More websites breaking as certificates expire during government shutdown
The count is now over 130; clearly, certificate management is not an “essential function” of government.
As we reported last week, due to the current shutdown, many key security personnel are furloughed with only those serving “essential” functions staying on.
Then we touched on the fact that, clearly, certificate management wasn’t seen as essential because over 80 government websites had now suffered a certificate expiry, making many unreachable.
Predictably, that trend has continued: there are now over 130 broken websites as a result of expired SSL/TLS certificates.
So today we’ll look a little deeper at the problem, and then give a list of all the websites whose certificates are set to expire if the shutdown continues.
Let’s hash it out
This certificate expiration problem looks to get a lot worse
What’s frustrating about this entire issue is that it’s easily avoidable and also easily fixed. It’s just not a big enough problem that the parties responsible have been ordered back to work. As the Washington Post reports:
The certificates are designed to expire — some as frequently as every three months — to prevent a malicious actor from obtaining them and then impersonating a legitimate site. But it is rare for an expiration to last very long.
How much worse could this get? TechCrunch has compiled a list of prominent websites with certificates set to expire in the next month and a half. It’s not good:
Expired:
- disasterhousing.gov — December 28
- landimaging.gov — January 3
- earthsystemprediction.gov — January 11 — the National Earth System Prediction Capability
- manufacturing.gov — January 14 — a portal highlighting national manufacturing initiatives.
- nationalhousinglocator.gov — January 16
Expiring in January:
- scidac.gov — January 23
- ginniemae.gov — January 23
- reportband.gov — January 23
- mojavedata.gov — January 26
- congressionaldirectory.gov — January 30 — a redirect to the directory of Congress
- congressionalrecord.gov — January 30 — another redirect to the congressional record
- fdsys.gov — January 30
- housecalendar.gov — January 30 — a redirect pointing to the House calendar
- presidentialdocuments.gov — January 30 — Compilation of Presidential Documents
- senatecalendar.gov — January 30 — a redirect to the Senate calendar
- uscode.gov — January 30
- donaciondeorganos.gov — January 30
- www.fishwatch.gov — January 30
Federal domains that will expire by mid-February
- ferc.gov — February 1 — Federal Energy Regulatory Commission
- askkaren.gov — February 1
- befoodsafe.gov — February 1 — a redirecting link to the Department of Agriculture
- foodsafetyjobs.gov — February 1
- isitdoneyet.gov — February 1
- pregunteleakaren.gov — February 1
- www.democraticleader.gov — February 2 — website of the House majority leader
- majorityleader.gov — February 2 — redirecting link to the House majority’s page
- www.democraticwhip.gov — February 2 — website of the Congressional Democratic whip
- majoritywhip.gov — February 2 — redirecting link to Democratic whip’s page
- llnl.gov — February 2 — Lawrence Livermore National Laboratory
- moneyfactory.gov — February 6
- federalregister.gov — February 7 — the Federal Register
- wlci.gov — February 7
- fedrooms.gov — February 10
- floodsmart.gov — February 10 — the National Flood Insurance Program
- www.casl.gov — February 11
- geoplatform.gov — February 12 — the U.S. Geospatial Platform
- fatherhood.gov — February 13
- eeoc.gov — February 13 — the Equal Employment Opportunity Commission
- www.faa.gov — February 13 — the Federal Aviation Administration
- grants.gov — February 15
- indianaffairs.gov — February 15 — Department of the Interior’s Indian Affairs bureau
- jusfc.gov — February 15
Federal domains that will expire by the end of February
- bia.gov — February 18 — another link to Indian Affairs
- presidentialinnovationfellows.gov — February 18
- usich.gov — February 18
- cdfifund.gov — February 18
- home.treasury.gov — February 18 — the end domain to the U.S. Treasury homepage
- financialstability.gov — February 18
- fsoc.gov — February 18
- irsauctions.gov — February 18
- irssales.gov — February 18
- makinghomeaffordable.gov — February 18
- mha.gov — February 18
- sigtarp.gov — February 18
- treas.gov — February 18
- ustreas.gov — February 18 — a redirect to the U.S. Treasury
- capnhq.gov — February 19 — another redirect link to the U.S. Treasury
- fdicseguro.gov — February 19
- sftool.gov — February 21
- nlm.gov — February 21 — the National Library of Medicine
- bea.gov — February 22
- opioids.gov — February 22 — the White House’s page on the opioids epidemic
- jamesmadison.gov — February 24
- usitc.gov — February 24 — the U.S. International Trade Commission
- arctic.gov — February 25
- inspire2serve.gov — February 26
- usaspending.gov — February 26
- sec.gov — February 26 — the Securities and Exchange Commission
- everytrycounts.gov — February 27
- abandonedmines.gov — February 27
- malwareinvestigator.gov — February 28 — the FBI’s malware analysis site
- va.gov — February 28 — Department of Veterans Affairs
- code.gov — February 28 — Code.gov for Sharing America’s Code
What makes this problem worse is that many of these websites have been added to the HSTS preload list. The preload list, which is used by all major browsers, forces HTTPS connections anytime someone attempts to access the site. This is great for security, unless your certificate is expired. Then it breaks your site, making it impossible to access.
When we say that websites are “broken,” this is what’s meant.
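To make the HSTS interaction concrete, here is an added example (not code from the original article) that triages a certificate inventory by expiry date and HSTS policy. The hostnames, dates and headers are constructed, and it assumes a positive `max-age` means the policy is in effect for the visitor.

```python
import ssl
from datetime import datetime, timezone

def parse_hsts(header):
    """Return (max_age, preload) from a Strict-Transport-Security value."""
    max_age, preload = 0, False
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        value = value.strip().strip('"')
        if name.strip().lower() == "max-age" and value.isdigit():
            max_age = int(value)
        elif name.strip().lower() == "preload":
            preload = True
    return max_age, preload

def classify(not_after, hsts_header, now, warn_days=30):
    """Return (status, days_left) for one certificate.

    not_after uses the notAfter format of ssl.getpeercert(),
    e.g. 'Jan 30 12:00:00 2019 GMT'.
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = (expires - now).days
    max_age, _preload = parse_hsts(hsts_header)
    if expires <= now:
        # With HSTS in force the browser offers no click-through on a
        # certificate error, so an expired cert is a hard outage.
        return ("blocked" if max_age > 0 else "bypassable-warning"), days_left
    if days_left < warn_days:
        return "renew", days_left
    return "ok", days_left

def audit(inventory, now):
    """Classify every host and list the most urgent first."""
    order = {"blocked": 0, "bypassable-warning": 1, "renew": 2, "ok": 3}
    rows = [(host, *classify(na, hsts, now)) for host, na, hsts in inventory]
    return sorted(rows, key=lambda r: (order[r[1]], r[2]))

# Constructed sample inventory: hostnames, dates and headers are made up.
SAMPLE = [
    ("ok.example", "Jun 01 12:00:00 2019 GMT", "max-age=31536000"),
    ("soon.example", "Feb 01 12:00:00 2019 GMT", "max-age=31536000"),
    ("plain.example", "Jan 14 12:00:00 2019 GMT", None),
    ("off.example", "Jan 14 12:00:00 2019 GMT", "max-age=0"),
    ("hsts.example", "Jan 11 12:00:00 2019 GMT", "max-age=31536000; includeSubDomains; preload"),
]
NOW = datetime(2019, 1, 20, tzinfo=timezone.utc)  # constructed "today"

if __name__ == "__main__":
    for host, status, days in audit(SAMPLE, NOW):
        print(f"{host:15} {status:20} {days:4d} days")
```

The `max-age=0` row shows the edge case where a site has switched HSTS off, so its expired certificate produces a warning rather than a hard block.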
Will all of these sites break?
While there doesn’t seem to be any indication that either side is relenting, the shutdown is going to end eventually. But my bet is that before then you’ll see the individuals responsible called in to fix the problem.
That, or someone else who usually isn’t tasked with certificate management will be called on to do it. That could actually cause even more problems because it will be occurring outside of the usual workflows, and that’s how you end up with shadow certificates – and those cause problems, too.
Either way, this can’t continue to happen much longer.
Ironically, this may be one of the most tangible ways that many Americans feel the shutdown. It would prove highly amusing if this issue, lack of access to government websites, were one of the things that incited the public enough to start pressuring representatives and senators for a resolution.
As always, leave any comments or questions below…