4

For up to 4 weeks, the US Department of State's Office of Allowances web site has been using a security certificate whose chain of trust only goes to the State Dept's own CA, with no root CA. Browsers put up scary warnings.

aoprals.state.gov cert chain

I imagine tech journalists would put this on their front pages, but they haven't. Am I overly concerned, or should I be shouting louder about this? I don't know what the Office of Allowances does.

Update: thanks for the great explanations, deploying their own root cert internally makes sense for some purposes.

6
  • "Shouting louder" for what reason? Do you think there was a security breach? It sounds like an admin oversight, nothing more. And no, some stupid error of some unimportant office of who-knows-what is not a good topic for front pages.
    – deviantfan
    Commented Jul 30, 2018 at 21:35
  • 3
    Btw., apparently this office isn't even meant for the public, just for some government employees. They might have the CA installed => no problem at all.
    – deviantfan
    Commented Jul 30, 2018 at 21:38
  • 1
    Why close vote? Question about SSL certificate config seems perfectly on-topic. Commented Jul 30, 2018 at 21:46
  • It is a public web page, accessible via links from the state department home page. This office's page does appear to be anomalous; the other offices have pages served from www.state.gov with the GeoTrust signed cert, whereas this office has a page served from aoprals.state.gov. If this were a web page for my business I would want the nice green lock icon on every page.
    – hft
    Commented Jul 30, 2018 at 21:46
  • 4
    This is by design and not a security issue. Go check all DoD sites not intended for public consumption. They all use DoD's own root CA. This is because the US Government has its own security requirements that conflict with CA/B WebTrust requirements, hence their own PKI. If you want security, then you must acquire the proper root CAs and install them.
    – user71659
    Commented Jul 30, 2018 at 21:55

3 Answers

1

Am I overly concerned, or should I be shouting louder about this?

You don't have to shout...

As opposed to the statements made in the comments and other answers, it does not look to me like that page is only for employees. The page in question appears to be an informational page that is accessible to the public. For example, it can be accessed by starting from the www.state.gov homepage and mousing-over the "About" drop-down, then clicking the "Rule and Info Collection" link, then clicking the small "Bureau of Administration" link, and then clicking "Office of Allowances."

The other offices listed on the Bureau of Administration page appear to have their info sites served from www.state.gov (which has a cert signed by GeoTrust), whereas the Office of Allowances is served from aoprals.state.gov and the cert is not signed by a common trusted CA.

4

You should not be shouting about this at all, it's (probably) totally fine.

This does look a bit odd, possibly a misconfiguration, but it depends who the target audience of that web page is.

  • Option 1 "bad cert") This site is meant to be consumed by the general public and should have a publicly-trusted certificate.
  • Option 2 "should be firewalled") This site is meant to be consumed by members of that department and should probably be behind a firewall (ie not accessible to the internet)
  • Option 3 "working as intended") This site is meant to be consumed by members of other government departments, so is meant to be internet-facing, but only consumed by people with the government's root certs installed in their browsers. (ie they really don't care whether you trust their site or not because you are not the target audience).

A quick look at the web page looks like it's meant to be accessed by government employees abroad who work for various departments, which sounds a lot like Option 3 "working as intended":

The office compiles statistics of living costs abroad, quarters allowances, hardship differentials, and danger pay allowances and computes the established allowances to compensate U.S. Government civilian employees for costs and hardships related to assignments abroad.

2

Some browsers do not include the US FPKI or affiliates in their root trust stores. Mozilla, for example, has refused to add it to Firefox and has strict policies regarding the addition of certain government CAs. Still, some government websites use the FPKI, despite its lack of support. This is not a major problem, but it does mean that you will have to manually verify the fingerprint if you want to determine the authenticity of the website you are connecting to.

2
  • Interesting. Maybe I'm missing something, but why would citizens of another country want to trust a CA run by a nation-state? Does the US FPKI follow all the WebTrust and CAB rules? Commented Jul 31, 2018 at 11:48
  • @MikeOunsworth I don't know. You are likely trusting the Government of Hong Kong right now, but to know the exact reason, you'd have to look at the actual request said government made to be included into various browsers' trust stores. This link has some discussion.
    – forest
    Commented Aug 5, 2018 at 4:15
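An added example, not code from the question or any of the answers, that reproduces the situation described as Option 3 in the second answer and the manual fingerprint check from the third: it builds a constructed private root CA (the CA names and the hypothetical host intranet.example.internal are assumptions for this example), signs a leaf with it, and shows with openssl that the leaf verifies only against a trust store that contains that root. It assumes the openssl command-line tool (1.1.0 or newer) is installed.

```shell
#!/bin/sh
# Added example (not from the original question or answers). Builds a
# constructed private PKI: one "internal" root CA that signs a leaf cert for
# a hypothetical hostname, plus an unrelated root standing in for a browser's
# public trust store. Shows that the leaf only verifies once the private root
# is trusted, and prints the fingerprint a user would compare out of band.
set -e
WORK=$(mktemp -d)

new_root() {  # $1 = CN, $2 = output basename; self-signed root CA
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

make_private_pki() {
    new_root "Example Internal Root CA (constructed)" root
    new_root "Unrelated Public Root CA (constructed)" other_root
    # Leaf for a hypothetical internal host, signed by the private root only
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=intranet.example.internal" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Exit 0 if leaf.pem chains to a root in the given trust file, non-zero otherwise
verify_against() {
    openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of the leaf, as a browser's certificate viewer shows it
leaf_fingerprint() {
    openssl x509 -in "$WORK/leaf.pem" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

make_private_pki
if verify_against "$WORK/other_root.pem"; then
    echo "unexpected: leaf trusted without the private root"
else
    echo "leaf NOT trusted: store lacks the private root (the browser warning)"
fi
if verify_against "$WORK/root.pem"; then
    echo "leaf trusted once the private root is installed (Option 3)"
fi
echo "leaf SHA-256 fingerprint: $(leaf_fingerprint)"
```

The fingerprint printed last is the value a visitor without the root installed would have to compare against one obtained through a separate trusted channel.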
