Pixel Envy

Written by Nick Heer.

U.S. Government Websites Give Bad Security Advice

Brian Krebs:

Many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.

[…]

The text I have a beef with is the bit on the right, beneath the “This site is secure” statement. Specifically, it says, “The https:// ensures that you are connecting to the official website….”

Here’s the deal: The https:// part of an address (also called “Secure Sockets Layer” or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and cannot be read by third parties.

However, the presence of “https://” or a padlock in the browser address bar does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

This is probably obvious to technically-literate readers like yourself, but I think this poor advice would make sense to many people. It’s exacerbated by browsers’ interfaces that emphasize the difference between HTTP and HTTPS connections. Visiting scripting.com, a staunch HTTP-only website, in Chrome and Safari will show a “Not Secure” badge in the address field. Visiting my HTTPS site, on the other hand, will show a nice little padlock instead that, when clicked in either browser, indicates that the connection is “secure” and “encrypted”.

Krebs:

Other federal sites — like dhs.gov, irs.gov and epa.gov — simply have the “An official website of the United States government” declaration at the top, without offering any tips about how to feel better about that statement.

There’s nothing preventing just anyone from claiming that they, too, operate an “official website of the United States government”. It is not helped by the U.S. government’s mixed use of .gov, .mil, .us, and .org domains, not to mention the many GitHub demos I found. Conversely, there are plenty of official U.S. government websites that do not display that notice: the FAA, OSHA, the Small Business Administration, and Recreation.gov, to name just a few.

Finally, I can’t work out why there are three different domains associated with the census: census.gov is fine, but 2020census.gov is kind of sketchy looking, and my2020census.gov — the actual website of the survey — is very sketchy looking. None of those websites share the same design language, and only the survey URL has the aforementioned “official website” notice. What a mess.
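The two questions that Krebs's passage and the domain confusion above keep separate, "is the transport encrypted?" and "which domain am I actually talking to?", can be checked independently. The Python below is an added example, not code from this post or from Krebs's article: it answers each question from the URL alone, using the census domains mentioned above plus a constructed lookalike as sample input. The list of government-controlled suffixes (`.gov`, `.mil`) is an assumption for the example, not an authoritative registry list; `.us` and `.org` are left out precisely because anyone can register under them.

```python
"""Added example (not part of the original post or Krebs's article).

Separates the two things a URL can tell you:
  1. whether the transport is encrypted (the scheme), and
  2. which host you are actually connecting to (the authority part).

Only the second question bears on "is this an official site"; the first says
nothing about it, which is the point Krebs makes about the https:// text.
"""
from urllib.parse import urlsplit

# Assumption for this example: suffixes whose registration is restricted to
# U.S. government bodies. Open namespaces such as .us and .org are excluded.
GOVERNMENT_SUFFIXES = (".gov", ".mil")


def transport_encrypted(url: str) -> bool:
    """True only for an https:// scheme; says nothing about who runs the host."""
    return urlsplit(url).scheme.lower() == "https"


def hostname(url: str) -> str:
    """Return the lowercased host, with any port or userinfo stripped.

    urlsplit().hostname already discards 'user@' prefixes and ':port' suffixes,
    so a URL dressed up with a familiar name in the userinfo part does not
    fool this check.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in URL: {url!r}")
    return host


def on_government_suffix(url: str) -> bool:
    """True when the host's top-level label is one of GOVERNMENT_SUFFIXES.

    endswith() is applied to the whole host, so 'census.gov.example.com'
    is rejected: its suffix is '.com', whatever the earlier labels say.
    """
    return hostname(url).endswith(GOVERNMENT_SUFFIXES)


def classify(url: str) -> dict:
    """Answer both questions for one URL; the two fields are independent."""
    return {
        "host": hostname(url),
        "encrypted_transport": transport_encrypted(url),
        "government_suffix": on_government_suffix(url),
    }


# Constructed sample input: the census hosts named in the post, the HTTP-only
# site named in the post, and one lookalike host under example.com.
SAMPLE_URLS = [
    "https://census.gov/",
    "https://2020census.gov/",
    "https://my2020census.gov/",
    "http://scripting.com/",
    "https://census.gov.example.com/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(classify(sample))
```

The lookalike case is the one worth noticing: it scores exactly the same as the real census site on the "encrypted transport" question and fails only on the host check, which is why a padlock or "https://" is no basis for the "official website" claim.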

Update: It was possible to upload just about any file to fcc.gov as late as 2017, a capability which was predictably abused.