Senator Schumer Fails To Properly Use HTTPS On His Own Site, After Pushing Other Sites To Use It [Updated]
from the ooooops dept
This is just lovely. We just wrote about how Senator Chuck Schumer was pressuring websites to use https instead of http, saying (not really accurately) that http has a "security flaw." However, gojomo pointed out in a comment on that post that Schumer's own page, when you hit it via https at https://schumer.senate.gov/ reports:Ooops. Both Firefox and Chrome warn you not to proceed, because the connection is "untrusted" or "might not be the site you are looking for." Obviously, this is probably just a small technical error by Schumer's tech staff, but it does look pretty bad when he's out there grandstanding on https. Of course, this isn't to diminish that https is a useful tool that many websites should use to protect users, but it's not clear that we want politicians telling websites what protocols to use (especially when they haven't quite figured them out themselves).
Update: Some great points in the comments highlighting that Schumer and his staff don't control the tech behind his Senate website, and any such cert would have to be controlled by the Senate IT folks. Also they pointed out that Schumer's Senate site does not appear to take user info/logins so HTTPS wouldn't much matter. However, his personal/campaign site does appear to take info and also does not use HTTPS.
Separately, others pointed out that one of the sites he called out -- Amazon -- does use HTTPS when you login and/or order, and his calling them out suggests they're unsafe when it appears they are safe.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: chuck schumer, https
Reader Comments
Subscribe: RSS
View by: Time | Thread
On the other hand
[ link to this | view in thread ]
There isn't anything on the secure server. It's a dead address. His site isn't "secure" in that manner, so it isn't surprising it doesn't work.
That and the fact that the certificate would be controlled by senate.gov, and not the senator or his staff.
[ link to this | view in thread ]
I'm not a fan of the guy but I don't know why we're giving him grief over something he can't control. It's apparently based on him 'recommending' something and therefore might speculatively push for legislation in some regard. I dunno. Maybe I missed something.
[ link to this | view in thread ]
[ link to this | view in thread ]
So what?
I mean, he's right. Stop trying to gin up controversy.
[ link to this | view in thread ]
Re: Maybe I missed something
That's the problem, so many politicians recommend stuff without actually understanding how it works.
[ link to this | view in thread ]
https is broken
https and SSL are a great way for a small number of Certificate Authority companies to make a boatload of cash for doing very little. I wouldn't be surprised if Verisign approached this guy and lobbied for this.
[ link to this | view in thread ]
CDNetworks provides last mile HTTPS feature
[ link to this | view in thread ]
But more importantly: if you understood the attack vector in question you'd understand that it is only really relevant for hijacking user sessions in progress. If you'd looked at the port 80 version of the site you may notice the lack of a login feature anywhere, thus your complaint is completely baseless. In this case you're the one doing the grandstanding.
[ link to this | view in thread ]
Re: On the other hand
Er, you're joking? Either get a signed cert from a CA or create your own - either way, certs aren't too difficult to maintain/implement.
[ link to this | view in thread ]
Re:
That's a good point -- though, again seems to highlight the problem of him telling private companies that they have to do this, right?
[ link to this | view in thread ]
$ host schumer.senate.gov
;; connection timed out; no servers could be reached
Fail.
[ link to this | view in thread ]
Re:
dig: couldn't get address for 'sen-dmzp.senate.gov': not found
Fail...er.
[ link to this | view in thread ]
is a fitting way to end a post that is also not to keen on the way the internet works. But its just small technical errors on your staffs part, but it does look pretty bad when you are out there grandstanding about grandstanding.
[ link to this | view in thread ]
This is why I love Techdirt
While I don't think this is really a story I do think this is an anecdotal situation of a much larger problem. Politicians just deciding to get involved in situations the government has no reason to be in.
[ link to this | view in thread ]
Re: Re:
It's like putting an electronic lock on your car.. it might help if you lose the key, but down the line, someone can still steal your car with fairly low-tech tools.
[ link to this | view in thread ]
What does bother me about this is it seems like defamation for Schumer to call out Amazon specifically when Amazon already uses HTTPS for sign-in and checkout. People who don't know the details of SSL are going to hear this and think they aren't safe shopping on/signing into Amazon at all. This could boil down to a loss of business for Amazon if people take this as "Amazon is insecure". I'm not sure what else Schumer wants from Amazon. Does he want browsing of the site to be done through HTTPS as well? If so then Mike is correct, Schumer's site should be protected by HTTPS too. If he's really concerned about HTTPS he could redirect http://schumer.senate.gov (which others have pointed out he most likely has no control over) to https://chuckschumer.com/ (which I'm sure he has control over)
Actually...looking at chuckschumer.com there is a place to submit your email address and zip code, and there is no secure option...
[ link to this | view in thread ]
Re: So what?
[ link to this | view in thread ]
Re: Re: So what?
[ link to this | view in thread ]
Re:
Good point.
Schumer's site should be protected by HTTPS too. If he's really concerned about HTTPS he could redirect http://schumer.senate.gov (which others have pointed out he most likely has no control over) to https://chuckschumer.com/ (which I'm sure he has control over)
Also a good point.
[ link to this | view in thread ]
https is misunderstood
[ link to this | view in thread ]
I'm surprised..
[ link to this | view in thread ]
Re: Re: On the other hand
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: https is misunderstood
This is a very important step in preventing a man in the middle attacks. After all, if you have been talking to the wrong party to begin with, no amount of encryption will help you.
This authentication is supposed to be provided by the certificate authorities which signs the individual server certificates to create a "web of trust". Of course, there are other ways to determine that certificates (like self signed ones) are valid (like issuing your own certificate authority cert, compare fingerprints etc.). If such arrangements for verifying the certificate are in place, using the certificate is perfectly safe, even if it is self-signed or details such as domain name are wrong.
[ link to this | view in thread ]
Federal Certificate Authorities
[ link to this | view in thread ]
Re:
http://schumer.senate.gov/new_website/contactchuck.cfm
[ link to this | view in thread ]
you all are way overthinking this one.
Schumer is a grandstanding idiot.
[ link to this | view in thread ]
I'm glad to see you updated the article -- but the update is *still* inaccurate. I probably should have been more clear about this in my first comment -- the problem isn't whether sites use SSL during the login or payment phases (this is been considered a best practice for years now). You've got to use SSL for the lifetime of the session, at the _very_ least for users on unencrypted wifi where MITM attacks have been made so very easy by tools like firesheep.
Since there's no way to know which users are on coffee shop wifi it is now considered a best practice to push everyone to SSL. If you don't believe me download firesheep and see what you can get away with on another user's amazon account. You may not be able to buy anything but you'll be able to do quite a bit of damage.
[ link to this | view in thread ]