30

I often go to more obscure pages on NASA websites, and I have gotten used to running into an expired security certificate now and then. Over the last week, it started coming up a lot more, to the point I decided maybe I should tell them (rather than simply feel annoyed). But after a little looking around, I realized I had no idea how to direct that message within that giant organization to someone who could actually do something about it.

Is there a way for someone to get that message through to the right people?

Three recent examples:

(Someone else who checked the 2nd and 3rd address said they no longer get the warning, however I still do. The SSERVI site still shows that way for everyone.)

Update: The comment to contact the general address makes a good point in that if you do nothing else, you should do that. However, a lot of time could be saved by directing a message to the right people, and it seemed there could be a way to do that, if one knew a little more. That's why I posted at all, I thought someone might search later, find this, and get these notifications to the right place faster.

10
  • 23
    While I applaud your intentions, I must question how much you tried answering this question yourself before posting it here. Right at the bottom of https://www.nasa.gov I see a link "Contact NASA". Did you try that?
    – user
    Commented Mar 15, 2017 at 15:43
  • 4
    @MichaelKjörling I thought about it, and then thought it was unlikely to be seen by the right people. Actually, this got here after I asked about it on Space Exploration Meta, it didn't occur to me it is a security question until Rory answered it. And I did contact a couple of places, where it seemed like it would get to the right eyes.
    – kim holder
    Commented Mar 15, 2017 at 15:53
  • 5
    None of the links in the question show an expired certificate for me. The certificate provided by sservi.nasa.gov expires June 17, 2019, so it's not showing an expired certificate error "for everyone".
    Commented Mar 15, 2017 at 18:26
  • 10
    The problem isn't that the certificates are expired; it's that the browser doesn't seem to trust (e.g. know) the certificate authority. Which authorities your browser trusts depends on which operating system and which browser version you use. But even if the majority of browsers know a CA, if one of the big ones does not, then it's a problem a large institution such as NASA should take care of.
    Commented Mar 15, 2017 at 18:35
  • 13
    Essentially, the browsers by default do not trust the US Treasury PKI certificate authority. I would suspect with about 95% confidence that you will not have any success getting NASA to use any other CA for its certificates for what are largely intended to be internal sites. Whether you want to add that CA to your trusted store is up to you.
    – Tristan
    Commented Mar 15, 2017 at 21:49

5 Answers

47

In this case, the answer is (sort of) in the certs (which is not that uncommon):

openssl s_client -connect sservi.nasa.gov:443 | openssl x509 -text

<...snip...>
        Authority Information Access: 
            CA Issuers - URI:http://pki.treas.gov/noca_ee_aia.p7c
            CA Issuers - URI:ldap://lc.nasa.gov/ou=NASA%20Operational%20CA,ou=Certification%20Authorities,ou=NASA,o=U.S.%20Government,c=US?cACertificate;binary
            OCSP - URI:http://ocsp.treas.gov

The first link (minus the P7C file) provides a landing page, with a 'contact us': http://pki.treas.gov/contact_us.htm

Another tool (sometimes) worth checking into is whois - but the x509 authority information seems the more appropriate place to check.
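Added example, not part of the original answer: a small Python parser for the output shown above. It pulls the Authority Information Access URIs out of `openssl x509 -text` output, reduces the HTTP "CA Issuers" entries to the site root where a contact page is likely to live, and separates the "expired" case from the "untrusted issuer" case raised in the comments on the question. The sample text is constructed (only the three AIA lines come from the answer), and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: one line of `openssl s_client` session output followed by
# an excerpt of `openssl x509 -text`. Only the three AIA entries are from the answer.
SAMPLE = """\
    Verify return code: 20 (unable to get local issuer certificate)
        Authority Information Access:
            CA Issuers - URI:http://pki.treas.gov/noca_ee_aia.p7c
            CA Issuers - URI:ldap://lc.nasa.gov/ou=NASA%20Operational%20CA,ou=Certification%20Authorities,ou=NASA,o=U.S.%20Government,c=US?cACertificate;binary
            OCSP - URI:http://ocsp.treas.gov
        X509v3 Basic Constraints: critical
"""

# OpenSSL verify codes: 10 is expiry; 18-21 mean the chain does not reach a trusted root.
UNTRUSTED = {18, 19, 20, 21}

def classify_verify(text):
    """Return 'ok', 'expired', 'untrusted-issuer', 'other', or None if no verify line."""
    m = re.search(r"Verify return code:\s*(\d+)", text)
    if not m:
        return None
    code = int(m.group(1))
    if code == 0:
        return "ok"
    if code == 10:
        return "expired"
    return "untrusted-issuer" if code in UNTRUSTED else "other"

def parse_aia(text):
    """Return [(access method, URI)] from the Authority Information Access block."""
    entries, header_indent = [], None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            if line.strip().startswith("Authority Information Access"):
                header_indent = indent
            continue
        if not line.strip() or indent <= header_indent:
            break  # a blank line or the next extension header ends the block
        m = re.match(r"\s*(.+?) - URI:(\S+)", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def contact_starting_points(entries):
    """Site roots of HTTP(S) 'CA Issuers' URIs, i.e. the link minus the .p7c file."""
    roots = []
    for method, uri in entries:
        parts = urlsplit(uri)
        root = f"{parts.scheme}://{parts.netloc}/"
        if method == "CA Issuers" and parts.scheme in ("http", "https") and root not in roots:
            roots.append(root)
    return roots
```
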

16

Finding the "right people" can be tricky at the best of times. Is it the web developer? The server admins? The network admins? If the pages are obscure, they might be handled by obscure departments with their own structure.

There is no clear answer to this, and you just need to use best efforts. The NASA pages tend to list the owner of the page at the bottom. You might be able to use that to find a direct contact.

Otherwise, a general contact email or a general comment form can work. I've sent reports like the one you want to send to a general inbox for a large organization and it found its way to the right people.

If there isn't an explicit communication method, use the channel that's open.

10

NASA websites should have a Responsible NASA Official (RNO) listed on the home page for the site. That person probably won't be the webmaster for the site, but should know who to contact to have any issues with a site addressed. In the case of the sservi.nasa.gov, that person's name is listed at the bottom of the page and is Yvonne Pendleton. I won't list her email address here where it might be picked up by spam spiders, but you can visit the NASA Enterprise Directory (NED) and search on her name to find her contact information. The second website you listed also has the name of the RNO listed at the bottom of the homepage and his contact information is available via the NED. The third one doesn't list the RNO, but the RNO is Ruth K. Globus at the Ames Research Center (ARC) and her contact information is also in NED.

But as was pointed out by Tristan in a comment to the question, the issue is that the sites use a certificate issued by the U.S. Treasury as do many NASA sites. Since those are free for NASA websites whereas obtaining a certificate from a commercial source may entail a cost, if the site isn't widely accessed by the general public, then it may have a U.S. Treasury-issued certificate. Of course, if the RNO receives notifications from people outside of NASA that their browsers are reporting certificate issues, perhaps that might lead the RNO to have the webmaster obtain another certificate. It is also possible he or she may not even be aware it is an issue, since NASA personnel accessing the sites from their agency-provided systems at work won't see such warnings, since those systems will trust the U.S. Treasury as a certificate authority (CA).

5

You can also try emailing [email protected] [email protected] and if it is something bad [email protected]

They don't always work, but some services require configuring the last two (e.g. Google). Google also reads abuse mail to domains they host email for.

2
  • 2
    Source on Google reading abuse email sent to domains that are using G Suite?
    – Jake Lee
    Commented Mar 16, 2017 at 10:00
  • support.google.com/a/answer/178266?hl=en. It states: Google monitors these addresses for every domain registered with G Suite.
    Commented Mar 16, 2017 at 12:14

4

Ideally it should be as simple as sending them an email or in-site message if possible. Normally, a lookup of the domain via WHOIS should hopefully be enlightening, although that doesn't always work. One such tool for a WHOIS (and other information) lookup is network-tools.com (example link to results for sservi.nasa.gov); this shows the whois.arin.net registered information for contact info. When in doubt, most organizations should have a catch-all account, or at least forward accounts from users no longer actively employed, so someone responsible ought to receive such an email. With a larger organization such as NASA, finding someone from another department or team, yet within the same area of concern (e.g. IT, web, server ops), should be helpful in forwarding such information.

Beyond that, it's best to send them a reference link from a reputable third party source, showing the issue. I would recommend linking to scanned results of the site in question from the Qualys SSL Labs Server testing tool.

For example, here are the results for sservi.nasa.gov. An overall grade is assigned (A, B, C... etc.) with possible exceptions such as this case; a "T" for trusted certificate issues, which is regarded as a "failing" grade. This particular tool iterates all its requirements for ranking and will highlight any severe/critical needs.

[Image: Qualys SSL Labs scan result for sservi.nasa.gov]

If you're looking for a comparison, here's a comparatively strong score for google.com.

This particular tool is relatively well known in web and administration circles and should be a good reference for people who manage a site.
