Can anyone get through to the USNO website?

General discussion and chat (archived)
ron_1
Moon Magic practitioner
Posts: 2407
Joined: 2012-06-28, 01:20

Can anyone get through to the USNO website?

Post by ron_1 » 2019-01-05, 23:02

I put this in general discussion because there is no way this can be a Pale Moon problem. For months, I cannot access the USNO website. I've tried in addition to Pale Moon, Basilisk, Firefox, and IE. None of them connect. In PM I get the message:

http://www.usno.navy.mil uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
(Error code: SEC_ERROR_UNKNOWN_ISSUER)

Can anyone get through to this site? I find it just shocking (should I?) that a government website doesn't know how to configure it properly. And please, don't bring politics into this, it is not due to the government shutdown, this problem has been going on (for me at least) for months.

coffeebreak
Moon Magic practitioner
Posts: 2607
Joined: 2015-09-26, 04:51
Location: U.S.

Re: Can anyone get through to the USNO website?

Post by coffeebreak » 2019-01-05, 23:37

Same here.

Qualys report.

Michaell
Fanatic
Posts: 151
Joined: 2018-05-26, 18:13

Re: Can anyone get through to the USNO website?

Post by Michaell » 2019-01-05, 23:41

Have you tried installing the additional needed DoD root certificate? I d/l'ed one of those certs a couple of months ago but no longer have it. That's about all I can recall. I don't remember how I found the certificate download link either. Best I can recall, the certificate installed but I still did not get whatever it was I was originally looking for. But a Microsoft Answers page says:
You can download the DoD Root Certificates from here:
http://citrixapps.hqda.pentagon.mil/
Whether that is the same one I used, I don't know. I do agree it seems strange that you have to take extra steps like this, but I'm sure it has something to do with extra security for military sites even if we don't understand it.
Win10home(1709), PM28.13port

ron_1
Moon Magic practitioner
Posts: 2407
Joined: 2012-06-28, 01:20

Re: Can anyone get through to the USNO website?

Post by ron_1 » 2019-01-05, 23:46

NotWorthKnowing wrote:
Have you tried installing the additional needed DoD root certificate?
Ironically, I get the same untrusted connection message from that link.

Moonchild
Pale Moon guru
Posts: 29313
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Can anyone get through to the USNO website?

Post by Moonchild » 2019-01-06, 00:34

helloimustbegoing wrote:
NotWorthKnowing wrote:
Have you tried installing the additional needed DoD root certificate?
Ironically, I get the same untrusted connection message from that link.
Funny, because that's an http link, not https.
(and for me it times out, probably because I'm not in the states...)
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss

Moonchild
Pale Moon guru
Posts: 29313
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Can anyone get through to the USNO website?

Post by Moonchild » 2019-01-06, 00:42

NotWorthKnowing wrote: I'm sure it has something to do with extra security for military sites even if we don't understand it.
Actually, all it has to do with is the fact that the root certificate is not part of major browsers' trust stores, and that the intermediate (issuing) certificate of the authority handing out the actual certificates isn't cross-signed with a root that is in the trust store.
Considering the DoD seems to think that adding the root cert to the chain presented to browsers will solve this, I think it has more to do with the DoD not understanding it than us not understanding it ;)
No, having a custom root does not, in any way, improve security.

ron_1
Moon Magic practitioner
Posts: 2407
Joined: 2012-06-28, 01:20

Re: Can anyone get through to the USNO website?

Post by ron_1 » 2019-01-06, 01:14

Moonchild wrote:
Funny, because that's an http link, not https.
Yeah, I noticed that. But when I click on it, it goes to https. Any reason why?

Michaell
Fanatic
Posts: 151
Joined: 2018-05-26, 18:13

Re: Can anyone get through to the USNO website?

Post by Michaell » 2019-01-06, 04:16

Probably because that link was posted in 2009, before everything began forcing https.

Moonchild
Pale Moon guru
Posts: 29313
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Can anyone get through to the USNO website?

Post by Moonchild » 2019-01-06, 13:55

NotWorthKnowing wrote: Probably because that link was posted in 2009, before everything began forcing https.
Well now as a result the DoD has a chicken-and-egg problem, then.
You need a root cert to access the site, but the root cert can only be downloaded from an https site which needs that very root cert.

Moonchild
Pale Moon guru
Posts: 29313
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Can anyone get through to the USNO website?

Post by Moonchild » 2019-01-06, 14:06

USNO
Info
Mail sent.

Site Administrator has been contacted.
A mail has now been sent to the site administrator regarding your questions and/or comments.
Let's hope they get to fixing it soon.

RJARRRPCGP
Lunatic
Posts: 391
Joined: 2015-06-22, 19:48
Location: USA (North Springfield, Vermont)

Re: Can anyone get through to the USNO website?

Post by RJARRRPCGP » 2019-01-06, 18:03

I noticed that you can get a cert error like that if you use a 32-bit browser on 64-bit Windows (IIRC). I did with 32-bit Firefox on Windows 7 64-bit.

Moonchild
Pale Moon guru
Posts: 29313
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Can anyone get through to the USNO website?

Post by Moonchild » 2019-01-06, 19:26

RJARRRPCGP wrote: I noticed that you can get a cert error like that, if you use a 32-bit browser on a 64-bit Windows.
Sorry, but that makes no sense whatsoever. Bitness has no influence on this.

RJARRRPCGP
Lunatic
Posts: 391
Joined: 2015-06-22, 19:48
Location: USA (North Springfield, Vermont)

Re: Can anyone get through to the USNO website?

