U.S. Government Shutdown Leaves Its Sites with Expired TLS Certificates

CyberTech

Nov 10, 2017
Following a partial U.S. government shutdown caused by a deadlock on the issue of the Mexican border wall between the Democratic Party and Donald Trump, tens of government websites can no longer be accessed or have been marked as using insecure connections because their TLS certificates have not been renewed.

The websites of the U.S. Department of Justice, NASA, and the Court of Appeals are some of the ones hit by the government's failure to extend around 80 TLS certificates used on .gov domains.

.gov websites with expired certificates on the HSTS preload list now inaccessible

One of the websites affected by this mishap is the Department of Justice's https://ows2.usdoj.gov/, which displays an error message warning visitors that the connection is not private or secure, depending on the web browser used.

To make things worse, because ows2.usdoj.gov is also on Chromium's HTTP Strict Transport Security (HSTS) preload list, the website will not be accessible given that both Google Chrome and Mozilla Firefox will automatically hide the button allowing users to temporarily ignore the warning and open the website.

Expired ows2.usdoj.gov TLS certificate

Furthermore, seeing that most other web browsers also use their own HSTS preload lists based on the Chrome one, there is nothing users can do to load the .gov websites temporarily broken by the expired TLS certificates.

The government sites not on the HSTS preload list will open after users click on the "Advanced" button at the end of the warning and choose to proceed, but there are risks involved in doing that.


Expired certificates increase the risk of fraud and identity theft

According to GlobalSign, people who still choose to use websites with expired TLS certificates are exposed to:


  • Personal information at risk from man-in-the-middle attacks
  • Individual susceptible to fraud and identity theft

"Until US Congress resumes services it is inevitable that we will see expired certificates and this example just goes to show how vulnerable organizations who are susceptible to shutdown can be," said GlobalSign’s Managing Director, Paul Tourret.

"As more and more certificates used by government websites inevitably expire over the following days, weeks — or maybe even months — there could be some realistic opportunities to undermine the security of all U.S. citizens," according to Netcraft's Paul Mutton who discovered the expired .gov TLS certificates and the issues they're causing.

Update: Removed the "insecure" term from the title to avoid confusion.
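
An added example (not part of the original post or the article it quotes): a triage of a certificate inventory that separates expired certificates on HSTS-preloaded hosts, where browsers offer no click-through, from expired certificates that only produce a bypassable warning. The hostnames, dates, status labels and the preload entry fields `name` and `include_subdomains` are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data (not real scan results): preload-style entries and a
# certificate inventory using the notAfter text format of ssl.getpeercert().
PRELOAD = [
    {"name": "agency.example", "include_subdomains": True},
    {"name": "portal.dept.example", "include_subdomains": False},
]
INVENTORY = [
    {"host": "apps.agency.example", "not_after": "Dec 17 12:00:00 2018 GMT"},
    {"host": "www.dept.example", "not_after": "Jan  5 23:59:59 2019 GMT"},
    {"host": "portal.dept.example", "not_after": "Jan 20 00:00:00 2019 GMT"},
    {"host": "data.other.example", "not_after": "Aug  1 00:00:00 2019 GMT"},
]


def hsts_preloaded(host, entries):
    """True if host is listed exactly, or under a parent with include_subdomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for entry in entries:
            if entry["name"] == candidate and (i == 0 or entry["include_subdomains"]):
                return True
    return False


def triage(inventory, entries, now, warn_days=14):
    """Classify each host by certificate state and whether a browser bypass exists."""
    report = {}
    for item in inventory:
        seconds = ssl.cert_time_to_seconds(item["not_after"])
        expires = datetime.fromtimestamp(seconds, tz=timezone.utc)
        if expires <= now:
            blocked = hsts_preloaded(item["host"], entries)
            status = "expired-no-bypass" if blocked else "expired-warning"
        elif (expires - now).days < warn_days:
            status = "renew-now"
        else:
            status = "ok"
        report[item["host"]] = status
    return report


if __name__ == "__main__":
    as_of = datetime(2019, 1, 10, tzinfo=timezone.utc)  # constructed audit date
    for host, status in triage(INVENTORY, PRELOAD, as_of).items():
        print(f"{host:24} {status}")
```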
 

Michyon

May 18, 2018
I know this might be a far call, but censored by this way? Is it possible to work around this?
 
