
Linking to a NASA document as a reference in an answer or a question is at the moment complicated by the fact that they seem to have a bunch of expired security certificates for their websites. I think that makes this on topic here. The issue doesn't show up unless you try to access the sorts of documents that are deeper within the system. Here are two I just ran into:

[screenshot of the browser's certificate warning]

That one was for their Trajectory Browser page, a very useful tool.

[screenshot of the browser's certificate warning]

That one was for the Space Settlement Design Study table of contents, a classic document. I have also run into this over the last week for documents hosted at KSC, Johnson, and SSERVI.

I briefly started looking for the place to try to contact someone to alert them to this issue, but gave up after a few minutes. There must be a much more targeted way to contact them about this than the general emails and phone numbers I can find on the websites. I have a feeling I could spend a long time doing it that way and not get to the person who could really do something about this.

I used to look for an alternate source of the information I was after when I ran into this problem with NASA (I have run into the issue repeatedly over the last year). I wasn't sure if it might mean they had been hacked. The notice is pretty extreme, so I decided not to risk it.

Does anyone have a tip for how I might more quickly get to someone who can do something about this problem?

  • Not exactly a typical meta post, but your reasons for posting here are cogent.
    – called2voyage Mod
    Commented Mar 14, 2017 at 17:16
  • I just sent a message to the webmaster of the trajectory browser service, but that option is not available in many cases.
    – kim holder
    Commented Mar 14, 2017 at 17:20
  • Expired certificates confirmed. Also applies to sservi.nasa.gov
    Commented Mar 14, 2017 at 17:49
  • @Hohmannfan gee, look at that. The whole thing...
    – kim holder
    Commented Mar 14, 2017 at 18:12
  • @Hohmannfan since it was across the whole website, in their case, I called and left a voicemail with the Associate Director of Management. Now it occurs to me maybe I should have taken the opportunity to mention there are a bunch of NASA sites with the same problem.
    – kim holder
    Commented Mar 14, 2017 at 18:28
  • I'm not getting the same errors on those links. Do they appear to be fixed for you?
    – called2voyage Mod
    Commented Mar 15, 2017 at 15:11
  • @called2voyage Yeah, when I click them they still give the same warning. My browser remembers that I bypassed the warning page and takes me to them, but the address bar continues to note they aren't safe.
    – kim holder
    Commented Mar 15, 2017 at 15:15
  • @kimholder Strange, the only one I get it for is sservi.nasa.gov that Hohmannfan mentioned.
    – called2voyage Mod
    Commented Mar 15, 2017 at 15:21
  • @called2voyage yeah, I don't know what to think about that. I tried in Firefox instead of Chrome and it gives me the same warning. Is there such a thing as certificates for geographical areas? I'm going to try posting a question on Information Security.
    – kim holder
    Commented Mar 15, 2017 at 15:26
  • maybe a renewed certificate takes a while to work through the system?
    – kim holder
    Commented Mar 15, 2017 at 15:27
  • I'm voting to close this question as off-topic because it should be on Information Security
    – kim holder
    Commented Mar 15, 2017 at 15:45
  • @kimholder I say leave it. It is good to have this documented here.
    – called2voyage Mod
    Commented Mar 15, 2017 at 15:46
  • NASA outsources their IT and it is...problematic. Sounds like it didn't get any better since I left. arstechnica.com/science/2016/08/…
    Commented Mar 15, 2017 at 20:34

2 Answers


The usual process when wanting to report any security bug, vulnerability or other security-related issue is to contact security@xxxx, so in this case try [email protected]

This should be connected to the security team, who can respond or at least point the communication to the right team (certificate management, website management or whatever).

  • Thanks Rory. Look at that, it didn't occur to me to ask about this on the InfoSec stack, but a search for 'expired security certificate' didn't show a duplicate there. It's a pretty general question, but perhaps it deserves to be posted there.
    – kim holder
    Commented Mar 15, 2017 at 15:11
  • security.stackexchange.com/q/153961/142021 :P
    – kim holder
    Commented Mar 15, 2017 at 15:37
  • I was going to say you could just have it migrated over - then you'd have the stub here redirecting to a single instance rather than have dupes cross posted.
    – Rory Alsop Mod
    Commented Mar 15, 2017 at 15:42
  • oh... it didn't occur to me since it is meta...
    – kim holder
    Commented Mar 15, 2017 at 15:44
  • Alright, I just closed it as off-topic.
    – kim holder
    Commented Mar 15, 2017 at 15:46
  • @kimholder Not a mod anymore ;) You voted to close it off topic.
    – called2voyage Mod
    Commented Mar 15, 2017 at 15:47
  • @kimholder If the community agrees to close this, I will happily migrate it. Otherwise, I wouldn't worry too much about cross-site duplicates in this case.
    – called2voyage Mod
    Commented Mar 15, 2017 at 15:49
  • @called2voyage :P well, at the moment I deleted the other question... um, I guess I'll reverse that.
    – kim holder
    Commented Mar 15, 2017 at 15:50

I mentioned this as a comment over on the infosec page, but a huge number of NASA sites -- particularly the ones not directly under the control of the various PAOs -- are going to be signed by certificates derived from the NASA Operational Certificate Authority, which emanates from the US Treasury PKI CA, which is cross-certified by the Federal Common Policy CA.

Most browsers by default do not list any of these as a trusted CA, as most public-facing government websites are secured using a commercial CA that is broadly trusted. (Interestingly, there appears to be minimal commonality in various US government website certificate chains. www.nasa.gov uses USERTrust via Gandi, www.congress.gov and www.irs.gov use Entrust, www.ed.gov uses GeoTrust, www.whitehouse.gov uses VeriSign via Symantec.)

Since most of these sites are intended for internal consumption, most intended users will access them using agency- or contractor-issued computers, which have additional CAs added as part of the standard load.

Ultimately, it's up to you if you want to add those CAs to your trusted store, but I very much doubt you will have any luck getting NASA to change the PKI infrastructure that secures literally thousands of internal sites.

  • I will duly try to add that CA, although I have to admit it is easier to simply ignore the warning, now that I know why it is happening :P But it never occurred to me to think of those pages as internal sites - surely lots of students and such end up at places like the trajectory browser and the settlement study. And SSERVI is a big site.
    – kim holder
    Commented Mar 17, 2017 at 15:12
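The distinction the two answers turn on (a certificate whose validity window has actually passed versus one that chains to a CA the browser simply does not carry, which a stock browser reports with a similar-looking warning) can be reproduced offline. This is an added example, not code from the thread or from NASA: it uses Go's standard crypto/x509 to build a constructed agency CA (agency-ca.example) and a leaf for a hypothetical host (trajbrowser.example), then verifies that leaf against an empty trust store, a store that holds the CA, and after expiry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a cert for name; a self-signed CA when parent is nil.
func makeCert(name string, ca bool, notAfter time.Time, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	if parent == nil { // self-signed root: the trust anchor a client has to hold
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// classify runs a browser-style verification of leaf for host and names the outcome.
func classify(leaf *x509.Certificate, host string, roots *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if inv, ok := err.(x509.CertificateInvalidError); ok && inv.Reason == x509.Expired {
		return "expired" // validity window has passed: only renewal fixes this
	}
	if _, ok := err.(x509.UnknownAuthorityError); ok {
		return "untrusted-ca" // chain ends at a root the client's store lacks
	}
	if err != nil {
		return "other"
	}
	return "trusted"
}

// Scenarios: a constructed agency CA (not NASA's real PKI) and its leaf checked three ways.
func Scenarios() (stockBrowser, agencyStore, expiredCert string) {
	host, day := "trajbrowser.example", 24*time.Hour
	root, rkey := makeCert("agency-ca.example", true, time.Now().Add(365*day), nil, nil)
	leaf, _ := makeCert(host, false, time.Now().Add(day), root, rkey)
	old, _ := makeCert(host, false, time.Now().Add(-time.Minute), root, rkey)
	stock, agency := x509.NewCertPool(), x509.NewCertPool()
	agency.AddCert(root) // what the "standard load" on an agency machine adds
	return classify(leaf, host, stock), classify(leaf, host, agency), classify(old, host, agency)
}
```

Only the third case is fixed by the site operator renewing a certificate; the first is fixed either by the client importing the agency root, as the second answer describes, or by the site moving to a publicly trusted CA.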
