CAAFlog is now accessible over a secure connection at: https://www.caaflog.com

I need your help to test the certificate. Please access the site via HTTPS and let me know (by email to Zack@CAAFlog.com) if you get any sort of warning or error message. Thanks in advance.

This feature is due to Google’s plan to mark regular HTTP connections as insecure.

12 Responses to “CAAFlog by SSL/TLS”

  1. K fischer says:

    no warning using my iPad.

  2. Zachary D Spilman says:

    I’ve received one report of a warning message from an Air Force user on a Government computer. I’m interested in the [update: adverse] experience of other users on Government computers. Thanks.

  3. Lieber says:

    Zachary,
    A fair amount of government users will get a warning and there is nothing you can do about it.  What happens is that most DOD web traffic is fed through a proxy server that decrypts the traffic so they can read and monitor it.  Thus losing the secure connection.
    (yes this means you shouldn’t do your banking etc on a DOD computer)
    And this raises ethical issues for members of the defense bar using DOD networks but no one has a good answer yet.

  4. Zachary D Spilman says:

    Yes, Lieber, the DoD uses proxy servers that (can) (and definitely do, I think) perform man-in-the-middle (MITM) attacks. But that’s a pretty standard practice in the world of corporate network security. Here, for example, is a marketing data sheet that discusses the Blue Coat visibility appliance.

    But MITM only works when it’s transparent (you don’t see any security warning). So government users won’t get a security warning because of that.

    Rather, government users will (might) (won’t, I hope) get a security warning because I installed an SSL certificate from Let’s Encrypt. I did that because it’s free. The DoD might not trust those certificates (for no good reason, I think, but there’s room for debate) or (more likely) there are some DoD computers that haven’t been updated to trust them. The alternative is to spend a little bit of money (likely around $100/yr) and get a brand name certificate. I probably won’t do that for the same reason I waited this long to enable SSL in the first place.

    As for “ethical issues for members of the defense bar using DOD networks,” there are none. Consent to monitoring isn’t a waiver of the attorney-client privilege (the consent explicitly says that much), and the Government doesn’t need your permission to read your email.

  5. Lieber says:

    That’s a pretty big assumption that all 51 bars have identical opinions on the matter.

  6. Zachary D Spilman says:

    It’s going to be hard for me to prove the negative on this one, Lieber. But the fact that the privilege is unharmed seems dispositive to me. When it comes to a state actor, all communication and storage systems are vulnerable. 

  7. Dew_Process says:

    @ Lieber,
       When the “Consent to Monitoring” Banner became mandatory some years back, it didn’t contain the language it does now that Zach points out, that it is not a waiver of the privilege.  At the time, a number of us got opinions from our respective State Bars which said in essence that we could not use the DoD email/computer systems for privileged communications.  As a result, there was litigation – a couple of MJs expressed concerns – and a short-term “fix” was to have the MJ issue a protective order.
     
      As you can imagine, that was virtually unworkable. The NACDL did a study [DISCLAIMER: I was one of the folks who worked on this] and made a pitch to the DoD/GC’s office to change the banner language to clarify that consent to monitoring was not a waiver of any privileges.  Nothing works fast at that level when it comes to defense complaints, but eventually they agreed and changed it. But, you are correct that different States approach the issue differently.
     
      Here’s a LINK to NY’s “best practices” when it comes to email communications which may be informative to anyone with doubts.

  8. Zachary D Spilman says:

    Thank you Dew_Process. I did not know that the privilege language was not in the original consent banner. 

  9. Tami a/k/a Princess Leia says:

    DOD doesn’t even trust its own certificates.  I don’t know how many times I’ve tried accessing Army websites, only to get a message that the certificate isn’t trusted, sometimes not able to get into the website at all.

  10. Gilbert says:

    No problem from Lejeune.

  11. Concerned Defender says:

    As for the HTTPS – no problems on my server/computer. 
    As to the greater issue at hand, the government apparently monitors every keystroke and word spoken over every communication device apparently almost worldwide and surely in the USA.  I’m not sure how a small or even large law firm or entity can truly protect any non-face-to-face communication.

  12. Lieber says:

    Nah, when it comes to non-government devices there are all sorts of ways to protect it from the government being able to read it.  If the NSA can break modern end-to-end encryption (iMessage, Signal etc.), it’s a secret so closely held that it has no relevance in the law enforcement context. 
    Likewise, if you have a properly configured iPhone 7, Windows computer with BitLocker or Mac with FileVault (there are many other third-party solutions), not even Cellebrite can do a DFE.