How Serious Is James Clapper About Cybersecurity When His Office Can't Even Get Its SSL Certificate Right?

from the just-asking dept

Thu, Jul 24th 2014 7:43am — Mike Masnick

James Clapper and the Office of the Director of National Intelligence (ODNI) have been among the loudest FUD-spewers concerning the "threats" to cybersecurity out there, and the need for massively dangerous "cybersecurity" legislation that would really just open up the ability for the Intelligence Community to get more access to private data. However, security researcher and ACLU guy Chris Soghoian noticed yesterday that the SSL security certificate on the ODNI website isn't even valid:

The Director of National Intelligence (@ODNIgov) can't be bothered install a valid HTTPS cert on their website #cyber pic.twitter.com/iiPIkFEfhD
— Christopher Soghoian (@csoghoian) July 23, 2014

In response, Soghoian joked: "[ODNI], I'll make you a deal: You fix your website's broken encryption cert, and I'll start to take your cyber fearmongering seriously."

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, fud, james clapper, odni, ssl

52 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Ninja (profile), 24 Jul 2014 @ 6:42am

He doesn't care about cybersecurity. That's not their real agenda.
[ link to this | view in thread ]
Rabbit80 (profile), 24 Jul 2014 @ 6:55am

Erm..
You realise there is still a problem with the SSL here on Techdirt right?? According to Chrome there are still elements that are not secure! Opera throws an error about akamai technologies when I try to visit TD.
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 7:56am

Re: Erm..
Techdirt isn't a "cybersecurity" website. And its SSL certificate is valid.
[ link to this | view in thread ]
Chronno S. Trigger (profile), 24 Jul 2014 @ 8:00am

Re: Erm..
Where do you see that? My Chrome doesn't say anything about elements being insecure. This is a legitimate question not sarcasm. I want to know where my local security might be lacking.
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 8:02am

Just use addons everyone should be using and you'll be fine.
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 8:05am

I get a certificate popup every time I visit TechDirt on my Android phone.
[ link to this | view in thread ]
beech, 24 Jul 2014 @ 8:15am

Response to: Anonymous Coward on Jul 24th, 2014 @ 8:05am
I get a security warning occasionally on my android...I think it happens when there's a .pdf on a page
[ link to this | view in thread ]
BigKeithO, 24 Jul 2014 @ 8:16am

Re: Re: Erm..
"Your connection to www.techdirt.com is secured with 128-bit encryption. However, this page includes other resources that are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page."

and

"This page includes a script from unauthenticated sources."

I'd post a pic but I don't think that is possible on Techdirt. This warning has been on the site since it went SSL.
[ link to this | view in thread ]
beech, 24 Jul 2014 @ 8:17am

Buy guys, if he properly encrypted his site it would make it harder for the nsa to protect him from terrorists!
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 8:19am

ODNI is what you would refer to as an 'anti role model'
Do the opposite of what it recommends
[ link to this | view in thread ]
Chronno S. Trigger (profile), 24 Jul 2014 @ 8:24am

Re: Re: Re: Erm..
I didn't ask what warning, I asked where. I'm not seeing this anywhere in Chrome or Firefox. Where do I see this message?

And keep in mind that if you use a proxy, it can screw with SSL connections.
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 8:28am

Re: Re: Re: Erm..
That warning means the ads and/or other third party resources are not being loaded with SSL. If the ad sources have an SSL, then Techdirt can and should connect to them with https. If such connections are not available, though, I don't think there's anything Techdirt can do.
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 8:29am

Worse when i go look
Well, when I go look at the base URL I get something worse - lol:

http://tinypic.com/r/15ft9qx/8

Which says they (may be) trying to steal my information
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 8:40am

To be fair, TD did have a "not all content is secured" for a while.....
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 8:43am

