Hacker News
by 0xbadcafebee 89 days ago
> Users on civilian network can continue downloads through the Advance tab in the error message.

They are literally telling users to click through the browser errors about the bad cert. They don't mention that there is a very specific error they should be looking for (expired cert). This gives any MITMer the opportunity right now to replace downloaded executables with malware-laden ones using nothing more than a self-signed cert and a proxy. You can bet your boots China, NK, Iran, Russia are all having a good laugh. Biggest military in the world and they can't get a web server working.

1 comment

Oh wow, they really are telling people to bypass the cert warning! It's a shame that the average layperson won't understand how breathtakingly stupid this is, because more people need to be paying attention to the staggering incompetence of the US military under this administration.

Honestly this isn't even the first time this kind of advice has been given to non-DoD users needing to access a DoD service over commercial means.

The Navy a few years back were experimenting with letting users check basic HR things in their service record (e.g. to request days off) and despite the leadership's stated intent being for Sailors to be able to do this on their actual personal mobile devices, the IT people duly signed all the relevant server certs under the DoD PKI "because policy forces us to", and then cooked up user training guides that patiently explained to Sailors how to bypass security warnings in their browser.

So if nothing else at least there's experience to go by here, ha.