Folks, the reason you get a certificate error is because this .mil site uses a certificate signed by the DoD CAs and none of the major OS/browsers ship with them pre-installed (for what should be obvious reasons).
Out of curiosity, what are those obvious reasons? Is it because the US military is less trustworthy than other US government institutions or, say, Chinese and Turkish government CAs?
Edit: To make this clear, I'm not interested in a spurious political debate, I'm really just interested in the reasons / who decided this e.g. for my browser Firefox on the basis of what reasons.
Other than reasons like others mentioned: security and/or not following public CA guidelines, there are also other government sites with invalid TLS certificates due to incompetence. I.E. https://www.12306.cn, the TLS cert is valid and signed by DigiCert but the common name field was not matching the domain the site is serving. ¯\_(ツ)_/¯ Also, I recalled they would ask you to download their own root cert during the checkout process. This is a high-speed rail ticketing site being used by billions of people every year. Go figure.
I would like to add some constructive conversation instead of banter about the cert... how does this get around malware/rootkit software that is embedded in the mobo or BIOS? How is this really any different than a LiveCD of Kali Linux or something?
I see that it is read-only media so I suppose that helps, but in the end it's still only as secure as the machine that you run it from.
"TENS differs from traditional operating systems in that it isn't continually patched"
Uh-oh. They argue that this is not an issue since the drive is read only, preventing any persistence of malware between sessions. However, this still means that there are known and fixable holes in the system which are exposed in using TENS; just because the malware goes away when you reboot, doesn't make it ok to allow malware in in the first place.
Also, what about literally any hardware security threats, like physical keyloggers or any evil low level software (BIOS, UEFI, etc.)?
They have a DoD accreditation for their software (EW) but not their bootable media. Therefore, if you govvies run this on your government systems, you'll get your hand slapped and there's no guarantee it won't flag your system.
No you don't. At least not even on old IE 11, and I can't imagine any other browser doing it worse (and I know Firefox). The browser is supposed to allow you to access the site by just confirming that you want to. No root certificates.
It's a partial fact. Unless you put principal in picture, appreciation figure alone is of no use. And in case of San Jose housing, the ratio is not that impressive
jlgaddis | 8 years ago
jonathanstrange | 8 years ago
devy | 8 years ago
ShorsHammer | 8 years ago
https://iase.disa.mil/pki-pke/Pages/tools.aspx
*under Trust Store
skissane | 8 years ago
emmelaich | 8 years ago
ruffyen | 8 years ago
matthberg | 8 years ago
luka-birsa | 8 years ago
jlgaddis | 8 years ago
It's not the worst option out there, but it's far from a "general purpose" Linux LiveCD.
jalical | 8 years ago
Detry322 | 8 years ago
acqq | 8 years ago
quantized1 | 8 years ago
VvR-Ox | 8 years ago
lasermike026 | 8 years ago
lmlsna | 8 years ago
DeepYogurt | 8 years ago
The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.
Error code: SEC_ERROR_UNKNOWN_ISSUER
----
Neat