs my online radio station, so I can get past Metro/T-Mobile's blocking of L2TP and PPTP VPNs.

    I was testing this in Taco Bell, which has some of the tightest filtering around. I found I could connect to my server, but if I tried to access a site they were filtering, it would still be blocked. Somehow, Taco Bell has found a way to crack SSL.

    If Taco Bell can crack SSL, anybody can. So even SSL/HTTPS visits to the FBI website, or any other website, can be cracked and sniffed.


    • Anonymous Coward, 16 Jun 2015 @ 11:29am

      Re: Taco Layer Security (TLS)

      Yes, there are weaknesses, but I must doubt such an allegation when we have no way to verify it. We do not know you have a reputation for doing this right. We do not know where you tested it. We do not know whether they were filtering content (implying they could read and change the stream) or blocking whole netblocks (implying they know where you are going, but not what you are saying).

      Cracking SSL/TLS is more trouble than interfering with a plaintext HTTP connection. Using HTTPS can stop some classes of attacks, and makes others more trouble to implement. It is not a perfect solution, but it is better than doing nothing, and it is relatively easy to implement.


      • Anonymous Coward, 16 Jun 2015 @ 12:17pm

        Re: Re: Taco Layer Security (TLS)

        Yeah, it doesn't work very well if you don't do it right. I think I'll go do some testing at my local Taco Bell and see what's up.


    • Anonymous Coward, 16 Jun 2015 @ 11:45am

      Re:

      > Taco Bell, which has some of the tightest filtering around

      Is there some crowdsourced place to find out information about public wi-fi? That would be interesting.


    • Anonymous Coward, 16 Jun 2015 @ 12:29pm

      Re:

      > I was testing this in Taco Bell, which has some of the tightest filtering around. I found I could connect to my server, but if I tried to access a site they were filtering, it would still be blocked. Somehow, Taco Bell has found a way to crack SSL.

      Or, more simply, your DNS requests went over the local link instead of over the VPN (or they went over both but the local link answered first), and they are doing a DNS-based block. When you see hoofprints, think horses, not zebras.


      • Chris Rhodes (profile), 16 Jun 2015 @ 1:06pm

        Re: Re:

        Yeah, seems like a DNS leak.

        I noticed the other day that a mis-typed domain name popped up my ISP's obnoxious "Couldn't find that site, so here are some ads instead" page whereas my traffic should have been flowing entirely through my VPN. A quick trip to my VPN software settings fixed the issue.


        • Anonymous Coward, 16 Jun 2015 @ 1:10pm

          Re: Re: Re: Countering (some) consequences of ISP DNS hijacking

          If your ISP uses a fixed and small set of IP addresses for the answer they give when they should have given NXDOMAIN, I suggest blocking those addresses on your router. I do this, so now I get a "No route to host" error when my ISP tries to send me to an ad-laden interception page. It is not as good as the "No such host" that they should have returned, but it at least prevents unwary applications from connecting to the ISP's trap server.


    • Anonymous Coward, 16 Jun 2015 @ 4:46pm

      Re:

      Something's up here... TLS *can* be cracked, but not easily -- and usually it's done by the gateway doing a transparent proxy (where you actually connect to IT and it securely connects to your destination) or by the gateway or another device on the network sniffing out your TLS connection attempt and forging a "negotiate to SSL1" packet response -- at which point, you're still encrypted, but the encryption can be cracked without too much work.

      The other thing that could be happening here is you could still be using Taco Bell's DNS resolver. If you just set all your devices to use 8.8.8.8 for DNS, Google will be able to track you, but most domain blocking will vanish -- especially over TLS.

      So make sure your OpenVPN configuration is set up to NOT fall back to SSL, and is set up to use a trusted DNS (or 8.8.8.8) and not the DNS provided via DHCP by an ISP.


      • Anonymous Coward, 16 Jun 2015 @ 5:02pm

        Re: Re:

        TLS is usually cracked through a downgrade attack. To protect against that, it usually requires a *nix server so you can use TLS_FALLBACK_SCSV, or a client that no longer supports SSLv3, such as the newest Firefox or Chrome. Basically what you do is reject the encryption method of TLSv1, which then downgrades to the hackable SSLv3. The problem also arises when the server is using vulnerable encryption algorithms such as RC4 ciphers. Check out Qualys for some great technical details: https://www.ssllabs.com/


    • Michael, 16 Jun 2015 @ 4:47pm

      Re:

      I'm not sure why you are worried about SSL being insecure. You should be using TLS.


    • Lawrence D’Oliveiro, 16 Jun 2015 @ 6:31pm

      Re: SSL ... can be cracked

      That’s why we use TLS nowadays. All versions of SSL as such are obsolete.


    • Eric Mill (profile), 17 Jun 2015 @ 8:44am

      Re:

      HTTPS doesn't encrypt the domain name of the HTTP request, so you can implement domain-name-based filters on encrypted traffic. My workplace does this (as do many) to block access to sites they don't want employees visiting at work, even when those sites use HTTPS.


    • Anonymous Coward, 18 Jun 2015 @ 6:08pm

      Re:

      Any encryption can be cracked. A matter of time and computing power.


    • William, 7 Jan 2016 @ 3:18pm

      Re: Taco Bell

      Were you redirected from a https:// URL to a block page, or did you accidentally enter a http:// URL that got sniffed and redirected?
      Or did you just get a browser error?
      Either way, did your browser warn you of a certificate failure?


  • Anonymous Coward, 16 Jun 2015 @ 12:48pm

    "do what I say or else, while I do the exact opposite" has been the standard for the US governmental agencies for decades now.


    • John Fenderson (profile), 18 Jun 2015 @ 6:41am

      Re:

      That's not exactly what's going on. The fed's stance has never been that nobody should be able to use encryption. Their stance is that they should get the keys to all the encryption. In this case, they have the keys (since it's their website).

      There is no hypocrisy there. Their position remains consistent.


  • Anonymous Coward, 16 Jun 2015 @ 10:26pm

    Is the FBI using some sort of backdoor/frontdoor HTTPS protocol for their website? Or do they just push that crap on other people?


    • John Fenderson (profile), 18 Jun 2015 @ 6:39am

      Re:

      They don't need a backdoor to HTTPS for this. The crypto channel encrypts the data between your browser and the website you're accessing. The website gets the decrypted data. This is the FBI's website, so they get to see all the traffic to/from it without subverting encryption.


  • Anonymous Coward, 17 Jun 2015 @ 6:28am

    Since only child molesters benefit from encryption, does this mean they have to let a pedophile out of prison every time someone visits fbi.gov?


  • Joshua Ginsberg, 17 Jun 2015 @ 9:37am

    CloudFlare is a CDN

    CloudFlare is a CDN, and the cert as well as www.fbi.gov are hosted at CloudFlare. That means public traffic goes through a third-party CDN.

    That doesn't tell you whether the connection between CloudFlare and the origin is encrypted or not. And it also opens up a whole can of worms of potential pitfalls with caching HTTP headers - potentially leaking non-public information to storage in a public cache.


  • William, 7 Jan 2016 @ 3:13pm

    FBI's site uses FBI compliant encryption

    The encryption of fbi dot gov is fully FBI compliant, as it has a backdoor in it called CloudFlare's servers.
    Don't try to report any crimes committed by CloudFlare on tips dot fbi dot gov since it is also infected with CF.
