80+ .gov SSL/TLS Certificates have expired during the shutdown

The government shutdown continues, and more and more sites are going down.

Right now dozens of US government websites are unreachable as a result of certificate expirations during the shutdown. This has affected agencies like NASA, the US Department of Justice and the Court of Appeals, and includes government payment portals and remote access services.

More than 80 SSL/TLS certificates have expired over the 21+ days this shutdown has gone on for, and the problem is only exacerbated by the fact that some of these websites are on the HSTS preload list, which makes them completely unreachable.

So, today we’re going to talk about certificate expiry and the double-edged sword that is the HSTS preload list.

Let’s hash it out.

This is what happens when your SSL/TLS certificate expires

We talk all the time about what happens when your SSL/TLS certificate expires. We toss out high profile examples like Ericsson, Equifax, LinkedIn, Cisco—you name it. Most of those cases were a result of negligence or oversight.

This, however, is a direct result of the current US government shutdown.

We already talked, earlier this week, about how catastrophic this shutdown was going to be to the US Cybersecurity apparatus long-term. That’s because, much like the 2013 shutdown did with the NSA, this is going to dissuade the best and the brightest from taking a government job instead of heading to the far more lucrative private sector.

But, there are still some employees who have stayed on to handle the “essential” functions required for cyber defense. Apparently, certificate management was not considered an essential function, which is why – according to Netcraft – over 80 SSL/TLS certificates have expired since the shutdown began.

…the hundreds of thousands of unpaid federal employees might not be the only ones hurting. As more and more certificates used by government websites inevitably expire over the following days, weeks — or maybe even months — there could be some realistic opportunities to undermine the security of all U.S. citizens.

Paul Mutton, Netcraft

The HSTS Preload List is not helping in this case

As you no doubt are aware, HSTS, or HTTP Strict Transport Security, is a security header that forces browsers to only attempt HTTPS connections. Or to put it another way, it eliminates the ability for anyone to make unencrypted HTTP connections with your site.

Unfortunately, there’s a tiny little window where an internet user is vulnerable. It exists on the very first visit to a given website, before the header has been downloaded. To close this window, many sites, like the Department of Justice’s, add themselves to the HSTS preload list. Browsers know to only make secure HTTPS connections with any site on the list, even if the user has never visited it before.

You can probably see where this is going… ows2.usdoj.gov is a DOJ website with an SSL/TLS certificate that expired on Dec. 17. It has not been renewed. The site is down and cannot be reached. That’s actually not the worst thing in the world, and it’s far more secure than finding a way to connect via HTTP.

Ironically, the government’s own ineptitude has saved some websites from the HSTS pitfall.

However, only a few of the affected .gov sites implement correctly-functioning HSTS policies. Just a handful of the sites appear in the HSTS preload list, and only a small proportion of the rest attempt to set a policy via the Strict-Transport-Security HTTP header – but the latter policies will not be obeyed when they are served alongside an expired certificate, and so will only be effective if the user has already visited the sites before.

As a result, most of these websites will just display the standard interstitial warning that usually comes with an expired certificate. A few sites will even allow you to get to their login pages via HTTP if you click through the warning.

Obviously, don’t do that.
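To make the three outcomes above concrete, here is an added Python model (not code from the article or from Netcraft) of how a browser treats an expired certificate depending on whether it already knows an HSTS policy for the host, and why a Strict-Transport-Security header served alongside an expired certificate is never stored. The "current" date, the year of the Dec. 17 expiry and the header value are constructed assumptions for the example.

```python
from datetime import datetime, timezone

# Constructed "now" roughly three weeks into the shutdown; a real monitor
# would use datetime.now(timezone.utc) and the live certificate's notAfter.
NOW = datetime(2019, 1, 12, tzinfo=timezone.utc)
DOJ_NOT_AFTER = datetime(2018, 12, 17, tzinfo=timezone.utc)  # year assumed
VALID_NOT_AFTER = datetime(2020, 1, 1, tzinfo=timezone.utc)  # constructed
HEADER = "max-age=31536000; includeSubDomains; preload"      # constructed

def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def browser_outcome(preloaded, cached_policy, hsts_header, not_after, now=NOW):
    """Return (what the browser shows, whether an HSTS policy gets stored).

    preloaded     -- host is on the browser's HSTS preload list
    cached_policy -- the user visited before and a policy is still cached
    hsts_header   -- Strict-Transport-Security value the server sends, or None
    not_after     -- certificate expiry (notAfter), timezone-aware
    """
    expired = now > not_after
    # RFC 6797 section 8.1: the header is only processed when it arrives over
    # a TLS connection with no errors, so a policy sent with an expired
    # certificate is ignored, and max-age=0 means "forget this host".
    stored = (hsts_header is not None and not expired
              and parse_hsts(hsts_header)["max_age"] not in (None, 0))
    if not expired:
        return "loads", stored
    if preloaded or cached_policy:
        # Known HSTS host: the expiry error is fatal, no click-through offered.
        return "hard-fail", stored
    # No known policy: ordinary interstitial that the user can click through.
    return "interstitial", stored
```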

As always, leave any comments or questions below…

Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.