2019-12-06-Google-Search-Is-Broken EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 August 22, 2008 M-08-23 MEMORANDUM FOR CHIEF INFORMATION OFFICERS FROM: Karen Evans, Administrator, Office of E-Government and Information Technology SUBJECT: Securing the Federal Government’s Domain Name System Infrastructure (Submission of Draft Agency Plans Due by September 5, 2008) The efficient and effective use of our networks is important to promote a more citizen centered and results oriented government. The Government’s reliance on the Internet to disseminate and provide access to information has increased significantly over the years, as have the risks associated with potential unauthorized use, compromise, and loss of the .gov domain space. Almost every instance of network communication begins with a request to the Domain Name System (DNS) to resolve a human readable name for a network resource (e.g., www.usa.gov) into the technical information (e.g., Internet Protocol address) necessary to actually access the remote resource. This memorandum describes existing and new policies for deploying Domain Name System Security (DNSSEC) to all Federal information systems by December 2009. DNSSEC provides cryptographic protections to DNS communication exchanges, thereby removing threats of DNS-based attacks and improving the overall integrity and authenticity of information processed over the Internet. … Recaps from M-15-13, June 8, 2016: • Agencies must make all existing websites and services accessible through a secure connection(15) (HTTPS-only, with HSTS) by December 31, 2016. The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data. The majority of Federal websites use HTTP as the primary protocol to communicate over the public internet. Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services. Data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information. COMMENT: From the above we can see that the U.S. Government along with Google, and most of the world have abandoned HTTP for HTTPS. I believe most, if not all of the security problems with HTTP do not come from HTTP but from the Domain Name Service (DNS) which looks up the domain name and returns the IP address so the connection can be made. The DNS can be considered to be a phone book for the internet. With phones being landlines, Plain Old Telephone Service (POTS), the phone companies made phone books so their service could be used. With cell phones, there are no phone books. One has to gather the numbers they need and put them into their own phone book. The new thing is DoH (DNS over HTTPS) which is supposed to secure DNS. When Google, or some other entity decides to shut down the internet, all they have to do is turn off DNS and all of the domain names will go nowhere! Using HTTP with an IP address (http://xxx.xxx.xxx.xxx/ where xxx is a number between 0 - 255) will still work because IP addresses are basically hard wired! I have never used a domain name on any of my websites. https://www.ietf.org/rfc/rfc3986.txt Uniform Resource Identifier (URI) https://www.ietforg/rfc/rfc3987.txt Internationalized Resource Identifiers (IRIs) IPv4 address = dec-octet “.” dec-octet “.” dec-octet “.” dec-octet rfc3986-3.2.2 Host (Page 17) The host subcomponent of authority is identified by: an IP literal encapsulated within square brackets, an IPv4 address, or a registered name. From: TCP/IP Network Administration by Craig Hunt, C 1992, O’Reilly & Associates, Inc., (First Edition: 08/1992, Minor corrections: 03/1993, 09/1993, 01/1994, 05/1994) ISBN: 0-937175-82-X, pages 51-52. Every network interface attached to a TCP/IP network is identified by a unique 32-bit IP address. A name (called a host name) can be assigned to any device that has an IP address. Names are assigned to devices because, compared to numeric Internet addresses, names are easier to remember and type correctly. The network software doesn’t require names, but they do make it easier to use the network. In most cases, host names and numeric addresses can be used interchangeably. A user wishing to telnet to the workstation at IP address 128.66.12.2 can enter: % telnet 128.66.12.2 or use the host name associated with that address and enter the equivalent command: % telnet peanut.nuts.com (page xix: %, # When we demonstrate commands that you would give interactively, we normally use the default C shell prompt (%). If the command must be executed as root, we use the default superuser prompt (#). Because the examples may include multiple systems on a network, the prompt may be preceded by the name of the system on which the command was given.) Whether a command is entered with an address or a host name, the network connection always takes place based on the IP address. The system converts the host name to an address before the network connection is made. … For translating names into addresses, the newer technique uses a distributed database system called Domain Name Service (DNS) to translate names to addresses. Back in 2005 I made a test website with only an IP address. At that time, I would see the GoogleBot in my logs about every week and a half. In the many months that I ran the website, I only saw the MicrosoftBot twice. In less than a month, I had a call from a guy in Ohio. He had typed “missile base” into Google Search and my site was the first one that popped up! I had done nothing to let anyone know that my site existed. In the 1960s to early 1970s Green River, Utah, USA was the “Green River Launch Complex for the White Sands, New Mexico, Missile Base.” http://162.250.19.7/ac0xl/www/2005-museumarchives/ For over four months I have been running another website, using a Raspberry Pi 3B connected to a 1TB hard disk drive with no microSD card, http://162.250.19.7/. In all of this time, I have never seen the GoogleBot in my logs! I also have done Google Searches for “ac0xl,” my ham radio call sign, and only see results from several years ago! I have never used www.kkbox.com so those entries belong to someone else. https://www.sitemaps.org/index.html is a new (2008, 2016) program search engines (Google) are using to list what is on the Internet. With a 1Gb (one giga-bit) connection all of the IPv4 addresses can be accessed in 45 minutes. With a 10Gb (10 giga-bit) connection that time can be reduced to 4.5 minutes! Google Search’s Artificial Intelligence (AI) is VAPORWARE! It is actually thousands of people from the