Post by RJARRRPCGP » 2019-01-06, 19:47

Moonchild wrote:
RJARRRPCGP wrote: I noticed that you can get a cert error like that, if you use a 32-bit browser on a 64-bit Windows.
Sorry, but that makes no sense whatsoever. Bitness has no influence on this.
I had that issue. It looks like certain certificates simply can't be found with a 32-bit browser. I changed the browser to 64-bit and it's like there was never a certificate problem.
On Windows, it looks like the 64-bit version is missing stuff for 32-bit browsers. Why is that? Facepalm.....

badnick
Astronaut
Posts: 628
Joined: 2017-03-23, 19:56

Re: Can anyone get through to the USNO website?

Post by badnick » 2019-01-06, 20:26

You can if you add security exception!
Windows 10 pro /64 (version 1809)
PM last/64

ron_1
Moon Magic practitioner
Posts: 2407
Joined: 2012-06-28, 01:20

Re: Can anyone get through to the USNO website?

Post by ron_1 » 2019-01-06, 21:49

badnick wrote:
You can if you add security exception!
That's always the case. But they should fix the site. I don't want to take a chance connecting to a site the Chinese government might have hacked into.

badnick
Astronaut
Posts: 628
Joined: 2017-03-23, 19:56

Re: Can anyone get through to the USNO website?

Post by badnick » 2019-01-07, 05:22

helloimustbegoing wrote: I don't want to take a chance connecting to a site the Chinese government might have hacked into.
I don't think the Chinese government is concerned about this kind of public site :D
If I lived in the US I would be worried about that: https://www.wired.com/2012/03/ff-nsadatacenter/

hitokage
Moon lover
Posts: 95
Joined: 2014-05-03, 02:19
Location: Frederick, MD

Re: Can anyone get through to the USNO website?

Post by hitokage » 2019-01-14, 13:11

Moonchild wrote: Considering the DoD seems to think that adding the root cert to the chain presented to browsers will solve this, I think it has more to do with the DoD not understanding it than us not understanding it ;)
No, having a custom root does not, in any way, improve security.
Based on some of my previous work experience I think part of the reason is a holdover from the early days of the internet. Internal DoD computers have these certificates installed as part of their software image, and classified equipment wouldn't be able to verify the cross-signer on a certificate anyway.

Moonchild
Pale Moon guru
Posts: 29313
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Can anyone get through to the USNO website?

Post by Moonchild » 2019-01-14, 21:31

hitokage wrote: Internal DoD computers have these certificates installed as part of their software image
Oh it absolutely makes sense to have this set up the way they do for an internal infrastructure, but the problem is that part of their infra is accessible to the public, and needs a publicly verifiable certificate chain. Also, it won't help for web browsers that do not use a system store but use their own truststore (which is most of them, since relying on a system-provided truststore means vulnerability to malware manipulating a truststore outside of the browser).
hitokage wrote: classified equipment wouldn't be able to verify the cross-signer on a certificate anyway.
If you mean equipment on a non-public network segment, then yes you're correct, but that doesn't matter -- having the issuer cert cross-signed doesn't break the trust chain for what is already installed on the systems as part of the software image, as you said, so those certificates will happily remain accepted by proprietary software in use.
It does, however, provide a publicly verifiable trust chain to a different root that is accepted by browsers, which is required for public portals.

I've had a brief back-and-forth with the responsible person for USNO, explaining what needs to happen to fix this (there's actually 4 different ways this can be solved). Hopefully it'll be properly escalated and fixed soon.
The problem is that all DoD websites by policy have been migrated to https without having a publicly accepted cert issuance infrastructure in place, so it goes way beyond just USNO; it affects all DoD public websites.

hitokage
Moon lover
Posts: 95
Joined: 2014-05-03, 02:19
Location: Frederick, MD

Re: Can anyone get through to the USNO website?

Post by hitokage » 2019-01-16, 18:46

Moonchild wrote: since relying on a system-provided truststore means vulnerability to malware manipulating a truststore outside of the browser).
I did say it was a holdover from the early days of the internet, so mid '90s and Netscape Navigator version 2 and 3.
Moonchild wrote: having the issuer cert cross-signed doesn't break the trust chain for what is already installed on the systems as part of the software image
I think my thought process was going along the line that secure stuff couldn't contact and verify the cross-signer, so they would still be installing certificates. They may also be trying to keep as much to themselves as possible - even for publicly accessible websites. The U.S. DoD did create what became the internet - they may think they should be in the list of trusted CAs.
Moonchild wrote: it goes way beyond just USNO; it affects all DoD public websites.
It has been a problem for a really long time. I seem to recall this coming up before, but it was quite possibly on a different forum as it affects other browsers.

Moonchild
Pale Moon guru
Posts: 29313
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Can anyone get through to the USNO website?

Post by Moonchild » 2019-01-16, 23:57

hitokage wrote: they may think they should be in the list of trusted CAs.
Then they need to go through the proper channels and get themselves audited as a CA. It's not something that "just happens" or "is just accepted because of reputation or status".
The CA/B forum is a good start for that if they want to go that route. I think though that they might not want to do this as a CA audit requires them to disclose a lot of their internal operations which the DoD is likely not willing to do (since they are going to issue certs for their organization only and not be a public CA). That's why I suggested cross-signing to them: get an accepted issuer/trusted root to sign their intermediate cert and vouch for them as a CA on the public Internet.

In the meantime you can install the root certificates yourself. The USNO Public Affairs Officer indicated the following:
You may also wish to install the most recent U.S. Government Certificate
Authorities. Here's a link to a non-DoD website that can guide you through
the process:

<https://knowledge.digicert.com/solution/SO5198.html>.

Locked