Fwd: [Cryptography] Shaming sites that send sensitive information over HTTP
---------- Forwarded message ----------
From: Jerry Leichter <leichter@lrw.com>
Date: Fri, Sep 19, 2014 at 12:03 PM
To: Cryptography <cryptography@metzdowd.com>

My favorite: The NSA's web site *redirects HTTPS to HTTP*. Some kind of back-handed acknowledgement of what they do?

http://httpshaming.tumblr.com
grarpamp <grarpamp@gmail.com> forwarded:
> My favorite: The NSA's web site *redirects HTTPS to HTTP*. Some kind of back-handed acknowledgement of what they do?

My guess is that it's politically-motivated, if you're the NSA would you want to buy your certs from a commercial CA, and if you're a commercial CA would you want to be known as the supplier of trusted certs to the NSA?

Peter.
On 9/19/2014 18:58, Peter Gutmann wrote:
> grarpamp <grarpamp@gmail.com> forwarded:
>> My favorite: The NSA's web site *redirects HTTPS to HTTP*. Some kind of back-handed acknowledgement of what they do?
> My guess is that it's politically-motivated, if you're the NSA would you want to buy your certs from a commercial CA, and if you're a commercial CA would you want to be known as the supplier of trusted certs to the NSA?
> Peter.
When I go to www.nsa.gov, I do not get a redirect to HTTP. HTTPS with a cert provided by GeoTrust is what I get.

--
staticsafe
https://staticsafe.ca
On 9/19/14, staticsafe <me@staticsafe.ca> wrote:
> ... When I go to www.nsa.gov, I do not get a redirect to HTTP. HTTPS with a cert provided by GeoTrust is what I get.
well, at least we know they're listening to customer feedback! ;) [this did indeed change in the interim period, due to server side configuration.]
participants (4)
- coderman
- grarpamp
- Peter Gutmann
- staticsafe