2013-04-19

The White House is insecure!

The online version, anyway. If you attempt to visit https://www.whitehouse.gov/ (i.e. a secure web connection) and your browser is any good at all, it will warn you:

You attempted to reach www.whitehouse.gov, but instead you actually reached a server identifying itself as a248.e.akamai.net. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.whitehouse.gov.

Looks like the White House is using Akamai Edgesuite to handle their traffic - which must be substantial - but someone has misconfigured their Secure Sockets Layer (SSL) setup. The Akamai load-balancing server a248.e.akamai.net should normally know that the Internet address (IP) 69.22.158.X means that the user is trying to connect to www.whitehouse.gov, and therefore it should give the user a copy of the digital certificate showing that it is allowed to serve requests for www.whitehouse.gov; unfortunately, it doesn't yet seem to have that information.
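The name check behind that warning, as an added example that is not part of the original post. The certificate below is constructed in the shape Python's ssl.SSLSocket.getpeercert() returns. Only the name a248.e.akamai.net comes from the warning above; the wildcard entry *.cdn.example.net and the function names are hypothetical.

```python
# Added example: the hostname check a TLS client runs against the server certificate.
# EDGE_CERT is constructed for illustration, not captured from a real server.

def _name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with the requested host (RFC 6125 style)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label, never several
    if p_labels[1:] != h_labels[1:]:
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3  # refuse overly broad names such as *.net
    return p_labels[0] == h_labels[0]

def names_in_cert(cert: dict) -> list:
    """dNSName SAN entries; fall back to the subject CN only when no SAN exists."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_hostname(cert: dict, requested: str) -> tuple:
    """Return (matched, names_presented) for the host the user asked for."""
    names = names_in_cert(cert)
    return any(_name_matches(n, requested) for n in names), names

# Constructed certificate: what an edge server presents when it has no
# customer-specific certificate for the requested site.
EDGE_CERT = {
    "subject": ((("commonName", "a248.e.akamai.net"),),),
    "subjectAltName": (("DNS", "a248.e.akamai.net"), ("DNS", "*.cdn.example.net")),
}

if __name__ == "__main__":
    for host in ("www.whitehouse.gov", "a248.e.akamai.net", "img.cdn.example.net"):
        ok, names = check_hostname(EDGE_CERT, host)
        print(f"{host}: {'match' if ok else 'MISMATCH'} (certificate names: {names})")
```

The requested name fails because none of the names in the certificate cover it, which is exactly the condition the browser reports; the fix is a certificate on the edge server whose names include www.whitehouse.gov.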

While I'm here, I note that the White House is acutely aware how difficult people find it to spell President Obama's name correctly, as evidenced by the "keywords" list on the site's home page:

"President,Barack Obama,White House,United States of America,44th President,White House history,President Obama,Barck,Barek,Barak,Barrack,Barrak,Obma,Barack"

If the White House IT team is reading this blog - please fix this. Go talk to Akamai, they can tell you how to generate the right certificate with appropriate settings and get it installed on their servers. While you're listening, stop sticking UTF-8 encoded characters on your page when perfectly valid HTML entities exist.
