Automatic HTTPS Enforcement for New Executive Branch .gov Domains (opens in new tab)

(cio.gov)

88 pointskonklone9y ago78 comments

78 comments

45 comments · 10 top-level

konkloneOP9y ago· 9 in thread

Co-author of the post here, happy to answer questions. =)

This is a GSA initiative, not an 18F initiative. But 18F has a recent post detailing executive branch progress on HTTPS that may also be relevant:

https://18f.gsa.gov/2017/01/04/tracking-the-us-governments-p...

scrollaway9y ago

The blog post is unclear. On a technical level (on the preload list), is the enforcement at the TLD level or is it just a legal requirement to submit all .gov domain names to the preload list? If the latter, any plan to move to the former?

konkloneOP9y ago

Not quite either one -- it's technical enforcement by the TLD, but still done on a per-domain basis (this doesn't affect state/local .gov domains, or legislative/judicial .gov domains). The dotgov.gov program will forcibly preload new domains, but it's not feasible to just submit ".gov" to the preload list right now.

tomschlick9y ago

Any plans to force IPv6 adoption in the same manner?

konkloneOP9y ago

IPv6 is a federal mandate for agencies: https://www.whitehouse.gov/sites/default/files/omb/assets/eg...

And NIST has a dashboard of adoption: https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov

1 more reply

toomuchtodo9y ago

IPv6 is pretty low priority compared to comprehensive HTTPS support.

Disclaimer: Not USDS/18F, just tech professional.

2 more replies

austincheney9y ago

Does this include DOD? I suspect DOD is probably already doing this, but just wonder if they fall under the umbrella.

konkloneOP9y ago

DoD does have some .gov domains, so it would affect them in that way. But .mil is not affected.

stqism9y ago

The DoD has a massive PKI system already and makes the assumption users of its sites have the appropriate CAs installed. (Home access typically requires installing a set of them, typically bundled separately or in an installer)

walrus019y ago

DoD uses https and crypto at the transport layer in SIPR. Lots of "type 1" crypto as well, which is its own special thing with NSA issued hardware crypto keys.

t0mas889y ago· 7 in thread

As a practical question: what is the expected capacity of the preload stores of browsers? Hundreds of thousands, millions or much more domains? Because at some point it seems like everyone with moderately high security requirements may want to have their certificates pinned / preloaded.

konkloneOP9y ago

I think that's an open question. Right now, it's not the millions, that'd be too much to bundle with browsers. But browsers may well change their delivery mechanism for preload information to allow this to scale higher.

In any case, .gov won't add much to the load -- right now there are all of 5,500 .gov domains, and the rate of adding/removal is on the order of dozens every month at most.

dragonwriter9y ago

> right now there are all of 5,500 .gov domains

Is that just domains from which web content is hosted, or just second level domains regardless of whether web content is hosted? Because I can't imagine that there are only 5,500 total .gov domains.

1 more reply

tedunangst9y ago

My browser's disk footprint is already over 100MB. What's another X MB?

The ironic thing is we're reinventing the CA system, only now each browser is its own authority, exactly the problem the CA system was trying to solve.

konkloneOP9y ago

I wouldn't say this is reinventing the CA system. You don't need to trust any particular browser here. The effect is that web services must offer a secure HTTPS connection, using the existing CA system (or an enterprise CA, if their user base is truly all-enterprise), no matter what browser is being used.

1 more reply

hackuser9y ago

> My browser's disk footprint is already over 100MB. What's another X MB?

Don't forget mobile and other platforms, where resources are more constrained.

foota9y ago

Seems like you could use a bloom filter to store whether a domain has a pinned cert, and then use an api provided by the browser to remotely fetch the pinned cert. This has privacy implications, but does step around the storage. Chrome does something similar for CRL, but bloom filters fit that use case better.

nitrogen9y ago

IIRC DuckDuckGo might do something like that for search suggestions. For slightly improved privacy, lots of unrelated hosts can be grouped into blocks (maybe grouped by probability of access to make it harder to infer which domain from the block is the likely target).

cakeface9y ago· 6 in thread

What are the odds that the private keys for all of the .gov domains are also sent to the NSA? I guess if you are worried about another nation spying on your traffic you would be fine. I would expect that all of this traffic is decryptable by NSA though.

noahkunin9y ago

Gov employee here (18F).

