Why Budweiser’s ad is a big risk in Trump’s USA.
Odd messages on Web browsers might be due to a simple maintenance problem
Some visitors to the White House website have reported seeing messages that carry scary warnings. A message from Google Chrome warns: “Attackers might be trying to steal your information from messages.whitehouse.gov, for example passwords, messages or credit cards.”
Washington Post staffers ran into similar messages on Microsoft’s Edge browser, Apple’s Safari and Mozilla’s Firefox browser. Some Twitter users experienced the same thing:
“A bit concerned,” @bradhoshawmusic wrote. “When I visited the http:// petitions.whitehouse.gov site, @AVGFree kept warning me of threats. #Paranoia #RussianHackers?”
Seeing that sort of language on your screen doesn’t inspire confidence, to say the least. But, according to cybersecurity professionals, the messages don’t seem to be prompted by an attack. In fact, they are not obviously linked to anything nefarious at all; it’s probably because of a simple maintenance oversight.
The White House did not respond to a request for comment.
Experts told The Post that the messages are appearing because the site’s security certificate — or, very simply put, the thing that verifies that a site is what it says it is — isn’t valid.
It appears that the White House’s equipment is not configured correctly, and the old certificate was revoked or allowed to expire without being replaced, said Kenneth White of the Open Crypto Audit project, a nonprofit organization dedicated to improving cybersecurity. There are perhaps hundreds of pieces of equipment and servers that need to be just right to keep the White House site up and running correctly, he said, so it would be easy to miss something.
“I want to dissuade any notion of this being cloak and dagger, or there being any sort of malicious intent,” White said. “This is almost certainly an innocent mistake.”
So that’s the good news: There’s no indication there was a malicious attack. Nor does it appear to be tied to the recent transition of power at 1600 Pennsylvania Ave. According to White, records indicate that the certificate was revoked by the company that issues certificates in May 2016 — in other words, long before the Trump administration occupied its current offices. (A similar message appeared in 2015 on the same day the Obama administration held a cybersecurity summit.)
White suspects that people are seeing the updates more frequently now because of recent browser updates. Some browsers, including Chrome, have increased their own security measures regarding security certificates. That may explain why not everyone sees the same message, or people only see it in certain browsers.
The bad news is that this means at least parts of the White House’s website — such as messages.whitehouse.gov — aren’t secure at the moment. A valid certificate is a guarantee of trust. Without that, visitors to the site lose their warning that something could be wrong.
“With an invalid certificate, anyone can monitor your traffic, see what you’re reading even if you’re not logging in and see which pages [you’re] spending time on,” said George Avetisov, chief executive of the firm HYPR Biometric Security. He also said that if the most visible parts of the White House’s site aren’t being properly monitored, it raises questions about some of the more technical parts as well. In the meantime, he said, “don’t go to whitehouse.gov until they fix that certificate.”
But Rob Graham, a cybersecurity expert at Errata Security, said that avoiding the site would be a little extreme. “While this may be true in a general sense, I would dispute that in this case,” he said. “Being invalid is not automatically the problem.”
Avestisov said he hopes that an expected cybersecurity executive order from President Trump, which is likely to include provisions to encourage the government to adopt industry-standard security measures, will prevent mistakes like this.
“The root problem in the government,” Avestisov said, “is that they have a lot of legacy systems — there are places in the government that still run Windows XP, even though it’s not supported anymore. There is no unified approach to cybersecurity.”
Experts say a message that some people have seen while viewing the White House website is probably not tied to a cyberattack or the transition of power.