[Giagnocavo]Michael::Write()

 Friday, February 06, 2004
U.S. government's security cluelessness summarized

I was going to write about the absurdity of www.dhs.gov.  But, that's pretty much been covered many times and I doubt I'd say anything new.  However, while browsing the site, I found a link to www.safetyact.gov, which helps companies that make “anti-terrorism” products.  Of course, it's so broad that it could apply to almost anything if you have a shred of creativity.  Hmm, maybe I'll submit our Obfuscator and see if that qualifies.

At any rate, the interesting thing on www.safetyact.gov is that you are immediately redirected to use HTTPS (after some text saying “You are about to be redirected to a secure site”).

Now, why do you suppose they do that?  The site just sends down rather public information.  Anyone can go get it.  There's no sensitive data in transit.  My theory is that some... special... person thought that since the site is remotely related to actual security, why, by golly, they should be using SSL!  Otherwise hackers can get in.  Or terrorists.  Or something like that.

Sounds like the DHS (and its vile child, the TSA) so far.  But then, what's this?  SSL errors.  Revocation list not available.  Ok.  And then we get the nice message that this site's SSL certificate was signed by “DHS Test CA1”.  Yep, that's right ladies and gentlemen, they pulled a cert out of their hats.

This pretty much summarizes U.S. government security.  “We're clueless, but we're gonna do *something*.  That something doesn't have to make any sense, or even be implemented correctly.”

Yes, I know there are some smart people working in the U.S. government.  (At least one is an MVP!)  And the site actually loads, so someone, somewhere, even if it's a subcontractor, has enough sense to figure out how to press a power button and save files.  My guess is that whoever made this site wasn't a moron, but had a conversation like this:

“Hey, web designer, we've got a security exploit.”

“I'm not a web designer.  I'm a server admin.  And what exploit are you talking about?”

“Whatever, you work on the Internet.  Our site isn't secure.”

“Yes it is, we've got firewalls configured correctly, patches, monitoring, and the passwords are managed--”

“But I don't see a lock thingy in the Internet!”

“Right, the lock icon won't appear in your browser since we don't use SSL, Secure Sockets Layer.  We don't need to because we're not transmitting sensitive information.”

“I don't care!  I wanna see a lock icon thingy 'cause that means our site is secure, right?”

“Well actually, it means that data in transit is encrypted and--”

“Exactly!  Encryption means it's secure.  You should know this.  So, when will we have the lock icon thingy?”

“... Can you stand up, sir?  I need to get a certificate.”

Security
Friday, February 06, 2004 3:42:13 PM UTC  #    Comments [1]


Wednesday, March 10, 2004 9:49:19 PM UTC
I for one will sleep safer in my bed tonight after having looked at that.

(Also, monkeys will fly out of my ass.)