If the operative word is "sent" and "all" the likelihood is zero, as I can assert I've never sent a private key to NSA, and I've made quite a few over the past few years.

That said, carlosdp makes a great point as to how one should behave. Even though not all private keys get shipped to NSA (can't make claims about other teams), the government is very public about other data sharing programs (see https://www.dhs.gov/sites/default/files/publications/privacy... for example).

Even though all government agencies must disclose these types of programs, they are so numerous and often so difficult to decipher, the only rational response is to assume everyone has everything or could have access in the future.

The only way to avoid this is to build zero-knowledge systems on the server side, something I hope you'll see more of in 2017.

carlosdp9y ago

I think we can pretty safely assume all information given to the government is in the hands of government agencies, one way or another.

mikeash9y ago

Would you otherwise have an expectation that your data sent to the government would be kept secret from the NSA?

xenophonf9y ago

What are you getting at? As far as I know, OMB doesn't require key escrow, so it almost certainly doesn't happen at scale. I'd imagine that if an intelligence service asked an agency for keymat, they'd happily provide it. I know that I wouldn't have a problem with someone from old St. Elizabeths Hospital or Fort Meade or Crystal City asking me for stuff, especially since the order to co-ooperate with DHS or NSA or the Pentagon would come through the agency's chain of command.

That said, DHS runs an intrusion prevention system called EINSTEIN, whose mission is to protect all federal civilian computer networks:

https://en.wikipedia.org/wiki/Einstein_(US-CERT_program)

Using EINSTEIN _is_ mandated by OMB, so if you're worried about the U.S. federal government snooping on your communications with the U.S. federal government, I don't know what to tell you.

brainfire9y ago

I think it's safe to assume that would be impossible to keep secret. The number of people that would need to be "in on it" is huge.

I can vouch personally that at least one civilian department doesn't do this.

EdHominem9y ago

Do you really have a policy that would survive an NSA-directed evil-sysadmin attack from any of the participants in your chain of trust? As a civilian branch of the government?

It's pretty hard to setup a system that would survive an powerful adversary who simply didn't know your passwords, have access to your safes, etc. But to then make that system hardened against a malicious insider with get-of-of-jail card?!

1 more reply

besselheim9y ago· 4 in thread

It should really be .gov.us rather than a top level domain.

profmonocle9y ago

.gov, .mil, and .edu predate the existence of country-code TLDs. They're a legacy of when the Internet was a US government funded research project.

You could argue that since the Internet has become a global commercial network, the US should no longer have these special, exclusive TLDs. But switching over would be a ton of work, and there really aren't enough downsides to the US having these domains to justify a change.

It's worth noting that .fed.us exists, although hardly any government sites us it. State/city governments often use .[state].us domains since .gov was originally restricted to the federal government, but that restriction was lifted and it's common to see .gov used for state/local governments now as well.

belovedeagle9y ago

On the other hand, if we put in that effort now we won't have to listen to people who know nothing about how the internet came to be, and are indignant and shocked that the US government should have special treatment, for the next N decades. Seems almost worth it to me...

em3rgent0rdr9y ago

I think it is a nice little historical artifact. When someone asks why, then can tell the story of the internet's creation.

konkloneOP9y ago

In fact, there are now way more state/local .gov domains (~4,000) than federal .gov domains (~1,300).

Bartweiss9y ago· 2 in thread

This is fantastic news.

It wasn't that long ago that I tried to log into a government site via my SSN, and discovered that the page didn't even permit HTTPS. I was displeased, to say the least; logging in wasn't exactly optional, so it seemed much worse than a business offering poor security.

