from Hacker News

Open source collaboration across agencies to improve HTTPS deployment

by konklone on 1/6/17, 7:53 PM with 19 comments

  • by bertil on 1/7/17, 4:34 AM

    This is a very small detail in that post but it captures quite well what officialdom is to me, what separates GSA and 18F from other digital efforts: the inclusion of the “tribal” scale in the list of levels of authority. 18F makes things so that many people can use the Internet including, explicitly, the administration of First Nations.

    I’ve complained a lot about how US-based companies do not think about non-US users enough (that common rant is obviously not applicable to GSA, although Americans abroad, immigrants and foreign visitors probably qualify) but in that rant, I have forgotten the original Americans. Shame on me. I have never heard of any start-up asking “What about First Nations? Do we support the Cherokee alphabet? Is there a Sioux exception for the law that we are enforcing in that form?”

  • by garrettr_ on 1/6/17, 9:20 PM

    pshtt (the HTTPS scanning tool) also powers the results for Freedom of the Press Foundation's recently launched Secure The News project: https://securethe.news. (Full disclosure: I work for FPF, and worked on Secure the News).

    It's a promising project, and could use more contributors if anyone here is interested: https://github.com/dhs-ncats/pshtt/issues for ideas!

  • by discreditable on 1/6/17, 10:13 PM

    I was happy to notice not long ago that apod.nasa.gov is now served over HTTPS with a Let's Encrypt certificate. Even the OP's link is!

  • by alpb on 1/6/17, 10:20 PM

    One thing I noticed going through the list linked in the page is, many of these .gov pages host _both_ www and no-www versions, making them essentially two different websites with the same content. Example: http://abilityone.gov/ and http://www.abilityone.gov/. It looks like clear guidelines around this are something that is missing. I know of certain countries whose .gov domains are almost 99% www and they don’t serve no-www at all.

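
    The www/no-www split described in the comment above is the kind of thing an HTTPS deployment scanner has to model explicitly. The following is an added example, not code from the thread or from pshtt: it follows redirects inside a set of captured responses for the four obvious endpoints of a domain (http/https, bare/www), reports whether plain HTTP is forced onto HTTPS, whether both hostnames converge on one canonical URL, and what the HSTS header on that canonical response says. The sample responses for example.gov and weak.gov are constructed, and the one-year max-age floor is an assumption of this example.

```python
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
ONE_YEAR = 31536000  # assumed HSTS max-age floor for this example

# Constructed sample responses: URL -> (status, headers). Not real .gov traffic.
# Everything redirects to one HTTPS canonical host that sets a strong HSTS policy.
GOOD_SITE = {
    "http://example.gov/": (301, {"Location": "https://www.example.gov/"}),
    "http://www.example.gov/": (301, {"Location": "https://www.example.gov/"}),
    "https://example.gov/": (301, {"Location": "https://www.example.gov/"}),
    "https://www.example.gov/": (200, {"Strict-Transport-Security":
                                       "max-age=31536000; includeSubDomains; preload"}),
}

# Constructed: the bare host stays on plain HTTP and serves its own copy of the
# site, www is HTTPS but sends no HSTS. This is the two-websites situation.
WEAK_SITE = {
    "http://weak.gov/": (200, {}),
    "http://www.weak.gov/": (301, {"Location": "https://www.weak.gov/"}),
    "https://weak.gov/": (200, {}),
    "https://www.weak.gov/": (200, {}),
}


def follow(url, responses, max_hops=5):
    """Follow redirects inside the captured responses.

    Returns (final_url, status, headers). status is None when the URL was
    never captured or when redirects run past max_hops (a loop).
    """
    for _ in range(max_hops):
        if url not in responses:
            return url, None, {}
        status, headers = responses[url]
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])  # handles relative Locations too
            continue
        return url, status, headers
    return url, None, {}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    result = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and val.strip().isdigit():
            result["max_age"] = int(val.strip())
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def evaluate(domain, responses):
    """Judge one domain's HTTPS deployment from captured responses."""
    endpoints = [f"{scheme}://{host}/"
                 for host in (domain, "www." + domain)
                 for scheme in ("http", "https")]
    finals = {ep: follow(ep, responses) for ep in endpoints}
    reachable = {ep: f for ep, f in finals.items() if f[1] is not None}

    # HTTPS is enforced only if every reachable plain-HTTP endpoint lands on HTTPS.
    http_finals = [f[0] for ep, f in reachable.items() if ep.startswith("http://")]
    enforces_https = bool(http_finals) and all(
        urlparse(u).scheme == "https" for u in http_finals)

    # One canonical URL: bare and www hosts must converge on the same page.
    final_urls = {f[0] for f in reachable.values()}
    canonical = final_urls.pop() if len(final_urls) == 1 else None

    # HSTS only counts when it is set on the canonical HTTPS response.
    hsts = {"max_age": 0, "include_subdomains": False, "preload": False}
    if canonical and canonical.startswith("https://"):
        header = responses[canonical][1].get("Strict-Transport-Security")
        if header:
            hsts = parse_hsts(header)

    return {
        "enforces_https": enforces_https,
        "canonical_url": canonical,
        "hsts_present": hsts["max_age"] > 0,
        "hsts_one_year": hsts["max_age"] >= ONE_YEAR,
        "hsts_include_subdomains": hsts["include_subdomains"],
        "hsts_preload": hsts["preload"],
    }


if __name__ == "__main__":
    for name, site in (("example.gov", GOOD_SITE), ("weak.gov", WEAK_SITE)):
        print(name, evaluate(name, site))
```

    Running it on the constructed data flags weak.gov with no canonical URL and no HTTPS enforcement, which is exactly how a bare host serving its own unencrypted copy would show up in a report; a real scanner would feed `follow` the responses it fetched rather than a fixed dictionary.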
  • by randomdrake on 1/6/17, 9:07 PM

    Thanks for the work that you're doing on this and answering questions. I had never seen many of the neat things mentioned in the blog post.

    While the article did a good job explaining how pshtt works and how it generates data for the reporting, it didn't dive too much into the scanning itself. Since this is posted on Hacker News, I'd love to hear more about the nitty-gritty of the data collection itself.

    Can you talk about what sort of setup you run, and what sort of technical and interdepartmental challenges you run into scanning, storing, and obtaining data for 1,143 government websites?

  • by ycmbntrthrwaway on 1/6/17, 11:59 PM

    I like how https://pulse.cio.gov/ does not work because its certificate is issued for cloudfront.net.

  • by hmft on 1/6/17, 8:18 PM

    Heyo, ^ blogger here. Happy to chat.

  • by DyslexicAtheist on 1/7/17, 11:40 AM

    This combines some really important checks. I might be able to remove my .bashrc hack ...

      function certchain() {
          # Usage: certchain <ip|domain[:port]>
          # Display the PKI chain of trust (subject and issuer of each
          # certificate) presented by a TLS server; the port defaults to 443.
          # GistID: https://gist.github.com/joshenders/cda916797665de69ebcd
          if [[ "$#" -ne 1 ]]; then
              echo "Usage: ${FUNCNAME} <ip|domain[:port]>"
              return 1
          fi

          local host_port="$1"

          # Append the default HTTPS port when the argument carries none
          if [[ "$1" != *:* ]]; then
              host_port="${1}:443"
          fi

          # s_client prints one " N s:<subject>" / "   i:<issuer>" pair per chain
          # element; keep only those lines (a plain space, not "\ ", in the ERE)
          openssl s_client -connect "${host_port}" </dev/null 2>/dev/null | grep -E ' (s|i):'
      }

  • by eeZah7Ux on 1/6/17, 9:13 PM

    How mature is pshtt?