Senator Schumer Fails To Properly Use HTTPS On His Own Site, After Pushing Other Sites To Use It [Updated]

from the ooooops dept

This is just lovely. We just wrote about how Senator Chuck Schumer was pressuring websites to use HTTPS instead of HTTP, saying (not really accurately) that HTTP has a "security flaw." Plain HTTP isn't so much flawed as unprotected: it offers neither encryption nor any proof of which server you're talking to, so anyone on the same network can read, and hijack, the session. However, gojomo pointed out in a comment on that post that Schumer's own page, when you hit it via HTTPS at https://schumer.senate.gov/, reports:
"schumer.senate.gov uses an invalid security certificate."

Ooops. Both Firefox and Chrome warn you not to proceed, because the connection is "untrusted" or "might not be the site you are looking for." A warning like that means the certificate the server handed over failed one of the browser's checks: it was issued for a different hostname, it was signed by an authority the browser doesn't trust, or it has expired. This is probably just a small technical error by Schumer's tech staff, but it does look pretty bad when he's out there grandstanding on HTTPS. Of course, this isn't to diminish that HTTPS is a useful tool that many websites should use to protect users, but it's not clear that we want politicians telling websites what protocols to use (especially when they haven't quite figured them out themselves).

Update: Some great points in the comments highlighting that Schumer and his staff don't control the tech behind his Senate website, and any such cert would have to be controlled by the Senate IT folks. They also pointed out that Schumer's Senate site does not appear to take user info or logins, so HTTPS wouldn't much matter there. However, his personal/campaign site does appear to take info and also does not use HTTPS.

Separately, others pointed out that one of the sites he called out -- Amazon -- does use HTTPS when you log in and/or order, and his calling them out suggests they're unsafe when it appears they are safe.

Filed Under: chuck schumer, https


Reader Comments

  •
    Lobo Santo (profile), 1 Mar 2011 @ 1:46pm

    On the other hand

    Perhaps he's attempting to demonstrate how difficult https is to implement, and will next be grandstanding about a better, faster, more secure, easier to implement method of connecting to web pages.

    •
      lux (profile), 1 Mar 2011 @ 2:35pm

      Re: On the other hand

      "Perhaps he's attempting to demonstrate how difficult https is to implement"

      Er, you're joking? Either get a signed cert from a CA or create your own - either way, certs aren't too difficult to maintain/implement.

      •
        Miff (profile), 1 Mar 2011 @ 7:06pm

        Re: Re: On the other hand

        Creating your own is a terrible idea, because then you end up with a big "CERTIFICATE ERROR". :x

  •
    Anonymous Coward, 1 Mar 2011 @ 1:47pm

    You don't have permission to access / on this server.

    There isn't anything on the secure server. It's a dead address. His site isn't "secure" in that manner, so it isn't surprising it doesn't work.

    That and the fact that the certificate would be controlled by senate.gov, and not the senator or his staff.

    •
      Mike Masnick (profile), 1 Mar 2011 @ 2:38pm

      Re:

      That and the fact that the certificate would be controlled by senate.gov, and not the senator or his staff.


      That's a good point -- though, again seems to highlight the problem of him telling private companies that they have to do this, right?

      •
        Anonymous Coward, 1 Mar 2011 @ 2:50pm

        Re: Re:

        HTTPS is not security anyway. It's a false sense of security. Ask the OpenBSD people, they'll lecture you about it. There are still ways "around" it, and/or if you hack your way into the machine to replace it, etc...

        It's like putting an electronic lock on your car.. it might help if you lose the key, but down the line, someone can still steal your car with fairly low-tech tools.

      •
        Anonymous Coward, 1 Mar 2011 @ 7:41pm

        Re: Re:

        Not really. senate.gov's certificate gets pulled when you pull any third level (there is that pesky reason why third levels are not the same). So you can https any of the individual sites, and get the same reaction. It's as much a browser fault as anything else. I don't think that Mr Schumer had any https site specifically set up.

  •
    Jon B., 1 Mar 2011 @ 2:03pm

    Right, I'm pretty sure his staff doesn't control senate.gov, and as such wouldn't be able (unilaterally anyway) to set up a cert for schumer.senate.gov. And it's not like someone linked to https://schumer.senate.gov - some guy just went and tried to access it in response to the article from earlier this morning. It's no surprise at all the server isn't configured to serve individual officials' subdomains as HTTPS. They *could* get a *.senate.gov cert, but there's good reasons not to do that, too.

    I'm not a fan of the guy but I don't know why we're giving him grief over something he can't control. It's apparently based on him 'recommending' something and therefore might speculatively push for legislation in some regard. I dunno. Maybe I missed something.

    •
      weneedhelp (profile), 1 Mar 2011 @ 2:11pm

      Re: Maybe I missed something

      "him 'recommending' something and therefore might speculatively push"

      That's the problem, so many politicians recommend stuff without actually understanding how it works.

  •
    Anonymous Coward, 1 Mar 2011 @ 2:05pm

    Lame Story...nothing to see here

  •
    Drew (profile), 1 Mar 2011 @ 2:08pm

    So what?

    Why the hell are you railing against someone making a REALLY good point? Sure his implementation was poor, but what's the point in ripping him for "grandstanding" and then claiming that politicians should be "telling websites what protocol to use?"

    I mean, he's right. Stop trying to gin up controversy.

    •
      Stuart, 1 Mar 2011 @ 3:00pm

      Re: So what?

      A really good point is one thing. A government telling everyone how to do shit with new laws is something else altogether.

      •
        Drew (profile), 1 Mar 2011 @ 3:23pm

        Re: Re: So what?

        There doesn't appear to be any such law proposed. For the time being, it sounds like this is just a politician supporting a good idea.

  •
    blah, 1 Mar 2011 @ 2:18pm

    https is broken

    Rather than promoting https as the way to solve security problems (really, I would promote it as a way to help solve privacy issues, tbh) - perhaps we should actually fix it first.

    https and SSL are a great way for a small number of Certificate Authority companies to make a boatload of cash for doing very little. I wouldn't be surprised if Verisign approached this guy and lobbied for this.

  •
    Jeff Kim, 1 Mar 2011 @ 2:20pm

    CDNetworks provides last mile HTTPS feature

    CDNetworks protects its customers from the Firesheep security threat with a “last-mile-secure” feature within its Content Acceleration SSL product. This innovative solution requires no changes to the websites of CDNetworks’ customers. Instead, CDNetworks communicates with websites in clear HTTP, and then transforms their responses to end users via SSL over HTTPS. This renders the Firesheep plug-in completely ineffective. http://www.businesswire.com/news/home/20101104005744/en/CDNetworks-Protects-Firesheep-Last-Mile-Secure-Feature

  •
    Dean Landolt, 1 Mar 2011 @ 2:22pm

    Mike, I love you man, but you're really out of your element here. It's already been pointed out how Schumer's staff wouldn't control the cert, and that it's a dead endpoint anyway, and that (surprisingly!) the senator is actually *correct*...

    But more importantly: if you understood the attack vector in question you'd understand that it is only really relevant for hijacking user sessions in progress. If you'd looked at the port 80 version of the site you may notice the lack of a login feature anywhere, thus your complaint is completely baseless. In this case you're the one doing the grandstanding.

  •
    Anonymous Coward, 1 Mar 2011 @ 2:45pm

    Firefox can't find the server at schumer.senate.gov.

    $ host schumer.senate.gov
    ;; connection timed out; no servers could be reached

    Fail.

    •
      Anonymous Coward, 1 Mar 2011 @ 2:46pm

      Re:

      $ dig @sen-dmzp.senate.gov schumer.senate.gov
      dig: couldn't get address for 'sen-dmzp.senate.gov': not found

      Fail...er.

  •
    iamtheky (profile), 1 Mar 2011 @ 2:49pm

    "(especially when they haven't quite figured them out themselves)"

    is a fitting way to end a post that is also not too keen on the way the internet works. But it's just small technical errors on your staff's part, but it does look pretty bad when you are out there grandstanding about grandstanding.

  •
    Steven (profile), 1 Mar 2011 @ 2:49pm

    This is why I love Techdirt

    This is one of the reasons I love this site. In no time at all the commenters have basically nailed Mike on several different points and added much more information to the story. The folks here don't seem to have much of a 'follow whatever Mike says' tendency.

    While I don't think this is really a story I do think this is an anecdotal situation of a much larger problem. Politicians just deciding to get involved in situations the government has no reason to be in.

  •
    JH, 1 Mar 2011 @ 2:56pm

    Since there aren't any forms on Schumer's site that prompt users for personal info AFAICT, HTTPS doesn't really seem necessary to me.

    What does bother me about this is it seems like defamation for Schumer to call out Amazon specifically when Amazon already uses HTTPS for sign-in and checkout. People who don't know the details of SSL are going to hear this and think they aren't safe shopping on/signing into Amazon at all. This could boil down to a loss of business for Amazon if people take this as "Amazon is insecure". I'm not sure what else Schumer wants from Amazon. Does he want browsing of the site to be done through HTTPS as well? If so then Mike is correct, Schumer's site should be protected by HTTPS too. If he's really concerned about HTTPS he could redirect http://schumer.senate.gov (which others have pointed out he most likely has no control over) to https://chuckschumer.com/ (which I'm sure he has control over).

    Actually...looking at chuckschumer.com there is a place to submit your email address and zip code, and there is no secure option...

  •
    addie, 1 Mar 2011 @ 3:51pm

    https is misunderstood

    Https is for encrypting the connection between the browser and the remote server. Https is not for authentication, as much as the cert authorities want you to confuse the two. There is a tor person blog post about life without a CA that highlights this fact.

    •
      mirradric, 1 Mar 2011 @ 9:20pm

      Re: https is misunderstood

        Actually, https IS used for authentication, and this authentication is in fact a very important part of https. The catch is that the party being authenticated is the web server, rather than the client/end user, by way of its certificate.
        This is a very important step in preventing man in the middle attacks. After all, if you have been talking to the wrong party to begin with, no amount of encryption will help you.
        This authentication is supposed to be provided by the certificate authorities which sign the individual server certificates to create a "web of trust". Of course, there are other ways to determine that certificates (like self signed ones) are valid (like issuing your own certificate authority cert, comparing fingerprints etc.). If such arrangements for verifying the certificate are in place, using the certificate is perfectly safe, even if it is self-signed or details such as domain name are wrong.

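How the "might not be the site you are looking for" warning falls out of the name check, as an added example that is not code from the post or from any commenter: it implements the browser-side hostname comparison that the earlier comments (senate.gov's certificate being served for every third-level name, and a possible *.senate.gov wildcard) and the exchange just above about whether HTTPS authenticates anything are all describing. The certificate contents and hostnames are constructed; the actual senate.gov certificate was not examined, and the code does only the name check, not chain validation or expiry.

```python
# Added example, not code from the Techdirt post or any commenter: how a
# browser decides whether the certificate a server presents is *for* the
# hostname in the URL.  This is only the name check; a certificate whose
# name matches can still fail if its chain ends at an authority the browser
# doesn't trust or if it has expired.  All hostnames and certificate
# contents here are constructed; the real senate.gov certificate was not
# examined.

from dataclasses import dataclass, field


@dataclass
class Cert:
    """Only the naming parts of an X.509 certificate matter for this check."""
    subject_cn: str                                  # Common Name in the Subject
    san_dns: list = field(default_factory=list)      # subjectAltName dNSName entries


def name_matches(pattern: str, host: str) -> bool:
    """Browser-style wildcard matching (RFC 6125 section 6.4.3 as browsers
    apply it): '*' must be the whole left-most label and stands for exactly
    one label.  '*.senate.gov' matches 'schumer.senate.gov' but not
    'senate.gov', not 'www.schumer.senate.gov', and '*.gov' is refused."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:      # rejects 'sch*.x.y' and '*.gov'
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: Cert, host: str) -> bool:
    """Names come from subjectAltName; the CN is consulted only when the
    certificate carries no dNSName entries (Chrome has ignored the CN
    entirely since 2017, so a SAN-less certificate fails there regardless)."""
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(name_matches(n, host) for n in names)


def verdict(cert: Cert, host: str) -> str:
    """What the browser would conclude from the name check alone."""
    if cert_matches_host(cert, host):
        return f"{host}: name OK"
    return f"{host}: certificate is for {cert.san_dns or [cert.subject_cn]}, not this host"


# Constructed: a certificate issued to the main Senate site ...
SENATE_CERT = Cert("www.senate.gov", ["www.senate.gov", "senate.gov"])
# ... and the wildcard one the Senate *could* deploy for every senator's host.
WILDCARD_CERT = Cert("*.senate.gov", ["*.senate.gov"])

if __name__ == "__main__":
    for host in ("www.senate.gov", "schumer.senate.gov", "www.schumer.senate.gov", "senate.gov"):
        print("main-site cert ->", verdict(SENATE_CERT, host))
        print("wildcard cert  ->", verdict(WILDCARD_CERT, host))
```

Two practitioner points fall out of it. A wildcard covers exactly one label, so `*.senate.gov` would cover every senator's host but not `senate.gov` itself, which is why real wildcard certificates also list the apex name in the SAN. And every host behind a wildcard presents the same certificate and therefore shares one private key, so a compromise of any one of them lets an attacker impersonate all of them, the usual reason a wildcard is avoided when the hosts are run by different teams.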

  •
    Thomas (profile), 1 Mar 2011 @ 4:48pm

    I'm surprised..

    that a Senator would even know what "https" stands for, much less what it's used for or how it works.

  •
    Ray Trygstad (profile), 1 Mar 2011 @ 11:07pm

    Federal Certificate Authorities

    The federal government maintains an entire infrastructure of their own Certificate Authorities, none of which are recognized by the folks who make the browsers. As a retired Naval Officer, I access DOD sites all the time and find that my browser is constantly warning me about these sites. One time I attempted to download and install certificates for all of the DOD CAs but locating them all, downloading them and installing them took me about two hours and I swore I'd never do it again.

  •
    known coward, 2 Mar 2011 @ 12:47pm

    you all are way overthinking this one.

    Simple answer:

    Schumer is a grandstanding idiot.

  •
    Dean Landolt, 3 Mar 2011 @ 1:45pm

    Mike

    I'm glad to see you updated the article -- but the update is *still* inaccurate. I probably should have been more clear about this in my first comment -- the problem isn't whether sites use SSL during the login or payment phases (this has been considered a best practice for years now). You've got to use SSL for the lifetime of the session, at the _very_ least for users on unencrypted wifi where MITM attacks have been made so very easy by tools like Firesheep.

    Since there's no way to know which users are on coffee shop wifi it is now considered a best practice to push everyone to SSL. If you don't believe me, download Firesheep and see what you can get away with on another user's Amazon account. You may not be able to buy anything but you'll be able to do quite a bit of damage.

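What that Firesheep point looks like mechanically, as an added example that is not code from the post or from any commenter: a model of a browser's cookie-sending rules, run over a constructed browsing sequence in which only the login page is HTTPS. The site names, cookie values and URLs are made up; only the semantics of the Secure, HttpOnly and Path attributes are real.

```python
# Added example, not code from the post or its commenters: what a passive
# sniffer on open Wi-Fi picks up when a site encrypts only its login page.
# A browser attaches the session cookie to *every* request for the cookie's
# host, so one plain-HTTP page view or image fetch after an HTTPS login puts
# the cookie on the wire in the clear.  Host names, cookie values and the
# browsing sequence below are constructed for illustration.

from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Reduce one Set-Cookie header value to the fields that matter here."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return {
        "name": name,
        "value": morsel.value,
        "path": morsel["path"] or "/",
        "secure": bool(morsel["secure"]),       # only ever sent over HTTPS
        "httponly": bool(morsel["httponly"]),   # hidden from page scripts, NOT from the network
    }


def cookie_sent(cookie: dict, url: str, cookie_host: str) -> bool:
    """Would a browser attach this cookie to a request for url?  Host, path
    and Secure are modelled; expiry and SameSite are left out."""
    u = urlsplit(url)
    if u.hostname != cookie_host:
        return False
    if not (u.path or "/").startswith(cookie["path"]):
        return False
    if cookie["secure"] and u.scheme != "https":
        return False
    return True


def cleartext_leaks(set_cookie: str, cookie_host: str, requests: list) -> list:
    """URLs on which someone sniffing the same network sees the cookie."""
    cookie = parse_set_cookie(set_cookie)
    return [url for url in requests
            if urlsplit(url).scheme == "http" and cookie_sent(cookie, url, cookie_host)]


def hijack_header(set_cookie: str) -> str:
    """The Cookie header an attacker replays once the value is captured.
    This is the whole attack; HttpOnly does nothing to prevent it."""
    c = parse_set_cookie(set_cookie)
    return f"Cookie: {c['name']}={c['value']}"


HOST = "shop.example"   # constructed stand-in for a site that encrypts only its login
BROWSING = [
    "https://shop.example/login",           # the login itself is protected
    "http://shop.example/",                 # then the user lands on a plain-HTTP home page
    "http://shop.example/account/orders",   # order history, still plain HTTP
    "http://shop.example/static/logo.png",  # even an image fetch carries the cookie
    "http://cdn.example/js/app.js",         # different host: the cookie is never sent here
]
WEAK_COOKIE = "sid=c0ffee1234; Path=/; HttpOnly"            # what many sites set in 2011
FIXED_COOKIE = "sid=c0ffee1234; Path=/; Secure; HttpOnly"   # never leaves the browser over HTTP

if __name__ == "__main__":
    print("weak cookie leaked on:", cleartext_leaks(WEAK_COOKIE, HOST, BROWSING))
    print("fixed cookie leaked on:", cleartext_leaks(FIXED_COOKIE, HOST, BROWSING))
    print("attacker replays:", hijack_header(WEAK_COOKIE))
```

Marking the cookie Secure stops the leak, but on its own it also logs the user out of every plain-HTTP page, since the browser simply withholds the cookie there. That is why the fix is the whole site over HTTPS, with plain-HTTP requests redirected and a Strict-Transport-Security header so the browser never tries HTTP again. HttpOnly is beside the point for this attack: it hides the cookie from page scripts, not from someone reading the network.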