Permitting HTTPS is obviously the first step, but security shouldn't be limited to people with the expertise to seek it out. I'm really glad to see that something as inescapable as the .gov domain will be pursuing security-by-default.

walrus019y ago

Please name and shame the httpd that's asking for plaintext SSNs... That's newsworthy and I'm sure some tech journalists will pick it up on a slow day.

Bartweiss9y ago

It was a state jobs site which has since updated to HTTPS. They still suck in a lot of ways - the required login is SSN, plus an 8-digit (numeric only) PIN. That's a laughably bad login scheme, but at least they aren't passing it in the clear.

If I do see it again, is there anything like a clearinghouse for this sort of complaint?

Godel_unicode9y ago· 2 in thread

I said something similar in a reply below, but I find it interesting that this amounts to a .Gov-wide decision that availability is always less important than confidentiality and integrity.

While that's probably valid in the main, is that always true? FEMA/NOAA spring to mind. As does IRS guidance, especially since those documents should have digital signatures themselves for an additional layer of integrity.

Was this idea part of the discussion?

konkloneOP9y ago

Bear in mind that when it comes to plain HTTP, it's not just the system's confidentiality and integrity that you need to weigh: it's the user's confidentiality and integrity. That's a larger moral responsibility, in my opinion.

These issues were already worked through for the executive branch as part of the White House HTTPS policy published in June 2015:

https://https.cio.gov/

Some rationale for "Why everything?" can be found here:

https://https.cio.gov/everything/

Personally, I'd say that plain HTTP is insecure enough, and today's internet is hostile enough, that plain HTTP provides a very weak form of "availability". It's on site operators to ensure that when their services and information is available, that it's available in a manner that doesn't subject the user to risk.

Godel_unicode9y ago

How is the user's C/I adversely affected by allowing FEMA to have a non-https subdomain for emergency alerts? That's a super easy addition to the policy: HTTPS everywhere except for GET requests to alerts.fema.gov.

I assume you know, but in case you don't, hostnames are typically outside the envelope for HTTPS. So this hypothetical GET already leaks that it's going to alerts.fema.gov. Then realize that the HTTPS cipher suites positively identified the HTTPS library being used, and packet details + origin IP leak the OS.

Edit: I'll even do you one better. Have the policy be HTTPS everywhere and HSTS everywhere but alerts.fema.gov

1 more reply

excalibur9y ago· 2 in thread

Unable to click through certificate warnings = completely inaccessible when there is an issue with certificate validation. Look at the shiny new attack surface!

konkloneOP9y ago

If there's an issue with certificate validation, the attack surface is already open.

Godel_unicode9y ago

You've forgotten that security includes availability, in addition to confidentiality and integrity. Interesting design choice for the entity which runs the emergency broadcasting system.

You're saying you'd prefer for e.g. NOAA to not be able to issue tornado warnings in order to ensure nobody can fake a tornado warning.

1 more reply

prodtorok9y ago· 2 in thread

How has this been enforced? and what about sub-domains?

konkloneOP9y ago

Subdomains generally get automatically included when a second-level domain is preloaded. So, for .gov domains that fall under scope here, their subdomains will all have HTTPS enforced by modern web browsers.

Web browsers enforce preloading by considering each domain as having HTTP Strict Transport Security (HSTS) set, and so it gets the strict treatment: only https:// connections, and no clicking through certificate warnings.

Some more detail on all this here: https://https.cio.gov/hsts/

prodtorok9y ago

I've contracted for a few of the larger agencies and that's just not true. Their DNS's can route sub-domains to several (hundreds) different sites/servers where there is no, and continues to be no, https

2 more replies

hannibalhorn9y ago· 1 in thread

From what I gather, Let's Encrypt meets the guidelines to be considered acceptable, but is not really mentioned anywhere, neither in the linked page nor on https.cio.giv - is there any feeling one way or the other on the use of Let's Encrypt for .gov?

