<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Technology Liberation Front - Latest Comments in The CIA Solves a Non-Existent Problem</title><link>http://tlf.disqus.com/</link><description>The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.</description><language>en</language><lastBuildDate>Thu, 30 Nov 2006 11:23:38 -0000</lastBuildDate><item><title>Re: The CIA Solves a Non-Existent Problem</title><link>http://techliberation.com/2006/11/29/the-cia-solves-a-non-existent-problem/#comment-1448800</link><description>Yeah, I seriously doubt that field agents receive sensitive information from CIA.gov.  There are more secure, less obvious ways to disseminate information if the agent's computer can be counted on to run a client-side app (and obviously there are a lot of reasons why an agent would only use a secured agency computer for that sort of thing -- keyloggers and tampering with the certificate authorities being just two).&lt;br&gt;&lt;br&gt;I suspect this is born of the CIA being used as a pretext for some phishing scams.  This approach is pretty much all they can do about it: turn on SSL and issue a press release telling the public to look for the little lock in their browser whenever they think they're visiting cia.gov.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">tom</dc:creator><pubDate>Thu, 30 Nov 2006 11:23:38 -0000</pubDate></item><item><title>Re: The CIA Solves a Non-Existent Problem</title><link>http://techliberation.com/2006/11/29/the-cia-solves-a-non-existent-problem/#comment-1448802</link><description>But if an agent's Internet connection were under surveillance, just visiting the CIA's website regularly would be enough to arouse suspicion, wouldn't it? 
I would think it would make more sense to create a totally separate front site--a travel blog, say--and add SSL to that.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Tim Lee</dc:creator><pubDate>Thu, 30 Nov 2006 10:15:34 -0000</pubDate></item><item><title>Re: The CIA Solves a Non-Existent Problem</title><link>http://techliberation.com/2006/11/29/the-cia-solves-a-non-existent-problem/#comment-1448807</link><description>Chuck: That's a good point. I was thinking about a case where someone tricked a user into going to another domain purporting to be the CIA's website, such as &lt;a href="http://cia.com" rel="nofollow"&gt;cia.com&lt;/a&gt;. But I guess this does provide some protections against DNS hijacking.&lt;br&gt;&lt;br&gt;Also, if I hijacked your DNS to misdirect you to a bogus CIA website, couldn't I just opt not to wrap the connection in SSL at all? The user would, at a minimum, need to be looking for the little lock icon to verify that the connection was encrypted.&lt;br&gt;&lt;br&gt;In any event, it's not clear to me why anyone would want to hijack the CIA's website.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Tim Lee</dc:creator><pubDate>Thu, 30 Nov 2006 09:32:55 -0000</pubDate></item><item><title>Re: The CIA Solves a Non-Existent Problem</title><link>http://techliberation.com/2006/11/29/the-cia-solves-a-non-existent-problem/#comment-1448806</link><description>Also, if someone hijacks my provider's DNS server and resolves cia.gov to a different IP address, TLS/SSL will inform me of the signature mismatch, so you're wrong here as well.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chuck</dc:creator><pubDate>Thu, 30 Nov 2006 09:08:19 -0000</pubDate></item><item><title>Re: The CIA Solves a Non-Existent Problem</title><link>http://techliberation.com/2006/11/29/the-cia-solves-a-non-existent-problem/#comment-1448805</link><description>Also, if someone hijacks my DNS and resolves cia.gov to a 
different IP address, TLS/SSL will inform me of the signature mismatch, so you're wrong here as well.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chuck</dc:creator><pubDate>Thu, 30 Nov 2006 09:07:56 -0000</pubDate></item><item><title>Re: The CIA Solves a Non-Existent Problem</title><link>http://techliberation.com/2006/11/29/the-cia-solves-a-non-existent-problem/#comment-1448804</link><description>Thanks for the correction!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Tim</dc:creator><pubDate>Thu, 30 Nov 2006 08:10:12 -0000</pubDate></item><item><title>Re: The CIA Solves a Non-Existent Problem</title><link>http://techliberation.com/2006/11/29/the-cia-solves-a-non-existent-problem/#comment-1448799</link><description>Actually, an eavesdropper could only tell that you had an SSL connection open with a certain IP address. They could certainly trace the IP to the CIA, but they couldn't tell which URLs you were looking at (the bit of the HTTP request that requests the URL is encrypted within the SSL tunnel).&lt;br&gt;&lt;br&gt;So this does add a layer of 'Anonymity' that wasn't there before. Of course, the CIA can still tell what you're looking at :-)&lt;br&gt;&lt;br&gt;Still, it's an odd direction for the CIA to take.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Adam</dc:creator><pubDate>Thu, 30 Nov 2006 07:59:40 -0000</pubDate></item></channel></rss>