A large sway of US governmental websites have let their TLS certificates expire due to staffing issues as a government shutdown enters into its 20th day.
A political disagreement over the allocation of funding for border security has brought US government institutes to a standstill, causing widespread disruption throughout federal departments.
As 400,000 federal staff are furloughed and many received a pay check this week that had zero dollars in it, government employees are remaining at home, while essential staff are calling in sick in protest. This is causing the day-to-day maintenance and upkeep of department websites to lag into dangerous territory.
It is estimated that over 80 websites with the .gov domain now have expired TLS certificates as no IT staff are currently being paid to maintain the .gov websites.
TLS or Transport Layer Security is essentially an updated version of Secure Sockets Layer (SSL). Both SSL and TLS allow users to interact with websites in a secure manner. They do this by encrypting any data that is transferred between the user and the website, or between two systems.
The lack of up-to-date certificates is causing websites that are HTTPS-protected to issue ‘connection not private’ warnings to users as they try to access them. While some websites which are listed on the Chromium’s HTTP Strict Transport Security (HSTS) list cannot be accessed at all.
HSTS is a security measure used widely on browsers such as Chrome and Firefox that forces browsers to only connect with webpages that are using secure encrypted protocols. Many sites such as a Department of Justice page cannot be accessed due to HSTS restrictions and are displaying warnings stating “CERT_DATE_INVALID” such as the one below form a DoJ site,
Martin Thorpe Enterprise Architect at Venafi told Computer Business Review: “The US shutdown has now left a mark on the digital world. At best, this isn’t a good look for the government departments concerned. At worst, the thousands of Americans who rely on these websites are left cut off from the services they need.”
“The reality is that many organisations struggle to prevent website outages at the best of times, overlooking the importance of certificates. These certificates provide every machine – whether it’s a website, application or device, with an identity. Without them, machines can’t trust each other when they communicate. Regardless of how reputable the DoD and other government departments may be, the expiry of their online identity means that every major browser just can’t trust them.”
While the HSTS acts as barrier to stop user from accessing sites that posses a danger to users, often many are not configured or implemented correctly.
Internet research agency Netcraft say that: “Only 1 in 20 HTTPS servers correctly implements HTTP Strict Transport Security.”
This leaves each site without HSTS policies in place open to man-in-the-middle attacks and the issue is further compounded as government sites allow their TLS certificates expire.
“Any organisation can prevent website outages by managing their certificates properly, but as with so many other aspects of the government shutdown, these concerns have been swept under the rug,” Martin Thorpe commented.