Certainly one of the biggest headaches of the classic approach is forgetting to renew your certificate on time, a situation which Let's Encrypt effectively avoids.

konkloneOP9y ago

Let's Encrypt isn't specifically mentioned in the post, though the post hits the underlying point:

> GSA provides extensive guidance to agencies on HTTPS deployment at https.cio.gov, and encourages .gov domain owners to obtain low cost or free certificates, trusted by the general public. As a general matter, more expensive certificates do not offer more security value to service owners, and automatic deployment of free certificates can significantly improve service owners’ security posture.

This is also repeated here:

https://https.cio.gov/certificates/#what-kind-of-certificate...

Two GSA programs automate Let's Encrypt to deploy certificates on demand:

* https://www.digitalgov.gov/2016/09/07/lets-encrypt-those-cna...

* https://cloud.gov/docs/apps/custom-domains/#managed-service-...

There's also a USG amendment to the Let's Encrypt Terms of Service that GSA negotiated with them to make it easier for agencies to use it:

https://letsencrypt.org/documents/LE-US-State-Local-SA-Amend...

3pt141599y ago

If anyone works in the Canadian government and wants my input in getting the political support to make this happen in your department, I've been helping some departments understand the nature of the risks (some are even paying me as a consultant!) of MITM attacks. It's taking time, but I'm slowly seeing improvement. I can give you some tips as to how to properly communicate the importance of some of these and other measures (like getting monitors like Appcanary installed to watch for security vulnerabilities).

My email is in my profile :)

j / k navigate · click thread line to collapse

78 comments

45 comments · 10 top-level

konkloneOP9y ago· 9 in thread

Co-author of the post here, happy to answer questions. =)

This is a GSA initiative, not an 18F initiative. But 18F has a recent post detailing executive branch progress on HTTPS that may also be relevant:

https://18f.gsa.gov/2017/01/04/tracking-the-us-governments-p...

scrollaway9y ago

konkloneOP9y ago

tomschlick9y ago

Any plans to force IPv6 adoption in the same manner?

konkloneOP9y ago

IPv6 is a federal mandate for agencies: https://www.whitehouse.gov/sites/default/files/omb/assets/eg...

And NIST has a dashboard of adoption: https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov

1 more reply

toomuchtodo9y ago

IPv6 is pretty low priority compared to comprehensive HTTPS support.

Disclaimer: Not USDS/18F, just tech professional.

2 more replies

austincheney9y ago

Does this include DOD? I suspect DOD is probably already doing this, but just wonder if they fall under the umbrella.

konkloneOP9y ago

DoD does have some .gov domains, so it would affect them in that way. But .mil is not affected.

stqism9y ago

walrus019y ago

DoD uses https and crypto at the transport layer in SIPR. Lots of "type 1" crypto as well, which is its own special thing with NSA issued hardware crypto keys.

t0mas889y ago· 7 in thread

konkloneOP9y ago

In any case, .gov won't add much to the load -- right now there are all of 5,500 .gov domains, and the rate of adding/removal is on the order of dozens every month at most.

dragonwriter9y ago

> right now there are all of 5,500 .gov domains

1 more reply

tedunangst9y ago

My browser's disk footprint is already over 100MB. What's another X MB?

The ironic thing is we're reinventing the CA system, only now each browser is its own authority, exactly the problem the CA system was trying to solve.

konkloneOP9y ago

1 more reply

hackuser9y ago

> My browser's disk footprint is already over 100MB. What's another X MB?

Don't forget mobile and other platforms, where resources are more constrained.

foota9y ago

nitrogen9y ago

cakeface9y ago· 6 in thread

noahkunin9y ago

Gov employee here (18F).

If the operative word is "sent" and "all" the likelihood is zero, as I can assert I've never sent a private key to NSA, and I've made quite a few over the past few years.

