Skip to main content

State Department Invalid SSL Certificate

There's been some buzz recently about Hillary Clinton using a personal email server for official state business. The Wired piece is an interesting read:

http://www.wired.com/2015/03/clintons-email-server-vulnerable/

Probably the most surprising thing in the article for me is not about Hillary's email server at all. In discussing Hillary's invalid SSL certificate, the article casually mentions that the State Department uses a self-signed certificate, implying that their email could be compromised by a man-in-the-middle attack similar to what could target Hillary's email server. Here's a link that illustrates the invalid certificate:

https://www.state.gov/

At time of writing, the certificate belongs to Akamei, and not not to the State Department. The certificate was issued by Cybertrust and will expire in June 2015.

Does this imply that the State Department's email could be compromised? Probably not. It's unlikely they are using this certificate for their email servers - it's more likely that this is an unintentional misconfiguration of their CDN impacting only their public-facing website. That's a much smaller security issue than implied in the article.
Labels:

Comments

Post a Comment

Popular posts from this blog

ReactJS, NPM and Maven

I'm just starting to get into working with ReactJS, Facebook's open source rendering framework. My project uses SpringBoot for annotation-driven dependency injection and MVC. I thought it would be great if I could use a bit of ReactJS to enhance the application. If you're looking for a basic conceptual intro, I recommend ReactJS for Stupid People and of course the official documentation  is quite good. In full disclosure, I still have no idea how to do "flux" yet. As an experienced Java backend developer, I'm pretty decent at hacking Maven builds - which is precisely what this blog post is going to be about. First, a word about how React likes to be built. Like many front-end tools, there is a toolkit for the node package manager (NPM). From the command prompt, one might run npm install -g react-tools  which installs the jsx command. The  jsx  command provides the ability to transform JSX syntax into ordinary JavaScript, which is precisely what I want...
21 comments
Read more

Cryptic Facebook Message

Facebook OAuth2 is a feature I frequently integrate, but sometimes its error messages can be downright opaque. In particular I keep on forgetting to associate my Facebook account on applications where Sandbox Mode is enabled. The error message in this case is the following: Sorry, this feature isn't available right now: An error occurred while processing this request. Please try again later. This message is super cryptic, since what I usually need to do is to register my account as a tester or admin on the Facebook application page. If you get this error message here are the steps to fix it: As an application administrator, go to the OAuth2 configuration page for the application in Facebook. Add the Facebook account as an admin or tester on the "edit roles" screen. This will send an application request to that account. As the added account, accept the application request to become an admin or tester. At this point the Facebook login should work for the accou...
1 comment
Read more

Generating a Self-Signed SSL Certificate

I recently switched some web services to use SSL, and I was surprised that I couldn't find a good non-interactive script to generate the files needed for Jetty and other Java containers. After working my way through writing the script, I have decided to share my approach. This script generates a SSL subdirectory of whatever folder it lives in, and to that directory it adds a password file, certificate and a Java-friendly PKCS12 version of the certificate. And then I have my Maven build process copy the generated files into the base of my classes directory. The embedded Jetty instance needed an input stream of the PKCS12 file and the contents of the password file to create a SSL connector. Reading from the classpath can be a bit tricky - I should post about that later. From past experience, I think Nginx also requires the certificate file when configuring SSL.
Post a Comment
Read more