FBI, While Hating On Encryption, Starts Encrypting All Visits To Its Website
from the funny-how-that-works dept
Last week, the Wikimedia Foundation announced that it was moving to encrypting access to all Wikipedia sites via HTTPS. This was really big news, and a long time coming. Wikipedia had been trying to move in this direction for years with fairly slow progress -- in part because some in the Wikimedia community had an irrational dislike of HTTPS. Thankfully, the Wikimedia Foundation pushed forward anyway, recognizing that the privacy of what you're browsing can be quite important. And yet, I don't think that was the most significant website shift to HTTPS-by-default in the last week. Instead, that honor has to go to... [drumroll please]... FBI.gov. No, seriously. This may surprise you. After all, this is the very same FBI that just a couple of weeks ago had its assistant director Michael Steinbach tell Congress that companies needed to "prevent encryption above all else." Really. And it's the same FBI whose director has been deliberately scaremongering about the evils of encryption. The same director who insisted the world's foremost cybersecurity experts didn't understand when they told him that his plan to backdoor encryption was bonkers. The very same FBI that used to recommend mobile encryption to keep your data safe, but quietly deleted that page (the FBI claims it was moved to another site, but...).
But that very same FBI that has spent the past few months disparaging encryption at every opportunity apparently went over to Cloudflare and had the company help it get HTTPS set up. No joke.
Remember how, just last week, the US CIO announced that all federal websites would be moving to HTTPS? Well, thankfully, the CIO's office is also tracking how well it's doing. Just yesterday, here's what it said about FBI.gov:
Either way, kudos to the FBI for letting us encrypt our connections. Now, please don't get in the way of us encrypting our data as well.
Filed Under: encryption, fbi, fbi.gov, https
Reader Comments
Re: I'm still on the fence about underwear
FBI isn't against encryption
Re: FBI isn't against encryption
Re: Re: FBI isn't against encryption
Re: Re: FBI isn't against encryption
The FBI website now uses encryption.
Therefore, the FBI did not approve the modifications to its website.
Conclusion? The FBI website has been hacked. Proceed with caution.
Re: FBI isn't against encryption
Re: Re: FBI isn't against encryption
Re: FBI isn't against encryption
What part of "So that’s the challenge: working with those companies to build technological solutions to prevent encryption above all else" don't you understand?
Before possibly going on one road trip next week, I have been configuring an OpenVPN server on the machine that runs my online radio station, so I can get past Metro/TMobile's blocking of L2TP and PPTP VPNs.
I was testing this in Taco Bell, which has some of the tightest filtering around. I found I could connect to my server, but if I tried to access a site they were filtering, it would still be blocked. Somehow, Taco Bell has found a way to crack SSL.
If Taco Bell can crack SSL, anybody can. So even SSL/HTTPS visits to the FBI website, or any other website, can be cracked and sniffed.
Re: Taco Layer Security (TLS)
Cracking SSL/TLS is more trouble than interfering with a plaintext HTTP connection. Using HTTPS can stop some classes of attacks, and makes others more trouble to implement. It is not a perfect solution, but it is better than doing nothing, and it is relatively easy to implement.
Re: Re: Taco Layer Security (TLS)
Re:
Is there some crowdsourced place to find out information about public wi-fi? That would be interesting.
Re:
Or, more simply, your DNS requests went over the local link instead of over the VPN (or they went over both but the local link answered first), and they are doing a DNS-based block. When you see hoofprints, think horses, not zebras.
Re: Re:
I noticed the other day that a mis-typed domain name popped up my ISP's obnoxious "Couldn't find that site, so here are some ads instead" page whereas my traffic should have been flowing entirely through my VPN. A quick trip to my VPN software settings fixed the issue.
Re: Re: Re: Countering (some) consequences of ISP DNS hijacking
Re:
The other thing that could be happening here is you could still be using Taco Bell's DNS resolver. If you just set all your devices to use 8.8.8.8 for DNS, Google will be able to track you, but most domain blocking will vanish -- especially over TLS.
So make sure your OpenVPN configuration is set up to NOT fall back to SSL, and is set up to use a trusted DNS (or 8.8.8.8) and not the DNS provided via DHCP by an ISP.
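The two comments above describe the same failure mode from different angles: the VPN tunnel is up, but name resolution still goes to the resolver the hotspot handed out over DHCP, so a DNS-based block works regardless of the tunnel. The check below is an added example (not code from the Techdirt post or any commenter) that compares the resolvers a host is actually configured with against the ones the VPN server pushed. It assumes a Linux-style resolv.conf and OpenVPN's `dhcp-option DNS <ip>` push lines; the resolv.conf contents, the pushed options and the 10.8.0.0/24 tunnel range are all constructed sample values.

```python
"""Detect DNS resolvers that would bypass the VPN tunnel.

Added example; assumes a Linux-style resolv.conf and OpenVPN
'dhcp-option DNS <ip>' push lines. All inputs below are constructed.
"""
import ipaddress
import re

# Constructed: options the VPN server pushed, as they appear in an OpenVPN
# client config or in the client's PUSH_REPLY log line.
PUSHED_OPTIONS = """
dhcp-option DNS 10.8.0.1
dhcp-option DNS 8.8.8.8
redirect-gateway def1
"""

# Constructed: the hotspot's DHCP resolver is still listed first, so the
# stub resolver will query it over the local link before the VPN resolver.
LEAKY_RESOLV_CONF = """
# Generated by NetworkManager
search lan
nameserver 192.168.1.1
nameserver 10.8.0.1
options timeout:2
"""

# Constructed: only VPN-pushed resolvers remain.
CLEAN_RESOLV_CONF = """
nameserver 10.8.0.1
nameserver 8.8.8.8
"""

# Assumed tunnel address range; anything inside it is reachable only via the VPN.
TUNNEL_SUBNET = ipaddress.ip_network("10.8.0.0/24")


def parse_nameservers(resolv_conf):
    """Return the 'nameserver' addresses in resolv.conf order (order matters:
    the stub resolver tries them in sequence, so the first one wins)."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def pushed_dns(options):
    """Extract the resolver addresses from OpenVPN 'dhcp-option DNS' lines."""
    return set(re.findall(r"^\s*dhcp-option\s+DNS\s+(\S+)", options, re.MULTILINE))


def leaked_resolvers(resolv_conf, options, tunnel_subnet=TUNNEL_SUBNET):
    """Return resolvers that were neither pushed by the VPN nor live inside
    the tunnel subnet; queries to these travel over the local link."""
    allowed = pushed_dns(options)
    leaks = []
    for ns in parse_nameservers(resolv_conf):
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            leaks.append(ns)  # unparsable entry: treat as untrusted
            continue
        if ns in allowed or addr in tunnel_subnet:
            continue
        leaks.append(ns)
    return leaks


if __name__ == "__main__":
    for label, conf in (("leaky", LEAKY_RESOLV_CONF), ("clean", CLEAN_RESOLV_CONF)):
        print(label, "->", leaked_resolvers(conf, PUSHED_OPTIONS) or "no leak")
```

On a real host you would read `/etc/resolv.conf` (or the output of `resolvectl status` on systemd-resolved systems) and the client's log instead of the constructed strings; a non-empty result means the resolver the hotspot's DHCP assigned is still in play, which is exactly the situation in which "the local link answered first".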
Re: SSL ... can be cracked
Re: Taco Bell
Or did you just get a browser error?
Either way, did your browser warn you of a certificate failure?
Re:
There is no hypocrisy there. Their position remains consistent.
CloudFlare is a CDN
That doesn't mean necessarily that the connection between CloudFlare and the origin is encrypted or not. And it also opens up a whole can of worms of potential pitfalls with caching HTTP headers - potentially leaking not-public information to storage in a public cache.
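The caching pitfall in the comment above is concrete: a shared cache (a CDN edge sitting in front of the origin) is allowed by RFC 7234 to store a response unless the origin says otherwise, and a stored response that was generated for one logged-in user can be served to the next visitor. The classifier below is an added example, not code from the post or from Cloudflare; it applies the RFC 7234 section 3 storability rules to a request/response header pair and reports why a shared cache might store a response that carries per-user data. The header sets are constructed samples, and the check is deliberately conservative (it follows what the RFC permits, not what any particular CDN does by default).

```python
"""Flag responses a shared cache may store even though they carry non-public data.

Added example, based on the shared-cache rules of RFC 7234 section 3.
Sample requests and responses are constructed.
"""

# Status codes a cache may store heuristically when no explicit freshness
# information is present (RFC 7234 section 4.2.2, RFC 7231 section 6.1).
HEURISTIC_STATUSES = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """Parse a Cache-Control field into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_store(status, req, resp, cc):
    """RFC 7234 section 3 storability test, from a shared cache's point of view.
    req/resp are lower-cased header dicts, cc the parsed Cache-Control."""
    if "no-store" in cc or "private" in cc:
        return False
    if "no-cache" in cc:
        return False  # storable, but must be revalidated before reuse: no leak
    # Section 3.2: a response to an Authorization-bearing request is storable
    # by a shared cache only with public, s-maxage or must-revalidate.
    if "authorization" in req and not ({"public", "s-maxage", "must-revalidate"} & set(cc)):
        return False
    explicit = "expires" in resp or bool({"max-age", "s-maxage", "public"} & set(cc))
    return explicit or status in HEURISTIC_STATUSES


def shared_cache_risk(status, request_headers, response_headers):
    """Return the reasons this response could leak per-user data through a
    shared cache; an empty list means nothing was found."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    if not shared_cache_may_store(status, req, resp, cc):
        return []
    reasons = []
    if "set-cookie" in resp:
        reasons.append("Set-Cookie present on a response a shared cache may store")
    vary = {v.strip().lower() for v in resp.get("vary", "").split(",") if v.strip()}
    if "cookie" in req and "cookie" not in vary and "*" not in vary:
        reasons.append("response to a Cookie-bearing request is storable without 'Vary: Cookie'")
    if "authorization" in req:
        reasons.append("response to an Authorization-bearing request is explicitly shared-cacheable")
    return reasons


if __name__ == "__main__":
    # Constructed samples: an account page served with max-age and no
    # 'private', then the same page with the usual fix applied.
    weak = shared_cache_risk(200, {"Cookie": "session=abc"},
                             {"Content-Type": "text/html", "Cache-Control": "max-age=3600"})
    fixed = shared_cache_risk(200, {"Cookie": "session=abc"},
                              {"Content-Type": "text/html", "Cache-Control": "private, no-store"})
    print("weak :", weak or "ok")
    print("fixed:", fixed or "ok")
```

Two of the constructed cases are the ones that bite in practice: a per-user page with `Cache-Control: max-age=...` but no `private`, and a page with no Cache-Control at all, which a shared cache may still store heuristically because 200 is a heuristically cacheable status. `Cache-Control: private, no-store` (or at least `private`) on anything generated for a logged-in user is what keeps it out of the edge.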
FBI's site uses FBI compliant encryption
Don't try to report any crimes committed by CloudFlare on tips dot fbi dot gov since it is also infected with CF.