The only way to avoid this is to build zero-knowledge systems on the server side, something I hope you'll see more of in 2017.

carlosdp9y ago

I think we can pretty safely assume all information given to the government is in the hands of government agencies, one way or another.

mikeash9y ago

Would you otherwise have an expectation that your data sent to the government would be kept secret from the NSA?

xenophonf9y ago

That said, DHS runs an intrusion prevention system called EINSTEIN, whose mission is to protect all federal civilian computer networks:

https://en.wikipedia.org/wiki/Einstein_(US-CERT_program)

Using EINSTEIN _is_ mandated by OMB, so if you're worried about the U.S. federal government snooping on your communications with the U.S. federal government, I don't know what to tell you.

brainfire9y ago

I think it's safe to assume that would be impossible to keep secret. The number of people that would need to be "in on it" is huge.

I can vouch personally that at least one civilian department doesn't do this.

EdHominem9y ago

Do you really have a policy that would survive an NSA-directed evil-sysadmin attack from any of the participants in your chain of trust? As a civilian branch of the government?

1 more reply

besselheim9y ago· 4 in thread

It should really be .gov.us rather than a top level domain.

profmonocle9y ago

.gov, .mil, and .edu predate the existence of country-code TLDs. They're a legacy of when the Internet was a US government funded research project.

belovedeagle9y ago

em3rgent0rdr9y ago

I think it is a nice little historical artifact. When someone asks why, then can tell the story of the internet's creation.

konkloneOP9y ago

In fact, there are now way more state/local .gov domains (~4,000) than federal .gov domains (~1,300).

Bartweiss9y ago· 2 in thread

This is fantastic news.

walrus019y ago

Please name and shame the httpd that's asking for plaintext SSNs... That's newsworthy and I'm sure some tech journalists will pick it up on a slow day.

Bartweiss9y ago

If I do see it again, is there anything like a clearinghouse for this sort of complaint?

Godel_unicode9y ago· 2 in thread

I said something similar in a reply below, but I find it interesting that this amounts to a .Gov-wide decision that availability is always less important than confidentiality and integrity.

Was this idea part of the discussion?

konkloneOP9y ago

These issues were already worked through for the executive branch as part of the White House HTTPS policy published in June 2015:

https://https.cio.gov/

Some rationale for "Why everything?" can be found here:

https://https.cio.gov/everything/

Godel_unicode9y ago

Edit: I'll even do you one better. Have the policy be HTTPS everywhere and HSTS everywhere but alerts.fema.gov

1 more reply

excalibur9y ago· 2 in thread

Unable to click through certificate warnings = completely inaccessible when there is an issue with certificate validation. Look at the shiny new attack surface!

konkloneOP9y ago

If there's an issue with certificate validation, the attack surface is already open.

Godel_unicode9y ago

You've forgotten that security includes availability, in addition to confidentiality and integrity. Interesting design choice for the entity which runs the emergency broadcasting system.

You're saying you'd prefer for e.g. NOAA to not be able to issue tornado warnings in order to ensure nobody can fake a tornado warning.

1 more reply

prodtorok9y ago· 2 in thread

How has this been enforced? and what about sub-domains?

konkloneOP9y ago

Some more detail on all this here: https://https.cio.gov/hsts/

prodtorok9y ago

2 more replies

hannibalhorn9y ago· 1 in thread

Certainly one of the biggest headaches of the classic approach is forgetting to renew your certificate on time, a situation which Let's Encrypt effectively avoids.

konkloneOP9y ago

Let's Encrypt isn't specifically mentioned in the post, though the post hits the underlying point:

This is also repeated here:

https://https.cio.gov/certificates/#what-kind-of-certificate...

Two GSA programs automate Let's Encrypt to deploy certificates on demand:

* https://www.digitalgov.gov/2016/09/07/lets-encrypt-those-cna...

* https://cloud.gov/docs/apps/custom-domains/#managed-service-...

There's also a USG amendment to the Let's Encrypt Terms of Service that GSA negotiated with them to make it easier for agencies to use it:

https://letsencrypt.org/documents/LE-US-State-Local-SA-Amend...

3pt141599y ago

My email is in my profile :)

j / k navigate · click thread line to collapse