Re:
It still does.
https://www.techdirt.com/articles/20140717/03325427904/top-eu-politicians-call-taftattips-corpo rate-sovereignty-provisions-to-be-removed.shtml
[ link to this | view in thread ]
Rabbit80 (profile), 24 Jul 2014 @ 8:56am

Re: Re: Re: Re: Erm..
On mine, the padlock symbol on the address bar has a warning symbol. Opera plain refuses to open the page unless I OK the warning.
[ link to this | view in thread ]
Rabbit80 (profile), 24 Jul 2014 @ 8:57am

Re: Re: Erm..
I never said the cert was invalid. I said "there is still a problem with SSL here on Techdirt"
[ link to this | view in thread ]
hij (profile), 24 Jul 2014 @ 9:02am

This just proves he is right
Do you people not see the real problem? The real problem is that they have to go to all that trouble to secure their own site which only proves that the world is too dangerous, and we need some serious mollycoddlying so that they can keep us safe. That is assuming that they can be bothered to go to that much trouble to do their job. Which, they apparently cannot do. Then again, maybe they use this to find the bad guys: http://www.cyclismo.org/cgi-bin/spirit.cgi
[ link to this | view in thread ]
Rocco Maglio (profile), 24 Jul 2014 @ 10:09am

It is not configured for https
When I go to https://www.dni.gov/ and I accept the bad cert it does not take me to the site. It takes you to a page that says the site is down. They are using akamai as a CDN and have not configured it for https access.
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 10:14am

Is this the guy that charges $1 million for his "cybersecurity expertise"?
[ link to this | view in thread ]
allengarvin (profile), 24 Jul 2014 @ 10:27am

Eh, I've set up a lot of Akamaized sites in the past 15 years. That's not a real problem: it's someone who went to an akamaized http site through https. You have to pay extra money to get their SSL versions, and then you have to CNAME your domain to another set of servers, their special SSL servers.

If you put https in front of any site CNAME'd to Akamai that isn't paying for the extra SSL, you'll get basically the same error, because it sends you through their old edge network--it supports SSL, but it's for serving individual assets like images or swfs.

It's probably historically related to the way they rolled out different offerings. Basically, for this site, they didn't want to spend a few thousand extra a month for SSL offerings.
[ link to this | view in thread ]
jackn, 24 Jul 2014 @ 10:32am

Re: Re: Re: Re: Erm..
They could not place ssl with non-ssl. thats basic stuff.
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 10:33am

Re: Re: Re: Re: Erm..
oh, i am sure he sorry. The message appears on the screen, have you checked your screen?
[ link to this | view in thread ]
jackn, 24 Jul 2014 @ 10:34am

Re:
thanks for the security pro-tip!
[ link to this | view in thread ]
Cpt Feathersword, 24 Jul 2014 @ 10:36am

A man-in-the-middle attack? Against ODNI? By NSA?
One of NSA's clever tricks is to redirect traffic to go through a snoop node before it gets to the server. The snoop node pretends to be the real server and presents a forged SSL certificate so that it can decrypt both sides of the conversation. Browsers may detect the fake certificate and give a warning, but most users pay no attention and just click on through.
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 10:53am

Re: Re: Re: Re: Erm..
I'm seeing it as a yellow, traffic-sign-esque triangle in Chrome on the padlock next to the 'https://etc.' The main elements of TD are (I hope) still secure, but the ads and/or 3rd-party elements are unprotected, hence the yellow rather than the more in-your-face red.
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 10:53am

he's not really into cybersecurity this is about collection , threat management /assessment, and good ole blackmail.
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 10:57am

Re: Re: Re: Re: Re: Erm..
also no proxy, just HTTPS Everywhere and blocking 3rd-party cookies, but it remains present when I disable those.
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 11:22am

Re: Re: Re: Re: Re: Erm..
Assuming that the content you need is available with an SSL connection, sure. But when your site makes third-party requests, you cannot guarantee all your content is available with SSL. That's up to the third party.
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 11:29am

Re: Re: Re: Re: Erm..
The message doesn't actually display in Chrome or Firefox unless you click the secure connection icon. In Chrome, it should have a yellow triangle to indicate only partial security. And in Firefox, instead of a padlock, it will be a gray triangle-with-an-exclamation point.

It is the ads that are on plain http connections and causing this issue, though. So if you are viewing the site with an ad-blocker, it should actually come up totally secure.
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 11:31am

Re: Re: Re: Re: Re: Erm..
Funny, Opera for me just plain shows it as an "insecure" site as if it didn't use SSL at all.
[ link to this | view in thread ]
jackn, 24 Jul 2014 @ 12:49pm

Re: Re: Re: Re: Re: Re: Erm..
its up to the site owner to ensure their site is operating up to the satisfaction of its users.

If you cannot guarentee all the content on the page (however delivered) isn't going to be secure, you can remove the third party content or accept that you users are going to get warnings and either avoid your site, complain, or not care.

Imagine you are at amazon trying to check out with a credit card and you got this warning. How would you feel if amazon said, that is the responsiblity of the third parties?
[ link to this | view in thread ]
Anonymous Coward, 24 Jul 2014 @ 2:05pm

Re: Re: Re: Re: Re: Re: Re: Erm..
Well, I'm not entering any sensitive info here. Just entering a comment that will be public anyway. Only thing sensitive here is the login info for folks with registered accounts.

And I can check where the form is submitting my data and make sure that that is secure at least.

But I think a more likely point is also a site with a forum with user generated content. Especially one allowing inline images. The forum should use SSL to protect user authentication information. But the users certainly aren't going to be only using https links in their image tags. So such a forum is guaranteed mixed-content warnings.

Of course that doesn't apply to Techdirt. No inline images here. The only problem is the advertisers. In this case, the advertisements are part of the Techdirt business model. They cannot be removed without also eliminating what I have been led to believe is an important revenue stream. So the ads have to stay.

Now, there are far more factors than just SSL in choosing who one uses as an advertiser. If the advertiser with the otherwise best deal doesn't offer SSL, then that puts you in a tight spot, doesn't it?

In any case, the info actually going to Techdirt still remains secure. So there are only two impacts here:

1. Someone with access to your line can see which advertisements you get. And that's gonna happen any time you visit a page using the same advertisement system. So nothing to really worry about, unless the advertiser is storing sensitive information in its tracking cookies.

2. Users who don't know what mixed content warnings indicate might get spooked by the "Caution" indicator in their browser.

Quite frankly, I find the second issue to be of greatest concern, and only for the folks running this site.
[ link to this | view in thread ]
Rabbit80 (profile), 24 Jul 2014 @ 3:38pm

Re: Re: Re: Re: Re: Re: Re: Re: Erm..
The problem as I see it with mixed content warnings is that as the average user can not tell which parts are secure and which are not, if they start seeing this warning on trusted sites they will learn to ignore the warning on any site. This ultimately leads to a less secure internet.
[ link to this | view in thread ]
Whatever (profile), 24 Jul 2014 @ 7:30pm

Re:
Don't confuse the discussion with things like facts and reality. People are just looking for the fast slam, the caught you moment more than anything real.

It may be that they are in the middle of a transition from direct hosting to using edge providers to give better service and to mitigate attacks on their servers. It's pretty normal. The SSL certificates will be all screwed up for a while, it's not a simple job to do when you are handling a network with so many possible exit URLs.

But hey, it's fun to slam them for trying to make things better, right?
[ link to this | view in thread ]
allengarvin (profile), 24 Jul 2014 @ 8:12pm

Re: Re:
Akamai is a good way to mitigate attacks, but it's an expensive one. I've just seen this particular error before, because my last company had a pretty deal with Akamai--we got around 7 cents a gig transferred. Not necessarily good compared to other CDNs but pretty good for Akamai. We would see this error because we'd get customers on Akamai, and then they'd do a security scan, it would come back highlighting that the SSL cert didn't match, and asked to fix it. Then, we'd say, ok, just pay for an Akamaized SSL site, which will cost you 5 times as much, plus you have to use Akamai as your SSL vendor, which makes netsol look cheap, and then they'd come back and say "no thanks".

