The CIA Solves a Non-Existent Problem

by on November 29, 2006 · 18 comments

This is odd. Apparently, the CIA has recently decided that access to its entire website will henceforth be encrypted using SSL–the encryption standard used by websites accepting your credit card number.

They say this ensures that no one is able to impersonate the CIA website, but that doesn’t make a whole lot of sense. I can’t imagine why anyone would want to impersonate the CIA’s public website. And if they did, SSL is only an effective deterrent if the user manually examines the site certificate, which doesn’t seem very likely.

The other claimed benefit is to prevent eavesdropping on (or tampering with) peoples’ browsing. But that doesn’t make sense either. An eavesdropper could still see the URLs being visited by a user. And since most of the site is publicly available, static content, encrypting it is kind of pointless. It’s certainly good to encrypt personal information submitted by users, but the site was already doing that before this announcement.

Technologically-challenged institutions have an unfortunate habit of judging security using bulleted lists. Throwing more encryption at something doesn’t make it more secure. You have to think about who your attacker is and what he’s likely to be after before you start looking for solutions. In this case, it’s not clear there’s any attacker at all. As far as I can see, no one is trying to spoof the CIA’s public website or eavesdrop on people visiting it. So adding SSL is a solution in search of a problem.

Previous post:

Next post: