33 Years of the Digest ... founded August 21, 1981Copyright © 2015 E. William Horne. All Rights Reserved.The Telecom Digest for Feb 4, 2015
| ||||||||||
| All the lessons of history and experience must be lost upon us if we are content to trust alone to the peculiar advantages we happen to possess. - Martin Van Buren |
See the bottom of this issue for subscription and archive details.
| Date: 3 Feb 2015 15:22:26 -0000 From: "John Levine" <johnl@iecc.com> To: telecomdigestsubmissions.remove-this@and-this-too.telecom-digest.org. Subject: Re: Security problem at Whitehouse website Message-ID: <20150203152226.17286.qmail@ary.lan> >I've confirmed this with several different machines, different >Operating Systems, and multiple locations. It's a real problem, and >has been going on for at least fourteen hours. > >The site is at >https://www.whitehouse.gov/ >. The wrong cert is from Akamai, a provider that many (most?) busy web sites use to spead out the load so they respond faster. The SSL cert problem is a longstanding issue and they're painfully aware of it. R's, John ***** Moderator's Note ***** I don't care if they're aware of it. I care that they're allowing the site to remain online without fixing it. Good grief - it's the damned White House website! Are the people in charge of the President's public image so inured to imcompetence in the civil service that they think it's OK to expect taxpayers to ignore warnings about possible man-in-the-middle attacks? Twenty-six hours, and counting. Bill Horne Moderator |
| Date: Tue, 03 Feb 2015 14:36:45 -0600 From: GlowingBlueMist <GlowingBlueMist@blackhole.io> To: telecomdigestsubmissions.remove-this@and-this-too.telecom-digest.org. Subject: Re: Security problem at Whitehouse website Message-ID: <marbhc$1oi$1@dont-email.me> On 2/3/2015 9:22 AM, John Levine wrote: >> I've confirmed this with several different machines, different >> Operating Systems, and multiple locations. It's a real problem, and >> has been going on for at least fourteen hours. >> >> The site is at >> https://www.whitehouse.gov/ >> . > > The wrong cert is from Akamai, a provider that many (most?) busy web sites > use to spead out the load so they respond faster. The SSL cert problem is > a longstanding issue and they're painfully aware of it. > > R's, > John > > ***** Moderator's Note ***** > > I don't care if they're aware of it. I care that they're allowing > the site to remain online without fixing it. > > Good grief - it's the damned White House website! Are the people in > charge of the President's public image so inured to imcompetence in > the civil service that they think it's OK to expect taxpayers to > ignore warnings about possible man-in-the-middle attacks? > > Twenty-six hours, and counting. > > Bill Horne > Moderator Most likely they are using the same incompetent website engineers that tried writing the Obamacare web site. I can see it now, a large board room filled with political hacks, and the decision is... Move them over to the White House project so we can use the "national security" blanket to keep them away from the media. |
| Date: 3 Feb 2015 17:02:32 -0000 From: "John Levine" <johnl@iecc.com> To: telecomdigestsubmissions.remove-this@and-this-too.telecom-digest.org. Subject: Re: Security problem at Whitehouse website Message-ID: <20150203170232.17567.qmail@ary.lan> >I don't care if they're aware of it. I care that they're allowing >the site to remain online without fixing it. If there were a straightforward fix, they'd fix it. If you click through the browser warnings, you end up at the non-SSL whitehouse.gov which is also hosted at Akamai but your browser doesn't complain. R's, John ***** Moderator's Note ***** They don't need to fix it: the White House can simply order Akamai to turn off https access. It is a public website, intended to distribute (I hope) public information. I wouldn't be offended by a message saying "Whitehouse.gov is optimized for quick response, so https is not supported": I only came across it by accident, after I typed the domain name while already on a secure site. However, if the website responds, I think I'm entitled to have it work properly. This is not a technical problem: it's a political one. Someone is sending a message that they don't care if the President's statements get through to the electorate. Bill Horne Moderator |
| Date: 4 Feb 2015 01:14:50 -0000 From: "John Levine" <johnl@iecc.com> To: telecomdigestsubmissions.remove-this@and-this-too.telecom-digest.org. Subject: Re: Security problem at Whitehouse website Message-ID: <20150204011450.18669.qmail@ary.lan> John Levine wrote: >> If there were a straightforward fix, they'd fix it. ... Telecom Digest Moderator wrote: > They don't need to fix it: the White House can simply order Akamai > to turn off https access. ... As I said, if there were a straightforward fix, they'd fix it. Akamai serves up pages to many thousands of different customers of which the White House is only one. Some are OK with the SSL issue, some are not, but it's all one server farm. Anyone who's familiar with the large scale Internet knows about this issue. There are long term fixes using something called SNI, but getting all of the configuration and certficates set up is a challenge. R's, John ***** Moderator's Note ***** John, Leaving aside the fact that Server Name Indication (SNI) "was added to the IETF's Internet RFCs in June 2003"(1), I'm starting to wonder if you and I have been plugging holes in these dams for so long that we've forgotten laymen still think that cracks in a dam are serious! I'll state my concern another way: there are different definitions of proper performance when dealing with a website that is so closely associated with the President of the United States. As far as I'm concerned, allowing whitehouse.gov to appear to be broken is as bad, if not worse, than doing nothing while it is broken, which is the current situation, as of 03:07 UTC on February 4. I voted for the President. I have no wish to undercut his agenda or demean his achievements. I am asking that someone with a friend in the WHCA make a phone call and make them aware of this issue. If I don't point it out, then John Boehner et al certainly will, and I'd bet that the Speaker will work in some clever questions about the "security" of the codes in the black bag which follows the President wherever he goes. If it looks wrong, it is wrong. That's life in the media bubble. 1. http://en.wikipedia.org/wiki/Server_Name_Indication Bill Horne Moderator |
TELECOM Digest is an electronic journal devoted mostly to telecom- munications topics. It is circulated anywhere there is email, in addition to Usenet, where it appears as the moderated newsgroup 'comp.dcom.telecom'.
TELECOM Digest is a not-for-profit educational service offered to the Internet by Bill Horne.
The Telecom Digest is moderated by Bill Horne.
| Contact information: |
Bill Horne Telecom Digest 43 Deerfield Road Sharon MA 02067-2301 339-364-8487 bill at horne dot net |
| Subscribe: | telecom-request@telecom-digest.org?body=subscribe telecom |
| Unsubscribe: | telecom-request@telecom-digest.org?body=unsubscribe telecom |
This Digest is the oldest continuing e-journal about telecomm- unications on the Internet, having been founded in August, 1981 and published continuously since then. Our archives are available for your review/research. We believe we are the oldest e-zine/mailing list on the internet in any category! URL information: http://telecom-digest.org Copyright © 2015 E. William Horne. All rights reserved.
Finally, the Digest is funded by gifts from generous readers such as yourself. Thank you!
All opinions expressed herein are deemed to be those of the author. Any organizations listed are for identification purposes only and messages should not be considered any official expression by the organization.