by DeepDuh 4863 days ago
I'd say E-Mail signatures. Officials should get a big fat warning sign for E-Mails that contain either no signature or a signature issued by an untrusted party. The private keys to sign mails would also have to be encrypted in a way that infected systems could still not send signed E-Mails. I'm thinking a hardened USB stick with some kind of biometric scanner as the only place to store the key. You'd send a blob of data to that appliance, it waits for your authentication and then it sends the signed version back to the E-Mail client.
3 comments

That is indeed a good point. However it won't prevent the ideas of hijacking little league sites that your employees may visit which would be maintained by one web designer one day a year, on that employee's home computer, which then goes on to use it as a vector to attack the company.

Yeah. Technology to hack someone is getting better by the minute.

What's really sad about this is that many government resources have certificates that the browsers available to their users (i.e., IE 6/7/8) don't trust, so the users are conditioned to blow through the clearest warnings they will ever get.

E.g., here's the DoD global phone book (in case I want to email somebody). Server requires CAC token from the client, but the client's browser doesn't trust the server!

https://dod411.chamb.disa.mil/

I don't even know what to call this level of broken, Chomsky-esque?

Just install the goddamn DoD root certificates and the client browser will work just fine.

I've used approximately zero DoD computers since 2005 that had the SSL CA chain misconfigured for use on DoD websites. It's really not that hard, even my Linux box here works fine.

Are you on NMCI? Because I have used approximately zero DoD computers since 1994 that had the SSL CA chain configured properly on delivery.

In my humble experience, installing DoD roots is a journey: there are at least a few dozen and they are constantly being retired and superseded. Meanwhile, to get the DoD root certs, one has to trust A) DNS B) whoever is in charge of access control to the cert servers. Clearly, access control is a major problem for the DoD, that's the whole problem to begin with.

Yes, NMCI.

But like I said, it works on my home computer too. Google for DISA InstallRoot (or try going here and running through the steps: http://iase.disa.mil/pki-pke/getting_started/index.html).

It is true that they go through the intermediate CAs fairly quickly, but the actual root is still at CA-2 from what I can tell.

DNS security is certainly a concern, but not the kind of concern that leads to SSL warning popups unless there's something else screwy going on. But then maybe Chrome is seeing screwy stuff that MSIE doesn't know to check for...

For DoD it's already a requirement that any emails with URLs or other "clickable links" are digitally signed (possibly this is true for attachments too, I'm not sure).

However this is a policy which is not computer-enforced, which means of course that it's fairly useless in practice.
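
Added example, not part of the thread or any DoD tooling: a sketch of how a mail gateway could enforce the "links require a digital signature" rule mentioned in the last comment. It assumes S/MIME detached signatures (`multipart/signed`), checks structure only without verifying the signature or its certificate chain, and all function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)
SIG_PROTOCOLS = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def is_smime_signed(msg: Message) -> bool:
    """Structural check only: the signature is NOT verified here."""
    if msg.get_content_type() != "multipart/signed":
        return False
    return str(msg.get_param("protocol", "")).lower() in SIG_PROTOCOLS

def find_urls(msg: Message) -> list:
    """Collect URLs from every text/* part, including HTML href values."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        urls += URL_RE.findall(body.decode("utf-8", errors="replace"))
    return urls

def check_policy(raw: str) -> str:
    """Return 'quarantine' for a message with links but no signature."""
    msg = message_from_string(raw)
    if find_urls(msg) and not is_smime_signed(msg):
        return "quarantine"
    return "accept"

# Constructed sample messages (not real traffic).
BODY = "Please review https://portal.example.org/login today.\n"
UNSIGNED_WITH_URL = (
    "From: a@example.org\nTo: b@example.org\nSubject: update\n"
    "Content-Type: text/plain; charset=utf-8\n\n" + BODY)
UNSIGNED_NO_URL = UNSIGNED_WITH_URL.replace(BODY, "Lunch at noon?\n")
SIGNED_WITH_URL = (
    "From: a@example.org\nTo: b@example.org\nSubject: update\n"
    'Content-Type: multipart/signed; micalg=sha-256; boundary="b1";\n'
    ' protocol="application/pkcs7-signature"\n\n'
    "--b1\nContent-Type: text/plain; charset=utf-8\n\n" + BODY +
    "--b1\nContent-Type: application/pkcs7-signature\n"
    "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n")  # dummy signature

if __name__ == "__main__":
    for name in ("UNSIGNED_WITH_URL", "UNSIGNED_NO_URL", "SIGNED_WITH_URL"):
        print(name, "->", check_policy(globals()[name]))
```

A real gateway would follow the structural check with cryptographic verification of the signature against the trusted root set before accepting the message.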