President Trump is Demanding Web Server Security For All New Federal .gov Websites
How much security do we actually get from a “secure” website via HTTPS? Not much, as it turns out. Today Craig talks about the history behind this executive order and what “secure server” really means.
Craig also tells you how you can establish your own HTTPS Secure Server for free! That’s right, there are actual free-for-life SSL certificates you can use for your business or community organization. 🙂
All new executive branch .gov domains will ditch HTTP, enforce HTTPS
Below is a rush transcript of this segment, it might contain errors.
Airing date: 01/24/2017
Trump Demanding Security on All New Gov Websites – How You Can Do the Same for Free for Your Website
Craig Peterson: Hi, Craig Peterson here. Your Tech Talk expert. We’re going to talk about tech right now. The executive branch. Of course you’ve got Trump in power now and he has ordered them to do something I think every business should do. Now I also think that a couple of the different guys out there like TechCrunch got some of the stuff wrong on this story. So we’re going to talk about this today. Should you trust secure sites? Should you have a secure site? And did you know there’s a way right now for you to have a secure site without having to pay a dime? Absolutely free. Big move afoot. So we’re gonna talk about this right now.
You know, we’ve talked a lot before about security. A lot of people don’t really understand what that little lock means. You know, up in the corner of the screen when you’re on your web browser. Right up there on the URL line. There’s a lock that indicates HTTPS. Now, this is a protocol that’s been around for quite a while. It’s based on SSL. There have been some security problems with it. Heartbleed and all. But SSL is a secure sockets layer and that’s what you use when you’re going to a website, like a bank site, that’s trying to keep your information secure. Now historically that SSL certificate that’s used by the website has been signed by a trusted authority. What that means is the bank went to one of these certificate granting institutions, paid them hundreds of dollars per year for them to say yes indeed this is the bank. Now we know already that the NSA has hacked some of these sites. You can use what’s called a man-in-the-middle attack where you’re trying to connect to a secure site, there’s someone in the middle and the federal government has keys for a few of these kind of, root if you will, these main certificate issuers so they can pretend that everything is legit and wonderful and funky hunky-dory, right? Everything’s great.
So that’s part of what they get wrong here in the media. TechCrunch’s article saying that, you know, you use an HTTPS site so you can rest assured that the website that you think you’re talking to is indeed the site you’re talking to. And my response to that is no, you cannot rest assured about it. You really don’t know. You suspect that it’s the site, you think it’s probably this site, but you don’t know it’s the site. And there’s good reason for that, as I said, they hack these things all the time. And you don’t know if the issuer, the certificate issuer, really did their due diligence. You don’t really know if maybe the web server that did the SSL session has been compromised. You know, ok, great. You’ve got a certificate, it matches the URL you’ve gone to, but at that point is it good enough really? What do you want from security? Well people think that security in these SSL certificates, on the “secure websites”, goes all the way through, right? You can give your credit card information to an HTTPS site, right? If it has a little lock there, you know your credit card information’s secure. You know your social security number you just gave them is secure, right? Wrong. It doesn’t provide any of that sort of protection. Not at all. The only protection it’s providing you with is that the data is encrypted from your computer to somewhere else. And we don’t know where that somewhere else is, as I was just saying.
So what’s the reasoning behind this? What’s the real purpose? Well in fact I’ve started moving all of my clients over to HTTPS and I’ve been trying to do this for at least, well since the protocol came out. I don’t know how long ago that was, a decade ago. A very, very long time ago. But most of them pushed back because getting a signed SSL certificate has been expensive and it’s been quite a bit of a problem. So they said listen, it’s not worth 300 bucks, 500 bucks to me to get this certificate. Nowadays there’s an alternative and it’s called Let’s Encrypt and that’s what I’ve started using and I’m putting it up on my sites as well. And we’re moving the Craig Peterson site to a different server so that we can do a little bit more on the security side too. But, you know, Let’s Encrypt, have a look at that project. They will sign anybody’s certificate. And then they have some things in place to help make sure you are who you say you are but it’s not exhaustive. And frankly, the type of checking that these certificate authorities have been using over the years isn’t that exhaustive either. But what it is doing is encrypting your data and that’s the most important part, right?
So your data while in transit can’t be grabbed by the bad guys. Can’t be grabbed by someone who’s trying to listen in, and then decrypt it, at least not easily. Not readily. So have a look at that. If you have a website and you want to have a little bit of security on it, you’re not conducting a lot of major financial transactions, you just want people to be able to keep their information safe. You know, maybe they’re there to apply for a job with you at your company and they’re doing it from a work computer. They don’t want their boss to see what it is they’re doing. You know they might see that you went to the website but other than that, they’re not going to have any clue what you did on that website. None at all. You could be a hiring manager for your company and they wouldn’t know if you’re trying to hire or fire or get a job yourself, right? None of that information would be apparent.
So HTTPS is very, very important. And President Trump, one of the first things he did here is said all new executive branch .gov domains are going to have to be HTTPS. They’re going to have to use SSL. They’re gonna have to have signed certificates. And of course in the case of the federal government it’s a lot easier and cheaper for them to do it because they don’t have to use the same certificate authorities we do. But, you know, bottom line, and by the way the price has gone down, a couple hundred bucks now. But the bottom line is it’s all going to be encrypted. That’s a very good thing. And that’s going to help us all out, a little bit anyways, with security.
So that’s it for today. A little TechSanity Check. Once again I disagreed with TechCrunch. You know Taylor Hatmaker, probably great guy who wrote this article. I have no idea. Or maybe it’s a gal. Taylor could go either way, right? But I think they’re missing some points here but I guess that’s also what I get for being on the internet now for, well since 1981. So I’ll let you do the math. A very long time. We got a lot to talk about but I don’t have time today. I got to hop on an airplane going to help a whole chain here of these pain clinics with some of their security issues on networks. We’re rebuilding the networks and everything for them. So, I gotta run and I will talk to you later. Go online http://CraigPeterson.com. Get a little bit more up-to-date information from me, Craig Peterson, the Tech Talk security expert. Take care.
Don’t miss any episode from Craig. Visit http://CraigPeterson.com/itunes Subscribe and give us a rating!
Thanks, everyone, for listening and sharing our podcasts. We’re really hitting it out of the park. This will be a great year!