Anti-Defamation League (ADL) and the Southern Poverty Law Center (SPLC) (https://www.splcenter.org/), manually processing sites for Hate and Extremism groups, extremist organizations, social justice, political correctness, and hate speech. They basically are processing a static database, because they can not keep up with the amount of changes the GoogleBot puts into the database. The search organizations have turned off their web crawlers and are relying on others to do the job. I found it very interesting that the ADL and SPLC want to take control of Google, FaceBook, Twitter, YouTube, and other social sites and employ more of their people to ban all of the users they don’t like! Their actions sounded a lot like those of Hunter Biden’s actions against the woman who bore his love child! John 10:10 The thief comes only in order to steal, kill, and destroy; I have come so that they may have life, life in its fullest measure. (Complete Jewish Bible). * EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 June 8, 2015 M-15-13 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES FROM: Tony Scott, Federal Chief Information Officer SUBJECT: Policy to Require Secure Connections across Federal Websites and Web Services This Memorandum requires that all publicly accessible Federal websites and web services (1) only provide service through a secure connection. The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS). This Memorandum expands upon the material in prior Office of Management and Budget (OMB) guidance found in M-05-04 (2) and relates to material in M-08-23 (3). It provides guidance to agencies for making the transition to HTTPS and a deadline by which agencies must be in compliance. Background The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data. The majority of Federal websites use HTTP as the primary protocol to communicate over the public internet. Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services. Data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information. (1) Publicly-accessible websites and services are defined here as online resources and services available over HTTP or HTTPS over the public internet that are maintained in whole or in part by the Federal Government and operated by an agency, contractor, or other organization on behalf of the agency. They present government information or provide services to the public or a specific user group and support the performance of an agency's mission. This definition includes all web interactions, whether a visitor is logged-in or anonymous. (2) https://www.whitehouse.gov/sites/default/files/omb/memoranda/fv2005/m05-04.pdf "Policies for Federal Agency Public Websites" (3)https://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf "Securing the Federal Government's Domain Name System Infrastructure." Page -1- To address these concerns, many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of Federal websites and services deserve the same protection. Private and secure connections are becoming the Internet's baseline, as expressed by the policies of the Internet's standards bodies (4), popular web browsers, and the Internet community of practice. The Federal government must adapt to this changing landscape, and benefits by beginning the conversion now. Proactive investment at the Federal level will support faster internet-wide adoption and promote better privacy standards for the entire browsing public. All browsing activity should be considered private and sensitive. An HTTPS-Only standard will eliminate inconsistent, subjective determinations across agencies regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide. Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and may reduce their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. An HTTPS-only mandate will provide the public with a consistent, private browsing experience and position the Federal Government as a leader in Internet security. What HTTPS Does HTTPS verifies the identity of a website or web service for a connecting client, and encrypts nearly all information sent between the website or service and the user. Protected information includes cookies, user agent details, URL paths, form submissions, and query string parameters. HTTPS is designed to prevent this information from being read or changed while in transit. HTTPS is a combination of HTTP and Transport Layer Security (TLS). TLS is a network protocol that establishes an encrypted connection to an authenticated peer over an untrusted network. Browsers and other HTTPS clients are configured to trust a set of certificate authorities (5) that can issue cryptographically signed certificates on behalf of web service owners. These certificates communicate to the client that the web service host demonstrated ownership of the domain to the certificate authority at the time of certificate issuance. This prevents unknown or untrusted websites from masquerading as a Federal website or service. (4) https://w3ctag.github.io/web-https "The World Wide Web Consortium (W3C)" https://www.internetsociety.org/news/internet-society-commends-internet-architecture-board-recommendation-encryption-defauIt "Internet Society" (5) In the context of HTTPS on the web, a certificate authority is a third party organization or company trusted by browsers and operating systems to issue digital certificates on behalf of domain owners. Page -2- What HTTPS Doesn't Do HTTPS has several important limitations. IP addresses and destination domain names are not encrypted during communication. Even encrypted traffic can reveal some information indirectly, such as time spent on site, or the size of requested resources or submitted information. HTTPS-only guarantees the integrity of the connection between two systems, not the systems themselves. It is not designed to protect a web server from being hacked or compromised, or to prevent the web service from exposing user information during its normal operation. Similarly, if a user's system is compromised by an attacker, that system can be altered so that its future HTTPS connections are under the attacker's control. The guarantees of HTTPS may also be weakened or eliminated by compromised or malicious certificate authorities. Challenges and Considerations Site Performance: While encryption adds some computational overhead, modern software and hardware can handle this overhead without substantial deleterious