Does anybody else think it’s weird that Amazon issues digital certs to the US government

When signing up for a US gov login at secure.login.gov, the digital certificate verifying the site is issued by Amazon (using a root certification authority from "Starfield Class Certification Authority"). Does anybody else find it weird that a private company vouches for the US government?

level 1

· 13h · System Administrator

Would it not be more concerning if the US government had a root certification authority cert on consumer devices and could issue trusted certificates for whatever domain they pleased for whatever purpose they pleased?

The DoD has their own internal CA that they use for some sites. If the site is intended for use by everyday citizens, it would make sense that they use a publicly trusted CA.

level 2

On the civilian side of the US government, Entrust even issues the certificates on everyone's HSPD-12 badge. This is used to log into computers and web applications (if supported). I worked many years on the contracting side of the US Government in security, and I would not trust them to have a root certificate on just any consumer device in the root trust store. Each department can do that independently if they want for their internal stuff. Personally I wouldn't want any government to have a root certificate in the OS trust store, but that is not always the case.
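
The trust-store point made in the two comments above, as an added example that is not part of the thread: two constructed root CAs (the root names and the host `login.example.test` are invented) each issue a certificate for the same hostname, and a client accepts whichever one chains to a root in its store. It assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Constructed demo: every root in a client's trust store can vouch for ANY hostname.
# The two root names and login.example.test are invented for this example.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
HOST=login.example.test

# Minimal config so the roots are proper CAs regardless of the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_root <name>: self-signed root CA (key + certificate)
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf <root> <hostname>: server certificate for <hostname> signed by <root>
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1-leaf.key" -out "$WORK/$1-leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/$1-leaf.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/$1-leaf.pem" 2>/dev/null
}

# trusts <store.pem> <leaf.pem> <hostname>: prints "yes" if the client would accept it
trusts() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

for r in commercial-root gov-root; do make_root "$r"; issue_leaf "$r" "$HOST"; done
cat "$WORK/commercial-root.pem" > "$WORK/store-public.pem"   # commercial CA only
cat "$WORK/commercial-root.pem" "$WORK/gov-root.pem" > "$WORK/store-both.pem"

echo "public store, commercial leaf: $(trusts "$WORK/store-public.pem" "$WORK/commercial-root-leaf.pem" "$HOST")"
echo "public store, gov leaf:        $(trusts "$WORK/store-public.pem" "$WORK/gov-root-leaf.pem" "$HOST")"
echo "both roots,   gov leaf:        $(trusts "$WORK/store-both.pem" "$WORK/gov-root-leaf.pem" "$HOST")"
```

The hostname on the certificate is identical in every case; the only thing that changes the verdict is which roots the client's store contains.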

level 2

· 12h · Governance, Risk, & Compliance

level 1

Website is probably on AWS. Nothing unusual about that.

level 2

Exactly, AWS seems to be the cloud provider of choice for the US government. And it’s not like the feds are running their own CA. I mean why would they, they outsource just about everything else.

level 1

· 9h · edited 6h

login.gov runs on AWS GovCloud... More than likely they are using Amazon Certificate Manager and terminating SSL at an ALB/ELB.

level 1

· 10h · Security Engineer

SSL certs are a mediocre mechanism for validating actual identity. Their primary function is handling traffic encryption. Amazon is not "vouching" for the government here. This is not some sort of "Amazon having control of the internet" situation. I'd suggest reading up more on how ssl certificates and the certificate authority chain works.

level 2

There's a guy with a governance risk and compliance flair that doesn't seem to get this.

No wonder our industry is in such a fucking state.

level 1

What other third party would you recommend?

level 1

In Belgium we have eID which is basically a smart card with a personal certificate issued by the government CA (which is a public CA). We use the eID to login to government services and digitally sign stuff.

level 1

Lol OP seems to be seriously tech illiterate

level 1

Absolutely not. Is it the government's job to issue certs? No, lol.

level 1

Many mil and gov sites in the Amazon umbrella.

level 1

A lot of DOD has been moving to AWS lately

level 1

Welcome to technofascism.

level 1

I'm a software engineer for a DOD contractor - we use AWS.

level 1

· 8h · edited 8h

Amazon is the host of ALL of the government's stuff like that one which is connected to the internet and another one that is completely separate.

level 1

USG relies on commercial software and digital goods because it's more cost effective and easier to update than having bespoke items made for non military use.