US government fails to secure its websites

GUARDIAN OF THE AMERICAN PEOPLE the Department of Homeland Security (DHS) is seemingly unable to set up a secure website correctly.

The website for the high profile cabinet department that is supposed to protect the US from terrorists and has a reported budget of $52 billion throws up errors when users try to access the secure site through the HTTPS protocol.

Browsers such as Firefox, Safari and Chrome issue warnings suggesting the site is not quite what it seems. The problem is down to the fact that while the certificate was issued for the official DHS domain name, the technological wunderkind in charge of matters forgot that hosting duties are actually farmed out to Akamai.

So when the content is loaded from Akamai's servers, which are not covered by the SSL certificate issued for the DHS domain, browsers rightly throw up a warning suggesting something dodgy is going on. While security warnings that the DHS website is some dodgy knock-off might be ironic, in the case of the State Department's website, it's of far greater concern.

That site is used by travellers all over the world applying for visas to enter the US. Not surprisingly, those applications require a great deal of personal information to be entered and such a warning is likely to scare users off.

In our unscientific tests we found other US government websites with the same problem, including The White House, Internal Revenue Service (IRS) and even the Federal Bureau of Investigation (FBI) all throwing SSL errors. However US citizens can rest easy as the Central Intelligence Agency (CIA) website has been done right.

Give the diagnosis is so simple, it beggars belief that such embarrassing mistakes can happen. It seems that the notion of palming off web hosting duties to a commercial entity blinded the bureaucrats in charge into forgetting the trifling matter of ensuring their security. µ