Even DHS Blindly Accepts Invalid SSL Certificates

Via Forbes:

On page 37, DHS instructs analysts to accept invalid SSL certificates forever without verification. Although invalid SSL warnings often appear in benign situations, they can also signal a man-in-the-middle attack. Not a good practice for the security conscience.

I think that’s grounds for termination by incompetence for whomever was behind that. DHS Phishing attack anyone? I’d expect better practices from a local library branch.

That said, it’s yet more proof that SSL as a form of identity verification just doesn’t work.

Mozilla Open Source Security

DHS helping to secure open-source software

CNet News is reporting that Homeland Security is sponsoring an effort to secure open source software. According to the article:

In the effort, which the government agency calls the “Vulnerability Discovery and Remediation, Open Source Hardening Project,” Stanford and Coverity will build and maintain a system that does daily scans of code contributed to popular open-source projects. The automated system should be running by March, and the resulting database of bugs will be accessible to developers, they said.

And yes Firefox is listed as one of the projects to be scanned. Thunderbird unfortunately isn’t listed, which personally I think would be a good candidate for this project considering mail clients have been used quite a bit as a point of entry. Since it shares common code with Firefox it still gets some benefit. It says the “resulting database” will be accessible, but I don’t know if that means they will file in bugzilla, or host their own database which developers need to visit and harvest from.

Personally I think this is great. Getting open source projects an audit like this will enhance security online, so end users will benefit. Hopefully things work out well, and they expand to cover more projects over time.

A criticism of the project is that this only funds finding bugs, rather than fixing them. This isn’t likely to be as large of a problem for Firefox as there are paid staff working on the project. Perhaps bounties will be put out by third parties? Who knows. Hopefully in the end, these products become better.