I found some other sites that will give you the same error:
https://www.pepsi.com
https://www.mountaindew.com

You can tell which sites are on the Akamai SSL network by seeing what they're CNAME'd to. If it's edgesuite.net, it'll give a cert error. If it's edgekey.net, it's good:

[agarvin@atg-home logs]$ dig +short www.pepsi.com
www.pepsi.com.edgesuite.net.
[agarvin@atg-home logs]$ dig +short www.aa.com
aa.com.edgekey.net.
Note this domain:
[agarvin@atg-home logs]$ dig +short www.dni.gov
www.dni.gov.edgesuite.net.

Look at the cert with openssl s_client and you'll see the CN is for a248.e.akamai.net.
[ link to this | view in thread ]
Androgynous Cowherd, 24 Jul 2014 @ 10:33pm

Java is affected too
download.oracle.com gives the same security error. And it names the exact same domain as the one masquerading as download.oracle.com as apparently is masquerading as www.dni.gov: a248.e.akamai.net.

Widespread MITM attack on security-sensitive sites? DNI, downloads for the (often buggy) Java plugin ...
[ link to this | view in thread ]
PaulT (profile), 25 Jul 2014 @ 12:54am

Re: Re: Re: Re: Erm..
The warning varies. As I understand it, some of the content brought in from external sources (e.g. ads) don't always comply with the SSL so you might see the Chrome padlock change occasionally from green to yellow. Other browsers will deal with this in different ways, but it will be intermittent depending on what content is served to you, whether you have ad blockers, etc.
[ link to this | view in thread ]
PaulT (profile), 25 Jul 2014 @ 12:55am

Re: Re: Re: Re: Re: Re: Re: Erm..
"Imagine you are at amazon trying to check out with a credit card and you got this warning."

You surely understand the massive grand canyon-sized difference between that example and people viewing an opinion blog, right?
[ link to this | view in thread ]
PaulT (profile), 25 Jul 2014 @ 12:59am

Re: Re:
"Don't confuse the discussion with things like facts and reality."

We don't mind that, what are the facts?

"It may be..."

Oh, you have none, you just wanted to inject a random theory that might allow you to white knight someone criticised in the article? Never mind.
[ link to this | view in thread ]
PaulT (profile), 25 Jul 2014 @ 1:01am

Re:
That's a fair comment, but it's still a poor showing for the official site for a national security agency to be showing as potentially insecure, whatever the reason.
[ link to this | view in thread ]
Anonymous Coward, 25 Jul 2014 @ 5:36am

SOP for the GOV
A LOT of GOVernment sites have invalid certs. This seems to be SOP.
[ link to this | view in thread ]
Anonymous Coward, 25 Jul 2014 @ 5:42am

Re: Re: Re: Re: Re: Re: Re: Re: Re: Erm..
Indeed. With that in mind, the Opera approach may be best. Just display it as if there was no SSL at all. It wouldn't look any different from the majority of unsecured sites out there. And sites that absolutely require the security will continue to avoid mixed content to make sure the padlock does show up.
[ link to this | view in thread ]
Anonymous Coward, 25 Jul 2014 @ 6:16am

Im sorry the whole thing here is based around trusting the CERT authorities , maybe the Government does trust them. Moxie says they cant be trusted, certs are copied and passed around if that is the case then a self signed cert like this is more secure
[ link to this | view in thread ]
Anonymous Coward, 25 Jul 2014 @ 6:36am

Moxie Marlinspike google read and watch video's and in a few minutes you we see SSL is broken and useless

https://www.youtube.com/watch?v=pDmj_xe7EIQ
[ link to this | view in thread ]
Whatever (profile), 25 Jul 2014 @ 7:54am

Re: Re: Re:
Oh, you have none

Trying to pick a fight? You lose every time.

