CAP CyberPatriot Playbook

Started by Paul Creed III, June 14, 2017, 12:46:42 PM


Paul Creed III

The National Cadet Cyber Programs team has written the "CAP CyberPatriot Playbook" to help new coaches and mentors in their endeavors with creating and making their CyberPatriot team successful. 

The CyberPatriot Playbook has been posted to the National Cyber Programs website at http://www.cap-cyber.org/index.php/resources and will be updated as often as necessary.

Please feel free to contact me at paul.creed@ohwg.cap.gov with any questions or comments about the Playbook. Input is welcome from the field to improve the Playbook for all of Civil Air Patrol.
Lt Col Paul Creed III, CAP
Group 3 Ohio Wing sUAS Program Manager

Holding Pattern

Please fix the https certificate.

Paul Creed III

Quote from: Mordecai on June 14, 2017, 07:48:24 PM
Please fix the https certificate.

Can you please clarify where the certificate error is occurring?
Lt Col Paul Creed III, CAP
Group 3 Ohio Wing sUAS Program Manager

Holding Pattern

Any use of https on that site is throwing the chrome flag of evil.

Your connection is not private

Attackers might be trying to steal your information from www.cap-cyber.org (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID

TG2

Quote from: Mordecai on June 14, 2017, 08:00:27 PM
Any use of https on that site is throwing the chrome flag of evil.

Your connection is not private

Attackers might be trying to steal your information from www.cap-cyber.org (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID

Mordecai
The error "CERT_AUTHORITY_INVALID" comes from the fact that it is a self-signed certificate. Hence the "Authority" that issued the cert is not a known and established certificate authenticator. (Authenticators are updated routinely in your browser without the user's direct knowledge.)

The connection is still secure, so long as you trust the site that you're dealing with, and with concern on what you are sharing.  Would I share banking information with cap-cyber.org? no, but for encrypting user/pass and the like, which are unique to that site and only that site, sure.

Certs cost money, and I wouldn't begrudge a site the use of self signed certs so long as I know and trust the site.  Additionally given the level of trust needed, adding the self signed cert to the allowed registry/repository on local machines would allow you to bypass the error.

If you were to use Firefox, you could easily add an exception to the error, while it would still show you invalid certificate iconography in the URL bar. (e.g., showing red or a line through the lock while having HTTPS displayed)

Google (ergo Chrome) is not the authority their statements purport them to be.

Spaceman3750

https://letsencrypt.org

You and I might know there's no technical issue with a self signed cert, but it's difficult to assert a site as an authority on cyber defense training when it generates security warnings.

etodd

Quote from: Mordecai on June 14, 2017, 07:48:24 PM
Please fix the https certificate.

The link he gave in the post didn't have the https

It's a public link. Does he need to password the page?
"Don't try to explain it, just bow your head
Breathe in, breathe out, move on ..."

Holding Pattern

Quote from: Spaceman3750 on June 15, 2017, 01:18:00 AM
https://letsencrypt.org

You and I might know there's no technical issue with a self signed cert, but it's difficult to assert a site as an authority on cyber defense training when it generates security warnings.

Precisely this.

Holding Pattern

Quote from: etodd on June 15, 2017, 02:14:24 AM
Quote from: Mordecai on June 14, 2017, 07:48:24 PM
Please fix the https certificate.

The link he gave in the post didn't have the https

It's a public link. Does he need to password the page?

My browser promotes webpages to https whenever available. Using proper certificates is a cybersecurity best practice that is completely free to do thanks to Let's Encrypt. If they don't want people using https, they should disable the service on the secure port.

keystone102

I smell a lesson on self signed certificates coming on. I do encourage CyberPatriot leaders to create lessons on getting a certificate from a commercial CA or Let's Encrypt. We should encourage all webmasters to use TLS/SSL on their websites.