White House struggles with web security

US house of repsThe United States government chief information office has published a set of technical guidelines that say the administration’s many different websites should use the encrypted HTTPS only.

In a better late than never move, the US government CIO Tony Scott – requires that “all publicly accessible federal websites and web services only provide service through a secure connection”.

“All browsing activity should be considered private and sensitive,” Scott wrote.

The standard hypertext transport protocol transmits data in clear text only. This makes users browsing on government websites vulnerable to interception and alteration of data, as well as privacy violations.

But it appears that some of the White House’s other chickens have come home to roost.

Correctly configuring HTTPS with digital certificates is notoriously difficult to do right and the White House is stuck because it has not really implemented SSL/TLS properly.
iTnews  found the sites link to digital certificates with weak security configuration using Secure Hash Algorithm-1 signatures.

SHA-1 was designed by the US National Security Agency (NSA) and been considered outdated and easy to crack for ages. This was because in 2012, LinkedIn suffered a large-scale data breach that saw attackers dump almost 6.5 million usernames and passwords, the latter encrypted with SHA-1 which made it a doddle to decrypt.

The whole move is also ironic because IT industry giants are fuming at the Obama’s proposed backdoors in encryption which would mean that his own site should have back doors.