impact on server performance or latency (6). Websites with content delivery networks or server software that supports the SPDY or HTTP/2 protocols, which require HTTPS in some major browsers, may find their site performance substantially improved as a result of migrating to HTTPS. Server Name Indication: The Server Name Indication extension to TLS allows for more efficient use of IP addresses when serving multiple domains. However, these technologies are not supported by some legacy clients. (7) Web service owners should evaluate the feasibility of using this technology to improve performance and efficiency. Mixed Content (8): Websites served over HTTPS need to ensure that all external resources (images, scripts, fonts, iframes, etc.) are also loaded over a secure connection. Modern browsers will refuse to load many insecure resources referenced from within a secure website. When migrating existing websites, this can involve a combination of automated and manual effort to update, replace, or remove references to insecure resources. For some websites, this can be the most time consuming aspect of the migration process. APIs and Services (9): Web services that serve primarily non-browser clients, such as web APIs, may require a more gradual and hands-on migration strategy, as not all clients can be expected to be configured for HTTPS connections or to successfully follow redirects. Planning for Change: Protocols and web standards improve regularly, and security vulnerabilities can emerge that require prompt attention. Federal websites and services should deploy HTTPS in a manner that allows for rapid updates to certificates, cipher choices. (6) https://istlsfastyet.com/ (7) https://https.cio.gov/sni “Server Name Identification" (8) https://https.cio.gov/mixed-content “Mixed Content" (9) https://https.cio.gov/apis “Migrating APIs" Page -3- (including forward secrecy(10) ) protocol versions, and other configuration elements. Agencies should monitor https://https.cio.gov and other public resources(11) to keep apprised of current best practices. Strict Transport Security: Websites and services available over HTTPS must enable HTTP Strict Transport Security (HSTS) (12) to instruct compliant browsers to assume HTTPS going forward. This reduces the number of insecure redirects, and protects users against attacks that attempt to downgrade connections to plain HTTP. Once HSTS is in place, domains can be submitted to a "preload list"(13) used by all major browsers to ensure the HSTS policy is in effect at all times. Domain Name System Security (DNSSEC): The new policy outlined in this Memorandum does not rescind or conflict with M-08-23, "Securing the Federal Government's Domain Name System Infrastructure."(14) Once DNS resolution is complete, DNSSEC does not ensure the privacy or integrity of communication between a client and the destination IP. HTTPS provides this additional security. Cost Effective Implementation Implementing an HTTPS-only standard does not come without a cost. A significant number of Federal websites have already deployed HTTPS. The goal of this policy is to increase that adoption. The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time. The development burden will vary substantially based on the size and technical infrastructure of a site. The compliance timeline, outlined in this Memorandum, provides sufficient flexibility for project planning and resource alignment. OMB affirms that tangible benefits to the American public outweigh the cost to the taxpayer. Even a small number of unofficial or malicious websites claiming to be Federal services, or a small amount of eavesdropping on communication with official U.S. government sites could result in substantial losses to citizens. Technical assistance provided at https://HTTPS.cio.gov/ will aid in the cost-effective implementation of this policy. (10) https://https.cio.gov/technical-concepts/#forward-secrecy "Forward Secrecy" (11) https://https.cio.gov/resources "Resources" (12) https://https.cio.gov/hsts "Strict Transport Security" (13) https://hstspreload.appspot.com/ (14)https://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf "Securing the Federal Government's Domain Name System Infrastructure." Page -4- Guidelines In order to promote the efficient and effective deployment of HTTPS, the timeframe for compliance, outlined below, is both reasonable and practical. This Memorandum requires that Federal agencies deploy HTTPS on their domains using the following guidelines. • Newly developed websites and services at all Federal agency domains or subdomains must adhere to this policy upon launch. • For existing websites and services, agencies should prioritize deployment using a risk based analysis. Web services that involve an exchange of personally identifiable information (PII), where the content is unambiguously sensitive in nature, or where the content receives a high-level of traffic should receive priority and migrate as soon as possible. • Agencies must make all existing websites and services accessible through a secure connection(15) (HTTPS-only, with HSTS) by December 31, 2016. • The use of HTTPS is encouraged on intranets(16), but not explicitly required. To monitor agency compliance, a public dashboard has been established at https://pulse.cio.gov/ . Technical Assistance Please visit https://HTTPS.cio.gov/ for technical assistance and best practices to aid in the implementation of this policy. For questions regarding this Memorandum, contact Mary A. Lazzeri in the Office of E-Government and Information and Technology at egov@omb.eop.gov with "HTTPS-Only Standard" as the subject line. (15) Allowing HTTP connections for the sole purpose of redirecting clients to HTTPS connections is acceptable and encouraged. HSTS headers must specify a max-age of at least 1 year. (16) "Intranet" is defined here as a computer network that is not directly reachable over the public internet. Page -5- Links: These links are the easiest and best I have found for sharing the “Good News” I found around my seventh birthday, the Fall of 1955. Frank Anderson, ac0xl. http://4laws.com/laws/languages.html, 4 Spiritual Laws. https://www.cru.org/us/en/train-and-grow/spiritual-growth/the-spirit-filled-life.html, The Spirit Filled Life. https://www.cru.org, Exploring Your Life’s Purpose - Let’s journey together. https://godtoolsapp.com, GodTools - Helping You Share Your Faith. #