Aug 23 2013

Print this Post

untrusted dod certificate

Chris Williams over at El Reg posted a nice article about the kind of crypto best practice you need to follow if you care about privacy. The article questions the wisdom of using David Miranda as what Williams calls a “data mule” to carry physical electronic media (possibly) containing sensitive data through Heathrow and goes on to explain how all of that could have been avoided.

Williams explains the use of the free, open source, cryptographic toolset GPG and suggests that a “cautious” user is advised to:

“generate a Diffie-Hellman/DSS (or RSA if you’re paranoid) key pair that’s 4,096 bits in length, set to expire in one year (or less if you’re planning a short whistle-blowing career), using AES-256 as the encryption cipher and SHA-2-512 as the hash function.”

He points out that the AES-256 cypher is recommended in NSA’s own advice (warning – PDF) on the use of public crypto algorithms.

When following that link, I was delighted to discover that it leads to a server at CNSS which uses an untrusted SSL certificate. My browser (firefox) dutifully popped up the warning:

“Could not verify this certificate because the issuer is not trusted.”

(The site also insists that you allow cookies, but hey.)


Of course the certificate is not valid because it was generated for a server in a different domain (www.ioss.gov, not www.cnss.gov) and I am perfectly prepared to believe that this is simply administrative cockup, but the message that a US DoD site cannot be trusted is just wonderfully apt at the moment.

(As an aside, I too find it bizarre that Miranda should have apparently been carrying any “Snowden related” material through Heathrow. But since the Guardian has gone to the trouble, and expense of a) paying for Miranda’s trip, and b) paying for legal attempts to injunct HMG use of the material seized, I assume that to be the case. Now why Miranda should have agreed to that, or Greenwald permitted/encouraged him to do so is beyond me. I cannot imagine a scenario where I would be asking my wife to attempt to smuggle material which I knew would be of such immense interest to HMG. A discussion with my wife about this confirmed to me that my assumption about her likely reaction to such a request was correct. Her reply was short, and blunt.)

Permanent link to this article: http://baldric.net/2013/08/23/untrusted-dod-certificate/