Skip to main content

State Department Invalid SSL Certificate

There's been some buzz recently about Hillary Clinton using a personal email server for official state business. The Wired piece is an interesting read:

http://www.wired.com/2015/03/clintons-email-server-vulnerable/

Probably the most surprising thing in the article for me is not about Hillary's email server at all. In discussing Hillary's invalid SSL certificate, the article casually mentions that the State Department uses a self-signed certificate, implying that their email could be compromised by a man-in-the-middle attack similar to what could target Hillary's email server. Here's a link that illustrates the invalid certificate:

https://www.state.gov/

At time of writing, the certificate belongs to Akamei, and not not to the State Department. The certificate was issued by Cybertrust and will expire in June 2015.

Does this imply that the State Department's email could be compromised? Probably not. It's unlikely they are using this certificate for their email servers - it's more likely that this is an unintentional misconfiguration of their CDN impacting only their public-facing website. That's a much smaller security issue than implied in the article.
Labels:

Comments

Post a Comment

Popular posts from this blog

ReactJS, NPM and Maven

I'm just starting to get into working with ReactJS, Facebook's open source rendering framework. My project uses SpringBoot for annotation-driven dependency injection and MVC. I thought it would be great if I could use a bit of ReactJS to enhance the application. If you're looking for a basic conceptual intro, I recommend ReactJS for Stupid People and of course the official documentation  is quite good. In full disclosure, I still have no idea how to do "flux" yet. As an experienced Java backend developer, I'm pretty decent at hacking Maven builds - which is precisely what this blog post is going to be about. First, a word about how React likes to be built. Like many front-end tools, there is a toolkit for the node package manager (NPM). From the command prompt, one might run npm install -g react-tools  which installs the jsx command. The  jsx  command provides the ability to transform JSX syntax into ordinary JavaScript, which is precisely what I want...
20 comments
Read more

Solved: Unable to Locate Spring Namespace Handler

I attempted to run a Spring WebMVC application, and when starting up the application complained that it didn't know how to handle the MVC namespace in my XML configuration. The project runs JDK 7 and Spring 4.0.6 using Maven as the build system. The following is my XML configuration file: <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans"        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"        xmlns:mvc="http://www.springframework.org/schema/mvc"        xsi:schemaLocation="         http://www.springframework.org/schema/beans         http://www.springframework.org/schema/beans/spring-beans.xsd         http://www.springframework.org/schema/mvc         http://www.springframework.org/schema/mvc/spring-mvc.xsd">          <mvc:annotation-driven/> ...
1 comment
Read more

Spark Cassandra Connector Tip

We're using Databricks as our provider for Spark execution, and we've been struggling to get the Spark Cassandra connector to work outside of the local development environment. The connector was attempting to connect to 127.0.0.1 even though we were passing the new host information into the getOrCreate(..) call. After working with Ganesh at Databricks support, we figured it out. The realization is that in Databricks, calls to getOrCreate() from a fat jar don't create a new SparkContext object. Thus, the configuration passed in gets ignored. If you want to update the Cassandra host information for the connector, you must update it after  the call to getOrCreate() instead. Add the configuration directly to the context and you'll be good to go!
Post a Comment
Read more