Fact: They are using akamai.
Fact: In a transition time, their existing certificate would not be accurate.
Fact: Their site is still secure, and in fact is likely more secure as a result of a move to use Akamai.

Your facts? name calling. Yup, you lost again.
[ link to this | view in thread ]
John Fenderson (profile), 25 Jul 2014 @ 8:17am

Re: Re: Re: Re:
"is likely more secure as a result of a move to use Akamai."

How so?
[ link to this | view in thread ]
Whatever (profile), 25 Jul 2014 @ 8:22pm

Re: Re: Re: Re: Re:
There is a lot of potential reasons why caching / edge services tend to help security. The biggest in general is that it's much harder for people to DDoS the site, unless they know it's original IP and attack it directly that way. Otherwise, their web traffic is generally sent to the cache, which acts as a sink (a really big one).

Not sure about Akamai itself, but similar services will also sink or stop attempts to connect ssh, ftp, mail, and the like, removing the burden entirely from your servers - at least for people who try to connect by name rather than IP.

http://www.akamai.com/html/solutions/security-services.html

Basically, the fewer people who interact directly with your server, the less chance of problems.
[ link to this | view in thread ]
John Fenderson (profile), 26 Jul 2014 @ 4:49pm

Re: Re: Re: Re: Re: Re:
DDOS doesn't count as a security problem in the sense being discussed here. Such attacks don't result in a security breach or the exposure of secure data.

As to stopping connections to ssh, etc., that's beyond trivial to do in the first place by just not running those servers. It takes more technical expertise to set up the servers than to not set them up, so the technically clueless are already safe on those fronts by default.

On your last point, that's true but the increased security you get that way is pretty minimal.

On the flip side, if you're relying on an edge provider to enhance your security, you're making a security trade-off. Those providers are well known, desirable attack vectors and draw the attention of far more, and far more skilled, crackers than your servers are likely to draw. And once they're hacked, all servers using them become vulnerable.

Edge providers are very useful for traffic management, but thinking that using them gives a security benefit beyond what you can easily do for yourself is dubious at best.
[ link to this | view in thread ]
Anonymous Coward, 27 Jul 2014 @ 10:51pm

Read
My Chrome doesn't say anything about elements being insecure. [...] I want to know where my local security might be lacking.

Hm, let's see... You're using a web browser developed by a for-profit, US-based multinational advertising/surveillance conglomerate/NSA "corporate partner" (i.e., collaborator) and PRISM-participant; your "local security" is mainly lacking in the existence area.

Read about NSA whistle-blower Ed Snowden's leaks, and read Bruce Schneier's blog if you're fool enough to trust Go-Ogle (or any other major US-based tech firms).
[ link to this | view in thread ]
John Fenderson (profile), 28 Jul 2014 @ 8:32am

Re: Re: Erm..
It's the Akamai certificate that doesn't pass scrutiny. The error is that the name of the techdirt site on the cert does not match the name of the name of the techdirt site itself. I'm guessing this is related to the switch to https, but I haven't investigated enough to know for certain.

Chrome's cert checking has a number of holes. Just because it doesn't flag a cert doesn't automatically mean the cert is OK.
[ link to this | view in thread ]
allengarvin (profile), 28 Jul 2014 @ 9:09am

Re: Re: Re: Erm..
Yes, it's the switch to https. If you click past the 'don't go here' you won't even get the site. I explained elsewhere that akamai's "edgesuite" network which serves 80 is a completely different set of servers than those that serve 443 (which they used to call "edgekey" but now are branded something silly). When you go to https on edgesuite, you're connecting to their netstorage service. You get this with *every* akamai customer that's on their edgesuite network.
[ link to this | view in thread ]