The government shutdown continues, and more and more sites are going down.
Right now dozens of US government websites are unreachable as a result of certificate expirations during the shutdown. This has affected agencies like NASA, the US Department of Justice and the Court of Appeals and include government payment portals and remote access services.
More than 80 SSL/TLS certificates have expired over the 21+ days this shutdown has gone on for, and that is only exacerbated by the fact some of these websites are on the HSTS preload list, which makes them unreachable.
So, today we’re going to talk about certificate expiry and the double-edged sword that is the HSTS preload list.
Let’s hash it out.
This is what happens when your SSL/TLS certificate expires
We talk all the time about what happens when your SSL/TLS certificate expires. We toss out high profile examples like Ericsson, Equifax, LinkedIn, Cisco—you name it. Most of those cases were a result of negligence or oversight.
This, however, is a direct result of the current US government shutdown.
We already talked, earlier this week, about how catastrophic this shutdown was going to be to the US Cybersecurity apparatus long-term. That’s because, much like the 2013 shutdown did with the NSA, this is going to dissuade the best and the brightest from taking a government job instead of heading to the far more lucrative private sector.
But, there are still some employees that have stayed on to handle the “essential” functions required for cyber defense. Apparently, certificate management was not considered an essential function, which is why – according to Netcraft – over 80 SSL/TLS certificates have expired since the shutdown.
…the hundreds of thousands of unpaid federal employees might not be the only ones hurting. As more and more certificates used by government websites inevitably expire over the following days, weeks — or maybe even months — there could be somePaul Mutton, Netcraft
realisticopportunities to undermine the security of all U.S. citizens.
The HSTS Preload List is not helping in this case
As you no doubt are aware, HSTS or HTTP Strict Transport Security, is a security header that forces browsers to only attempt HTTPS connections. Or to put it another way, it eliminates the ability for anyone to make non-encrypted HTTP connections with your site.
Unfortunately, there’s a tiny little window where an internet user is vulnerable. It exists on the very first visit to a given website, before the header has been downloaded. To close this window, many sites, like the Department of Justice’s, add themselves to the HSTS preload list. Browsers know to only make secure HTTPS connections with any site on the list, even if the users has never visited it before.
You can probably see where this is going… ows2.usdoj.gov, is a DOJ website with an SSL/TLS certificate that expired on Dec. 17. It has not been renewed. The site is down and cannot be reached. That’s actually not the worst thing in the world, and it’s far more secure than finding a way to connect via HTTP.
Ironically, the government’s own ineptitude has saved some websites from HSTS pitfall.
However, only a few of the affected .gov sites implement correctly-functioning HSTS policies. Just a handful of the sites appear in the HSTS preload list, and only a small proportion of the rest attempt to set a policy via the Strict-Transport-Security HTTP header – but the latter policies will not be obeyed when they are served alongside an expired certificate, and so will only be effective if the user has already visited the sites before.
As a result, most of these websites will just display the standard interstitial warning that usually comes with an expired certificate. A few sites will even allow you to get to their login pages via HTTP if you click through the connection.
Obviously, don’t do that.
As always, leave any comments or questions below…