More than 80 TLS certificates used by .gov websites have expired amidst the ongoing shutdown of the U.S. federal government.
According to Netcraft, web browsers are warning visitors to dozens of government websites that their connections are not secure. Most of these warnings are the result of expired TLS certificates. Google Chrome showed exactly that to a visitor of a U.S. Court of Appeals website that provides links to a document filing system and PACER (Public Access to Court Electronic Records), as seen in the screenshot below. Chrome flagged the connection as insecure because the website’s DigiCert certificate expired on 5 January 2019 and has yet to be renewed.
The visitor can still reach the Court of Appeals website by clicking through the interstitial. Users should think twice before ignoring their web browsers’ warnings, however. Chrome shows the same kind of interstitial whether a certificate is merely expired or was issued by an untrusted party, so a user who has learned to click past the first will click past the second too, exposing themselves to man-in-the-middle (MitM) attacks.
“The US shutdown has now left a mark on the digital world. Several government websites, such as the DoD, now greet users with a ‘CERT_DATE_INVALID’ warning in place of the website itself. At best, this isn’t a good look for the government departments concerned,” cautions Martin Thorpe, Enterprise Architect for Venafi. “At worst, the thousands of Americans who rely on these websites are left cut off from the services they need.”
It’s a different story with other government websites that have recently suffered a certificate outage. Just look at what Chrome showed to a visitor of https://ows2.usdoj.gov, a U.S. Department of Justice website whose digital certificate expired on 17 December 2018:
Why does Chrome treat this site differently from the Court of Appeals website? Netcraft provides the answer in a blog post:
In a twist of fate, the usdoj.gov domain — and all of its subdomains — are included in Chromium's HSTS preload list. This is a prudent security measure which forces modern browsers to only use secure, encrypted protocols when accessing the U.S. DoJ websites; however, it will also prevent users from visiting the HTTPS sites when an expired certificate is encountered. In these cases, modern browsers like Google Chrome and Mozilla Firefox deliberately hide the advanced option that would let the user bypass the warning and continue through to the site.
As a result, Chrome and Firefox users cannot reach the site at all, not even by clicking through the warning, and whatever Justice Department information it serves is unavailable to them. This is the behaviour HSTS is designed to have: RFC 6797 requires a browser to treat any TLS error on a known-HSTS host as fatal and not let the user proceed, which is why an expired certificate on such a host is an outage rather than a warning.
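To make the difference concrete, here is an added example (written for this article; it is not Chromium’s, Netcraft’s or Venafi’s code) that reproduces the decision a Chromium-style browser makes. It takes a certificate’s notAfter in the string form Python’s `ssl.SSLSocket.getpeercert()` returns, plus a small constructed excerpt in the shape of entries from Chromium’s HSTS preload list, and walks the host name up through its parent domains the way the preload lookup does. Only ows2.usdoj.gov and usdoj.gov come from the article; www.appeals-court.example, example-preload.test, the times of day, the pinned “now” of 11 January 2019 and the result labels are assumptions made for the example, so it runs offline and deterministically.

```python
"""Added example: why one expired .gov certificate gives a dismissable
warning and another a hard block in a Chromium-style browser.

Illustrative code for this article, not Chromium's, Netcraft's or
Venafi's. Inputs:

  * the certificate's notAfter, as a string in the form returned by
    ssl.SSLSocket.getpeercert(), e.g. 'Jan  5 12:00:00 2019 GMT';
  * a constructed excerpt in the shape of Chromium preload-list entries
    (transport_security_state_static.json).

Only ows2.usdoj.gov / usdoj.gov come from the article. All other host
names, the times of day and the pinned "now" are hypothetical.
"""
import ssl
from calendar import timegm

SECONDS_PER_DAY = 86400

# Constructed excerpt in the shape of Chromium preload-list entries.
# The real list is far larger; only the usdoj.gov entry reflects the article.
PRELOAD_ENTRIES = [
    {"name": "usdoj.gov", "mode": "force-https", "include_subdomains": True},
    # Hypothetical entry preloaded without include_subdomains, for contrast.
    {"name": "example-preload.test", "mode": "force-https", "include_subdomains": False},
]


def build_preload_index(entries):
    """Map each force-https entry name to its include_subdomains flag."""
    return {
        e["name"].lower(): bool(e.get("include_subdomains", False))
        for e in entries
        if e.get("mode") == "force-https"
    }


def is_preloaded(hostname, index):
    """Decide whether preloaded HSTS applies to hostname.

    Walk from the full host name up through each parent domain. An exact
    match always applies; a parent entry applies only if it was preloaded
    with include_subdomains, otherwise keep walking towards the TLD.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for depth in range(len(labels)):
        candidate = ".".join(labels[depth:])
        if candidate in index and (depth == 0 or index[candidate]):
            return True
    return False


def days_until_expiry(cert, now):
    """Days from `now` (epoch seconds) until cert["notAfter"]; negative once expired."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / SECONDS_PER_DAY


def classify(hostname, cert, now, index, warn_days=30):
    """What the browser (or a renewal monitor) concludes about this host.

    'ok'                  valid, more than warn_days left
    'expiring-soon'       valid, but renewal is due now
    'warning-overridable' expired; the interstitial offers a way through
    'blocked-hsts'        expired on a preloaded HSTS host; no way through
    """
    remaining = days_until_expiry(cert, now)
    if remaining > warn_days:
        return "ok"
    if remaining > 0:
        return "expiring-soon"
    return "blocked-hsts" if is_preloaded(hostname, index) else "warning-overridable"


# Constructed certificates in getpeercert() shape; dates follow the article,
# the 12:00 time of day is an assumption.
DOJ_CERT = {"subject": ((("commonName", "ows2.usdoj.gov"),),),
            "notAfter": "Dec 17 12:00:00 2018 GMT"}
COURT_CERT = {"subject": ((("commonName", "www.appeals-court.example"),),),
              "notAfter": "Jan  5 12:00:00 2019 GMT"}

# 11 January 2019 00:00:00 UTC, pinned so the run is reproducible.
NOW = timegm((2019, 1, 11, 0, 0, 0))

if __name__ == "__main__":
    index = build_preload_index(PRELOAD_ENTRIES)
    for host, cert in (("ows2.usdoj.gov", DOJ_CERT),
                       ("www.appeals-court.example", COURT_CERT)):
        print(f"{host}: {days_until_expiry(cert, NOW):+.1f} days, "
              f"preloaded={is_preloaded(host, index)}, "
              f"result={classify(host, cert, NOW, index)}")
```

Run as-is it reports ows2.usdoj.gov as `blocked-hsts` and the hypothetical court site as `warning-overridable`, both about three and a half weeks and five and a half days past expiry respectively. Two caveats for real use: a browser also honours HSTS it learned dynamically from an earlier `Strict-Transport-Security` header, which this preload-only lookup does not model, and at inventory scale the notAfter should come from a proper X.509 parser rather than the `getpeercert()` string form. The `days_until_expiry` value is the same number a renewal monitor would alert on, so running `classify` with a generous `warn_days` over an inventory is the check that prevents the outage in the first place.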
The exact cause of these outages isn’t known. Even so, many in the information security community reason that the ongoing federal shutdown has something to do with them.
Regardless of their cause, outages remain a serious challenge for any organization, let alone a government body. Venafi’s Martin Thorpe notes, “The reality is that many organizations struggle to prevent website outages at the best of times, overlooking the importance of certificates. These certificates provide every machine, whether it’s a website, application or device, with an identity. Without them, machines can’t trust each other when they communicate. Regardless of how reputable the DoJ and other government departments may be, the expiry of their online identity means that every major browser just can’t trust them.”
The heart of this shutdown is a conflict between President Donald Trump and Democrats on funding for border security. As reported by The Washington Post, the former wants $5.7 billion to build more than 200 miles of a new wall along the U.S.-Mexican border, while the latter is refusing to give the President more than $1.3 billion to fund existing border security measures.
There’s no sign of either side relenting on their position. Reflecting his refusal to compromise with Democrats, President Trump said that the shutdown could last “months, even years.” This spells trouble for the 800,000 federal employees either furloughed or left to work without pay as a result of the shutdown.
The federal shutdown is an unusual circumstance, to be sure. But it’s not uncommon for a website (or cellular service in 11 countries) to go down because of an expired certificate. Unlike most outages, this one is predictable: every certificate carries its own expiry date, so an organization that inventories its certificates, watches their notAfter dates and renews well ahead of them can avoid it entirely. That’s why organizations need a platform that automatically monitors their certificates for weaknesses and upcoming expiration.
“Any organization can prevent website outages by managing their certificates properly,” notes Thorpe, “but as with so many other aspects of the government shutdown, these concerns have been swept under the rug.”