Some websites, including one secured by the U.S. Department of Homeland Security, fail in their use of security certificates and break the chains of trust.
Security certificates are designed to authenticate hosts. Browsers have become pretty good about understanding chains of authorities, and making users accept the risk when websites can’t prove the chain of authorities needed to verify they are who they say they are.
Sites masquerading as legitimate sites, however, employ sad little tricks, such as “punycode”—URL links embedded in otherwise official-looking phishing emails. These tricks are malicious. There are also sites that should be well-administrated but are not.
Then there are sites, important sites, that botch their own security with certificates ostensibly granted by places such as the U.S. Department of Homeland Security (DHS).
My case in point is a website that explains the U.S. Safety Act. The Act speaks to the practice of offering legal liability protection for products or services that have been certified for anti-terrorism protection.
Any legitimate browser at the moment of this writing, will block you from that site and warn you that the chain of authorities needed to vet the site as protected by SSL/TLS does not exist. The site is untrusted.
As of this writing, this is the security certificate warning you receive when you go to the U.S. Safety Act website.
A quick trip to DigiCert’s SSL testing site currently reveals that the certificate isn’t signed by a trusted authority despite the fact that the rest of the certificate, which is managed by the DHS, is correct in its implementation.
I do not know if DHS or a contractor enabled the site. I do not know who wrote the site or negotiated its DNS listing. I do not know the authors of the site’s content.
I do know that if someone tested it, they should know instantly that there’s a trust problem with the site and to report it to the salient fixer of such a problem. And if it wasn’t tested, I would not be surprised.
I would be embarrassed to be a security researcher in a country that doesn’t automatically test the veracity of their security infrastructure so frequently that this would appear as a super-red flag.
And I would be embarrassed that after the first time I found this, three weeks ago, that it still wasn’t fixed today.
Is there anybody awake at the guardhouse?