Do users have to submit anything sensitive on this site? Are there any forms where sensitive information could be plaintexted across the wire? I would love to know.
If it's purely static HTML files, then I see no point in switching to HTTPS just because it's the trendy, hip thing to do. Perhaps 'switching on SSL' for the sake of it is counter-productive and not needed in every case.
I can see the panic here because it's a .GOV site, but can we confirm this is just static HTML?
The site is being served over Akamai and the certificate for www.whitehouse.gov is being served by Akamai but appears the certificate does not have www.whitehouse.gov for the issued domains. Secure actions are redirected to petitions.whitehouse.gov.
It may also be possible that they have setup the frontend of the site to only serve the SSL site from certain IPs (Example from authorized site administrator networks, VPN, etc.) if the IP is not authorized redirect to http which would disable the ability for anyone to login that should not be able to login and/or require PIV certs from authorized IPs. So if you are not hitting the site from an authorized IP you can never login and if you do not have a PIV cert you can never login.
By taking a quick look around, the site is powered by Drupal, the CSS and JavaScript are compressed but the entire site(s) are served behind Akamai for the internet. It may be possible they are serving out statically compiled pages over Akamai that the internet can get to and the dynamic site might only be accessible internally, which is a good practice for large sites.
Also note if you find any weird issues you should be able to call or email the General Services Administration (GSA) who manages the .gov domains registry - https://www.dotgov.gov/portal/web/dotgov/whois if that fails or it is a security issue you can contact US-CERT - http://www.dhs.gov/report-incidents#2 / https://www.us-cert.gov/ which is apart of the Department of Homeland security which appear to be responsible for protecting the networks of the .gov domains or centralizing the reports of security issues for the .gov domains.
I ran HTTP Nowhere for a while. I don't know what I was supposed to expect, but I was rather shocked by the number of expired and invalid HTTPS certificates. Akamai serving secure sites was a pretty common failure mode.
3 comments
[ 2.5 ms ] story [ 39.6 ms ] threadIf it's purely static HTML files, then I see no point in switching to HTTPS just because it's the trendy, hip thing to do. Perhaps 'switching on SSL' for the sake of it is counter-productive and not needed in every case.
I can see the panic here because it's a .GOV site, but can we confirm this is just static HTML?
It may also be possible that they have setup the frontend of the site to only serve the SSL site from certain IPs (Example from authorized site administrator networks, VPN, etc.) if the IP is not authorized redirect to http which would disable the ability for anyone to login that should not be able to login and/or require PIV certs from authorized IPs. So if you are not hitting the site from an authorized IP you can never login and if you do not have a PIV cert you can never login.
By taking a quick look around, the site is powered by Drupal, the CSS and JavaScript are compressed but the entire site(s) are served behind Akamai for the internet. It may be possible they are serving out statically compiled pages over Akamai that the internet can get to and the dynamic site might only be accessible internally, which is a good practice for large sites.
Also note if you find any weird issues you should be able to call or email the General Services Administration (GSA) who manages the .gov domains registry - https://www.dotgov.gov/portal/web/dotgov/whois if that fails or it is a security issue you can contact US-CERT - http://www.dhs.gov/report-incidents#2 / https://www.us-cert.gov/ which is apart of the Department of Homeland security which appear to be responsible for protecting the networks of the .gov domains or centralizing the reports of security issues for the .gov domains.