SSL Amusement
nevrast:~ trythil$ wget https://www.netc.navy.mil/naswf/tower/tower.cfm
--2009-04-13 14:18:19--  https://www.netc.navy.mil/naswf/tower/tower.cfm
Resolving www.netc.navy.mil... 206.37.214.144
Connecting to www.netc.navy.mil|206.37.214.144|:443... connected.
ERROR: cannot verify www.netc.navy.mil's certificate, issued by `/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-13':
  Unable to locally verify the issuer's authority.
To connect to www.netc.navy.mil insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
www.netc.navy.mil uses an SSL certificate signed by an issuer whose organization (“O”) is “U.S. Government” and whose organizational unit (“OU”) is “DoD”. That issuer isn’t in any widely distributed default list of “trusted” certificate authorities, and nothing in its certificate chain leads to an authority that is. The short version: there’s no way to automatically verify who owns the machine I connected to.
When faced with manual verification, humans generally accept an SSL certificate as valid. Sometimes this is because the user agent doesn’t provide enough information to perform manual validation (e.g. Mobile Internet Explorer, which won’t show you any SSL certificate information at all), but most of the time it’s just because people are lazy.
With a little DNS hijacking, anyone could present a certificate claiming to be “U.S. Government”, and just about everyone would accept it. What you could do with a hijacked site like this is left as an exercise for the reader. (One possibility: Federal and state tax deadlines are coming up.)
The amusing bit here (to me, anyway) is that this site gives users a reason to expect certificates signed by “U.S. Government”: a (supposedly) legitimate site run by part of the real United States government (the Navy) uses one. Without such sites it’d be a lot easier to immediately dismiss such certificates as bogus.
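To make the trust decision wget made above concrete, here is a simplified model of it (added example, not code from the original post). Each certificate is reduced to its subject and issuer DN, the chain is walked from the leaf until a locally trusted issuer is reached, and the three cases covered are the failure wget reported, the same chain after the DoD root has been installed locally, and a chain that merely claims to be “U.S. Government”. Every DN other than the “DOD CA-13” issuer from the wget output is a constructed placeholder, and real validation additionally checks signatures, validity periods, hostnames and revocation, which this model omits.

```python
# Simplified model of chain validation against a local trust store.
# Certificates carry only subject and issuer DNs; there are no keys or
# signatures here, so this covers only the "is there a locally trusted
# issuer in the chain" step of what wget does.

DOD_CA13 = "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-13"  # from the wget output
DOD_ROOT = "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=EXAMPLE DoD Root"  # constructed placeholder

# The chain as a server would present it: leaf plus intermediate, root omitted.
NAVY_CHAIN = [
    {"subject": "/CN=www.netc.navy.mil", "issuer": DOD_CA13},  # leaf (constructed DN)
    {"subject": DOD_CA13, "issuer": DOD_ROOT},                   # intermediate CA
]

# A chain whose names merely claim to be "U.S. Government" (constructed).
BOGUS_CA = "/C=US/O=U.S. Government/CN=EXAMPLE Bogus CA"
BOGUS_CHAIN = [
    {"subject": "/CN=www.netc.navy.mil", "issuer": BOGUS_CA},
    {"subject": BOGUS_CA, "issuer": BOGUS_CA},                   # self-signed root
]

# A browser-style default store: a constructed public root only, no DoD CA.
PUBLIC_STORE = {"/C=US/O=Example Public CA/CN=EXAMPLE Public Root"}


def verify_chain(chain, trust_store):
    """Walk from the leaf towards a trust anchor by matching each issuer DN
    to a subject DN in the chain. Returns (ok, reason); the reasons mirror
    wget's messages. Raises ValueError on an empty chain."""
    if not chain:
        raise ValueError("empty certificate chain")
    by_subject = {cert["subject"]: cert for cert in chain}
    cert = chain[0]
    for _ in range(len(chain)):                # a walk can take at most one step per cert
        issuer = cert["issuer"]
        if issuer in trust_store:
            return True, "issuer %s is a locally trusted authority" % issuer
        if issuer == cert["subject"]:          # self-signed and not trusted: dead end
            return False, "self-signed %s is not in the local trust store" % issuer
        if issuer not in by_subject:           # chain stops short of any anchor
            return False, "unable to locally verify the issuer's authority (%s)" % issuer
        cert = by_subject[issuer]
    return False, "no trust anchor reached"


if __name__ == "__main__":
    print(verify_chain(NAVY_CHAIN, PUBLIC_STORE))               # what wget saw
    print(verify_chain(NAVY_CHAIN, PUBLIC_STORE | {DOD_ROOT}))  # DoD root installed locally
    print(verify_chain(BOGUS_CHAIN, PUBLIC_STORE | {DOD_ROOT})) # the O= string earns nothing
```

The wget equivalent of the second case is `--ca-certificate=FILE` pointing at the DoD root certificate, obtained out of band, rather than `--no-check-certificate`; the third case shows why the organization name by itself should never sway a manual check.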