Comments (147)
- amluto: This is kind of amazing. I'm suspicious that the site operator has absolutely no idea what they're doing.

  > DoD Cyber Exchange site is undergoing a TSSL Certification renewal

  I'm imagining someone searching around for a consulting or testing company that will help them get a personal TSSL Certification, whatever that is (a quick search suggests that it does not exist, as one would expect). And perhaps they have no idea what TLS is or how any modern WebPKI works, which is extra amazing, since cyber.mil is apparently a government PKI provider (see the top bar).

  Of course, the DoD realized that their whole web certificate system was incompatible with ordinary browsers and they wrote a memo (which you have to click past the certificate error to read): https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/pdf/uncl... saying that, through February 2024, unclassified DoD sites are permitted to use ordinary commercial CAs.

  If the DoD were remotely competent at this sort of thing, they would (a) have CAA records (because their written policy does nothing whatsoever to tell the CA/B-compliant CAs of the world not to issue .mil certificates), (b) run their own intermediate CA that had a signature from a root CA (or was even a root CA itself), and (c) use automatically-renewed short-lived certificates for the actual websites.

  cyber.mil currently uses IdenTrust, which claims to be DoD approved. They also, ahem, claim to support ACME:

  > In support of the broader CA community, IdenTrust—through HID and the acquisition of ZeroSSL—actively contributes to the development and maintenance of major open-source ACME clients, including Caddy Server and ACME.sh. These efforts help promote accessibility, interoperability, and automation in certificate management.

  Err... does that mean that they actually support ACME on their DoD-approved certificates or does that mean that they bought some companies that participate in the ACME ecosystem?

  (ACME is not amazing except in contrast to what came before and as an exercise in getting something reasonable deployed in a very stodgy ecosystem, but ACME plus a well-designed DNS-01 implementation plus CAA can be very secure.)

  The offending certificate is:

      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number:
                  40:01:95:b4:87:b3:a3:a9:12:e0:d7:21:f8:b3:91:61
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: C=US, O=IdenTrust, OU=TrustID Server, CN=TrustID Server CA O1
              Validity
                  Not Before: Mar 20 17:09:07 2025 GMT
                  Not After : Mar 20 17:08:07 2026 GMT
              Subject: C=US, ST=Maryland, L=Fort Meade, O=DEFENSE INFORMATION SYSTEMS AGENCY, CN=public.cyber.mil

  At least the site uses TLS 1.3.
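amluto's point (a) is that CAA records are the only thing that actually tells a CA whether it may issue for a name. As an added example, not code from the thread or from any CA, here is the decision a CA is required to make under RFC 8659: find the nearest CAA RRset walking up from the name, let issuewild override issue for wildcard requests only, refuse outright on a critical tag it does not understand, and otherwise issue only if a record names the CA. The zone contents, the names (example.mil, wild-ca.example, other-ca.example) and the function names are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// CAARecord is one CAA resource record (RFC 8659). Flags bit 7 (0x80) marks the
// property critical: a CA that does not understand a critical tag must not issue.
type CAARecord struct {
	Flags uint8
	Tag   string // "issue", "issuewild", "iodef", or a tag defined later
	Value string // issuer domain, optionally followed by ";param=value", or ";" alone (nobody may issue)
}

// Zone stands in for DNS: owner name -> CAA RRset. Constructed data, not real records.
type Zone map[string][]CAARecord

// SampleZone is constructed so that every branch of IssuanceAllowed is exercised.
func SampleZone() Zone {
	return Zone{
		"example.mil": {
			{Tag: "issue", Value: "identrust.com"},
			{Tag: "issuewild", Value: "wild-ca.example"},
			{Tag: "iodef", Value: "mailto:pki@example.mil"},
		},
		"locked.example.mil": {{Tag: "issue", Value: ";"}},                 // no CA at all
		"strict.example.mil": {{Flags: 0x80, Tag: "futuretag", Value: "x"}}, // critical, unknown
	}
}

// relevantSet implements RFC 8659 section 3: the CAA RRset of the name itself,
// else of its parent, and so on upward until one is found.
func relevantSet(z Zone, name string) (string, []CAARecord) {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	for i := range labels {
		owner := strings.Join(labels[i:], ".")
		if rrs := z[owner]; len(rrs) > 0 {
			return owner, rrs
		}
	}
	return "", nil
}

var knownTags = map[string]bool{"issue": true, "issuewild": true, "iodef": true}

// IssuanceAllowed is the check a CA runs before issuing for name (wildcard=true
// means a certificate for *.name). It returns the decision and a reason for the audit log.
func IssuanceAllowed(z Zone, name, caDomain string, wildcard bool) (bool, string) {
	owner, rrs := relevantSet(z, name)
	if rrs == nil {
		return true, "no CAA records at " + name + " or any parent: issuance unrestricted"
	}
	tag := "issue"
	for _, r := range rrs {
		if r.Flags&0x80 != 0 && !knownTags[r.Tag] {
			return false, fmt.Sprintf("critical unknown tag %q at %s: refuse", r.Tag, owner)
		}
		if wildcard && r.Tag == "issuewild" {
			tag = "issuewild" // issuewild takes precedence over issue, but only for wildcards
		}
	}
	var applicable []CAARecord
	for _, r := range rrs {
		if r.Tag == tag {
			applicable = append(applicable, r)
		}
	}
	if len(applicable) == 0 {
		return true, fmt.Sprintf("CAA at %s has no %s property: issuance unrestricted", owner, tag)
	}
	for _, r := range applicable {
		issuer := strings.TrimSpace(strings.SplitN(r.Value, ";", 2)[0]) // drop parameters
		if issuer != "" && strings.EqualFold(issuer, caDomain) {
			return true, fmt.Sprintf("%s authorised by %s record at %s", caDomain, tag, owner)
		}
	}
	return false, fmt.Sprintf("%s record(s) at %s do not name %s", tag, owner, caDomain)
}

func main() {
	z := SampleZone()
	for _, q := range []struct {
		name, ca string
		wild     bool
	}{
		{"www.example.mil", "identrust.com", false},
		{"www.example.mil", "other-ca.example", false},
		{"example.mil", "wild-ca.example", true},
		{"locked.example.mil", "identrust.com", false},
		{"strict.example.mil", "identrust.com", false},
		{"nocaa.example", "other-ca.example", false},
	} {
		ok, why := IssuanceAllowed(z, q.name, q.ca, q.wild)
		fmt.Printf("%-20s %-17s wildcard=%-5v -> %v (%s)\n", q.name, q.ca, q.wild, ok, why)
	}
}
```

The lookup climbs parents because a record at example.mil protects www.example.mil without a record of its own; the `issue ";"` form is how a zone says "nobody issues here", which is the cheap way to close the gap amluto describes for names that should never get a public certificate.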
- 0xbadcafebee:

  > Users on civilian network can continue downloads through the Advance tab in the error message.

  They are literally telling users to click through the browser errors about the bad cert. They don't mention that there is a very specific error they should be looking for (expired cert). This gives any MITMer the opportunity right now to replace downloaded executables with malware-laden ones using nothing more than a self-signed cert and a proxy. You can bet your boots China, NK, Iran, Russia are all having a good laugh. Biggest military in the world and they can't get a web server working.
- nik282000: TD bank, in Canada, has had their cert expire several times in the past 10 years. It blows me away that a bank can't afford to do for themselves what Certbot and Let's Encrypt do for me, for free. Like, pay a guy a whole week to automate this and it will save you the 12hrs losses every time your cert expires.
- petcat: Is there anything inherently insecure about an expired cert other than your browser just complaining about it?
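To make petcat's question concrete, and to show amluto's points (b) and (c) in one place, here is an added example that is not from the thread: with nothing but Go's standard crypto/x509 it mints a root CA, an intermediate signed by it, and a short-lived leaf, then runs the same path validation a browser does. A verifier does not just "complain" about an expired certificate; the chain is rejected outright, which is exactly why the only way to keep the site reachable is a monitor that renews well before NotAfter. The hostname, the CA names and the two-thirds renewal ratio are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a root CA, an intermediate CA signed by it, and a short-lived leaf.
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// BuildChain mints root -> intermediate -> leaf at time now. Only the leaf is
// short-lived (leafLifetime); the CAs live for years, as in a real deployment.
func BuildChain(now time.Time, leafLifetime time.Duration, host string) (*Chain, error) {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	ca := func(serial int64, cn string, years int) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.AddDate(years, 0, 0),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := ca(1, "Example Root CA", 10)
	root, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	intTmpl := ca(2, "Example Issuing CA", 5)
	intTmpl.MaxPathLen, intTmpl.MaxPathLenZero = 0, true // may sign leaves, not further CAs
	inter, err := sign(intTmpl, root, &intKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(leafLifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := sign(leafTmpl, inter, &leafKey.PublicKey, intKey)
	if err != nil {
		return nil, err
	}
	return &Chain{root, inter, leaf}, nil
}

// VerifyAt does what a browser does: build a path from the leaf to a trusted root,
// check the hostname, and check every certificate's validity at clock time t.
func (c *Chain) VerifyAt(t time.Time, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: t})
	return err
}

// IsExpiredError reports whether verification failed specifically on validity dates.
func IsExpiredError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// RenewalDue is the monitor that prevents the outage: renew once two thirds of the
// lifetime has elapsed (assumed ratio; certbot's default of renewing a 90-day
// certificate with 30 days left comes out the same).
func RenewalDue(cert *x509.Certificate, now time.Time) bool {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	return !now.Before(cert.NotBefore.Add(lifetime * 2 / 3))
}

func main() {
	now := time.Now()
	c, err := BuildChain(now, 90*24*time.Hour, "www.example.mil") // hostname is made up
	if err != nil {
		panic(err)
	}
	fmt.Println("today, verify error:   ", c.VerifyAt(now, "www.example.mil"))
	fmt.Println("day 61, renewal due?   ", RenewalDue(c.Leaf, now.Add(61*24*time.Hour)))
	err = c.VerifyAt(now.Add(91*24*time.Hour), "www.example.mil")
	fmt.Println("day 91, expired error? ", IsExpiredError(err), "-", err)
}
```

The point for petcat: nothing about the key material changes at NotAfter, but every conforming verifier stops trusting the certificate, so the operator's only options are renewal or telling users to bypass the check, and the bypass accepts any certificate, not just the expired one.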
- bilekas:

  > DoD Cyber Exchange site is undergoing a TSSL Certification renewal

  TSSL renewal does not cause downtime... If it's actually done, of course.
- yesod: So it looks like a new cert was issued back in February, but they've not deployed it yet (https://bgp.he.net/certs#_SearchTab?q=www.public.cyber.mil)
- kevincloudsec: Telling users on a cybersecurity website to click past certificate warnings is training them to do the exact thing every security awareness program says never to do. DISA runs the security standards that every defense contractor has to comply with...
- driftnet: Inexcusable, but I should clarify that cyber.mil and public.cyber.mil are actually different things. Most people downloading from the site are not using public.cyber.mil, so maybe they care less? This is still one of those highly-visible things that is going to bring down the heat quickly, so it's just dumb to let it happen.
- supermatt: Clearly this is some advanced cyber-warfare technique intended to cause adversaries' tools to fail with an "expired certificate" error...
- tuwtuwtuwtuw:

  > Users on civilian network can continue downloads through the Advance tab in the error message.

  Good stuff.
- jeroenhd: For some reason the warning icon is huge on my phone. Someone please verify that the exclamation point inside of the warning icon has always been gold and that this website's design hasn't fallen victim to Trump's dragon-like gold hoarding obsession.
- stephbook: iOS Safari. I see a yellow banner, the navigation bar, and the rest of the screen is just a warning sign image. Is there more..? Checked on Chrome too, I see nothing. iOS Chrome
- dmitrygr: So what? They keep shortening the validity length of these certificates, making them more and more of a pain to deal with.