80+ .gov SSL/TLS Certificates have expired during the shutdown
The government shutdown continues, and more and more sites are going down.
Right now dozens of US government websites are unreachable as a result of certificate expirations during the shutdown. This has affected agencies like NASA, the US Department of Justice and the Court of Appeals, and includes government payment portals and remote access services.
More than 80 SSL/TLS certificates have expired over the 21+ days this shutdown has gone on for, and that is only exacerbated by the fact that some of these websites are on the HSTS preload list, which makes them completely unreachable.
So, today we’re going to talk about certificate expiry and the double-edged sword that is the HSTS preload list.
Let’s hash it out.
This is what happens when your SSL/TLS certificate expires
We talk all the time about what happens when your SSL/TLS certificate expires. We toss out high profile examples like Ericsson, Equifax, LinkedIn, Cisco—you name it. Most of those cases were a result of negligence or oversight.
This, however, is a direct result of the current US government shutdown.
We already talked, earlier this week, about how catastrophic this shutdown was going to be to the US Cybersecurity apparatus long-term. That’s because, much like the 2013 shutdown did with the NSA, this is going to dissuade the best and the brightest from taking a government job instead of heading to the far more lucrative private sector.
But there are still some employees who have stayed on to handle the “essential” functions required for cyber defense. Apparently, certificate management was not considered an essential function, which is why – according to Netcraft – over 80 SSL/TLS certificates have expired since the shutdown began.
…the hundreds of thousands of unpaid federal employees might not be the only ones hurting. As more and more certificates used by government websites inevitably expire over the following days, weeks — or maybe even months — there could be some realistic opportunities to undermine the security of all U.S. citizens.
Paul Mutton, Netcraft
The HSTS Preload List is not helping in this case
As you no doubt are aware, HSTS, or HTTP Strict Transport Security, is a security header that forces browsers to only attempt HTTPS connections. Or to put it another way, it eliminates the ability for anyone to make unencrypted HTTP connections to your site.
Unfortunately, there’s a tiny little window where an internet user is vulnerable. It exists on the very first visit to a given website, before the header has been downloaded. To close this window, many sites, like the Department of Justice’s, add themselves to the HSTS preload list. Browsers know to only make secure HTTPS connections with any site on the list, even if the user has never visited it before.
You can probably see where this is going… ows2.usdoj.gov is a DOJ website with an SSL/TLS certificate that expired on Dec. 17. It has not been renewed. The site is down and cannot be reached. That’s actually not the worst thing in the world, and it’s far more secure than finding a way to connect via HTTP.

Ironically, the government’s own ineptitude has saved some websites from the HSTS pitfall.
However, only a few of the affected .gov sites implement correctly functioning HSTS policies. Just a handful of the sites appear in the HSTS preload list, and only a small proportion of the rest attempt to set a policy via the Strict-Transport-Security HTTP header – but the latter policies will not be obeyed when they are served alongside an expired certificate, and so will only be effective if the user has already visited the sites before.
As a result, most of these websites will just display the standard interstitial warning that usually comes with an expired certificate. A few sites will even allow you to get to their login pages via HTTP if you click through the connection.
Obviously, don’t do that.
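As an added example (not code from the original post or from Netcraft), this Python script parses Strict-Transport-Security headers, checks preload eligibility against the preload list's one-year max-age minimum, and works out what a visitor sees once a certificate lapses, applying the rule that a header served on a connection with a TLS error is ignored. The inventory, hostnames, dates and headers are constructed.

```python
from datetime import date
PRELOAD_MIN_MAX_AGE = 31_536_000  # hstspreload.org requires max-age >= one year

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797); None if unusable."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None  # malformed max-age: browsers drop the whole header
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def preload_eligible(header):
    """True if the header meets the preload list's minimum requirements."""
    p = parse_hsts(header or "")
    return bool(p and p["max_age"] >= PRELOAD_MIN_MAX_AGE
                and p["include_subdomains"] and p["preload"])

def user_sees(host, today):
    """Visitor outcome. RFC 6797 s8.1: a policy served on a connection with a TLS
    error is ignored, so after expiry only a preload entry or a policy cached
    from an earlier valid visit can still be enforced."""
    if today <= host["not_after"]:
        return "ok"
    if host["preloaded"] or host["cached_policy"]:
        return "hard-fail"    # HSTS forbids clicking through the warning
    return "interstitial"     # warning page; click-through still possible

def report(inventory, today):
    """One (host, days to expiry, preload-eligible, outcome) row per host."""
    rows = [(h["name"], (h["not_after"] - today).days, preload_eligible(h["hsts"]),
             user_sees(h, today)) for h in inventory]
    return sorted(rows, key=lambda r: r[1])  # soonest expiry first

# Constructed inventory for illustration; hostnames, dates and headers are made up.
INVENTORY = [
    {"name": "preloaded.example.gov", "not_after": date(2018, 12, 17), "preloaded": True,
     "cached_policy": False, "hsts": "max-age=31536000; includeSubDomains; preload"},
    {"name": "header-only.example.gov", "not_after": date(2019, 1, 2), "preloaded": False,
     "cached_policy": False, "hsts": "max-age=300"},
    {"name": "still-valid.example.gov", "not_after": date(2019, 2, 1), "preloaded": False,
     "cached_policy": False, "hsts": None},
]
```

Run `report(INVENTORY, date(2019, 1, 11))` to see which constructed hosts are already hard-failing and which still show a click-through warning.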
As always, leave any comments or questions below…