Dod's Public.cyber.mil Is Using an Untrusted Root Ca

Posted4 months agoActive4 months ago

thom_nic

2 points

3 comments

cyber.milSecuritystory

skepticalnegative

Debate

80/100

Data-PrivacyCertificate AuthorityDepartment of Defense

Key topics

Data-Privacy

Certificate Authority

Department of Defense

Discussion Activity

Light discussion

First comment

N/A

Peak period

0-1h

Avg / period

1.5

Key moments

01Story posted
Aug 25, 2025 at 10:06 AM EDT
4 months ago
Step 01
02First comment
Aug 25, 2025 at 10:06 AM EDT
0s after posting
Step 02
03Peak activity
2 comments in 0-1h
Hottest window of the conversation
Step 03
04Latest activity
Aug 25, 2025 at 12:16 PM EDT
4 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (3 comments)

Showing 3 comments

elmerfud

4 months ago

1 reply

https://usgovpki.apps.deas.ecs.mil/dod/cas-all-simple/index....

I don't know if their change was intentional but the DoD does publish their CAs for use. I also have to say that if you are blindly trusting the CAs that your browser includes to determine the legitimacy, authenticity or security of your data going to the target of your intention, you are in for a very rude awakening when you learn how they work and how most of them issue certificates.

The way most certificates are signed nowadays is only as strong as the DNS hijacking protection they have. Preloaded CAs make for an ease of browsing experience but protection they actually provide is only in the encrypted transit and not much beyond that.

thom_nicAuthor

4 months ago

This is fair, but I would venture to guess 99% of people including software developers and even most IT professionals completely rely on the vendor pre-installed root CAs.

thom_nicAuthor

4 months ago

DOD Cyber Exchange, home of DISA STIGs among other resources, appears to be signed by a root CA "US DoD CCEB Interoperability Root CA 2" which does not appear to be in any browser list of trusted root CAs. This seems to have changed at some point, because public.cyber.mil used to be accessible without any browser warnings. Certificate chain:

    $ gnutls-cli --print-cert public.cyber.mil 443 </dev/null
    Processed 150 CA certificate(s).
    Resolving 'public.cyber.mil:443'...
    Connecting to '23.9.224.83:443'...
    - Certificate type: X.509
    - Got a certificate list of 2 certificates.
    - Certificate[0] info:
     - subject `CN=comm-cyber.mil,OU=DISA,OU=PKI,OU=DoD,O=U.S. Government,C=US', issuer `CN=DOD SW CA-74,OU=PKI,OU=DoD,O=U.S. Government,C=US', serial 0x087ef6, RSA key 2048 bits, signed using RSA-SHA256, activated `2025-08-11 17:51:06 UTC', expires `2026-09-12 17:51:06 UTC', pin-sha256="zqDELcwzXa0DHRYN6o+J5FGm2fSFXYb3O0knmjH3MrE="
            Public Key ID:
                    sha1:2925dac566b06932f1995cc904f1e723e26d6f5d
                    sha256:cea0c42dcc335dad031d160dea8f89e451a6d9f4855d86f73b49279a31f732b1
            Public Key PIN:
                    pin-sha256:zqDELcwzXa0DHRYN6o+J5FGm2fSFXYb3O0knmjH3MrE=


    -----BEGIN CERTIFICATE-----
    ...snip
    -----END CERTIFICATE-----

    - Certificate[1] info:
     - subject `CN=DOD SW CA-74,OU=PKI,OU=DoD,O=U.S. Government,C=US', issuer `CN=DoD Root CA 6,OU=PKI,OU=DoD,O=U.S. Government,C=US', serial 0x4a, RSA key 2048 bits, signed using RSA-SHA384, activated `2023-05-16 16:05:29 UTC', expires `2029-05-15 16:05:29 UTC', pin-sha256="NJVFdvvbhMFMXyUHKDk1RLnMkkY5Qt9eP3Q0Q8QHPUk="

    -----BEGIN CERTIFICATE-----
    ...snip
    -----END CERTIFICATE-----

    - Status: The certificate is NOT trusted. The certificate issuer is unknown. 
    *** PKI verification of server certificate failed...
    *** Fatal error: Error in the certificate.

View full discussion on Hacker News

ID: 45014003Type: storyLast synced: 11/18/2025, 12:05:58 AM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN