(No Ratings Yet)

Loading...

• Facebook
• Twitter
• LinkedIn
• Mail

January 18, 2019 1

More websites breaking as certificates expire during government shutdown

in Hashing Out Cyber Security

The count is now over 130, clearly certificate management is not an “essential function” of government.

As we reported last week, due to the current shutdown, many key security personnel are furloughed with only those serving “essential” functions staying on.

Then we touched on the fact that, clearly, certificate management wasn’t seen as essential because over 80 government websites had now suffered a certificate expiry, making many unreachable.

Predictably, that trend has continued, there are now over 130 broken websites as a result of expired SSL/TLS certificates.

So today we’ll look a little deeper at the problem, and then give a list of all the websites that are set to expire if the shutdown continues.

Let’s hash it out

This certificate expiration problem looks to get a lot worse

What’s frustrating about this entire issue is that it’s easily avoidable and also easily fixed, it’s just not a big enough problem that the parties responsible have been ordered back to work, as the Washington Post reports:

The certificates are designed to expire — some as frequently as every three months — to prevent a malicious actor from obtaining them and then impersonating a legitimate site. But it is rare for an expiration to last very long.

How much worse could this get? TechCrunch has compiled a list of prominent websites with certificates set to expire in the next month and a half. It’s not good:

Expired:

• disasterhousing.gov — December 28
• landimaging.gov — January 3
• earthsystemprediction.gov — January 11 — the National Earth System Prediction Capability
• manufacturing.gov — January 14 — a portal highlighting national manufacturing initiatives.
• nationalhousinglocator.gov — January 16

Expiring in January:

• scidac.gov — January 23
• ginniemae.gov — January 23
• reportband.gov — January 23
• mojavedata.gov — January 26
• congressionaldirectory.gov — January 30 — a redirect to the directory of Congress
• congressionalrecord.gov — January 30 — another redirect to the congressional record
• fdsys.gov — January 30
• housecalendar.gov — January 30 — a redirect pointing hosting the House calendar
• presidentialdocuments.gov — January 30 — Compilation of Presidential Documents
• senatecalendar.gov — January 30 — a redirect to the Senate calendar
• uscode.gov — January 30
• donaciondeorganos.gov — January 30
• www.fishwatch.gov — January 30

Federal domains that will expire by mid-February

• ferc.gov — February 1 — Federal Energy Regulatory Commission
• askkaren.gov — February 1
• befoodsafe.gov — February 1 — a redirecting link to the Department of Agriculture
• foodsafetyjobs.gov — February 1
• isitdoneyet.gov — February 1
• pregunteleakaren.gov — February 1
• www.democraticleader.gov — February 2 — website of the House majority leader
• majorityleader.gov — February 2 — redirecting link to the House majority’s page
• www.democraticwhip.gov — February 2 — website of the Congressional Democratic whip
• majoritywhip.gov — February 2 — redirecting link to Democratic whip’s page
• llnl.gov — February 2 — Lawrence Livermore National Laboratory
• moneyfactory.gov — February 6
• federalregister.gov — February 7 — the Federal Register
• wlci.gov — February 7
• fedrooms.gov — February 10
• floodsmart.gov — February 10 — the National Flood Insurance Program
• www.casl.gov — February 11
• geoplatform.gov — February 12 — the U.S. Geospatial Platform
• fatherhood.gov — February 13
• eeoc.gov — February 13 — the Equal Employment Opportunity Commission
• www.faa.gov — February 13 — the Federal Aviation Administration
• grants.gov — February 15
• indianaffairs.gov — February 15 — Department of the Interior’s Indian Affairs bureau
• jusfc.gov — February 15

Federal domains that will expire by the end of February

• bia.gov — February 18 — another link to Indian Affairs
• presidentialinnovationfellows.gov — February 18
• usich.gov — February 18
• cdfifund.gov — February 18
• home.treasury.gov — February 18 — the end domain to the U.S. Treasury homepage
• financialstability.gov — February 18
• fsoc.gov — February 18
• irsauctions.gov — February 18
• irssales.gov — February 18
• makinghomeaffordable.gov — February 18
• mha.gov — February 18
• sigtarp.gov — February 18
• treas.gov — February 18
• ustreas.gov — February 18 — a redirect to the U.S. Treasury
• capnhq.gov — February 19 — another redirect link to the U.S. Treasury
• fdicseguro.gov — February 19
• sftool.gov — February 21
• nlm.gov — February 21 — the National Library of Medicine
• bea.gov — February 22
• opioids.gov — February 22 — the White House’s page on the opioids epidemic
• jamesmadison.gov — February 24
• usitc.gov — February 24 — the U.S. International Trade Commission
• arctic.gov — February 25
• inspire2serve.gov — February 26
• usaspending.gov — February 26
• sec.gov — February 26 — the Securities and Exchange Commission
• everytrycounts.gov — February 27
• abandonedmines.gov — February 27
• malwareinvestigator.gov — February 28 — the FBI’s malware analysis site
• va.gov — February 28 — Department of Veterans Affairs
• code.gov — February 28 — Code.gov for Sharing America’s Code

What makes this problem worse is that many of these websites have been added to the HSTS preload list. The preload list, which is used by all major browsers, forces HTTPS connections anytime someone attempts to access the site. This is great for security, unless your certificate is expired. Then it breaks your site, making it impossible to access.

When we say that websites are “broken,” this is what’s meant.

Will all of these sites break?

While there doesn’t seem to be any indication that either of the sides are relenting, the shutdown is going to end eventually. But, my bet is that before that you’ll see the individuals responsible called in to fix the problem.

That, or someone else that usually isn’t tasked with certificate management will be called on to do it. That could actually cause even more problems because it will be occurring outside of the usual work flows and that’s how you end up with shadow certificates – and those cause problems, too.

Either way, this can’t continue to happen much longer.

Ironically, this may be one of the most tangible ways that many Americans feel the shutdown. It would prove highly amusing if this issue, lack of access to government websites, is one of the things that incited the public enough to start pressuring representatives and senators for a resolution.

As always, leave any comments or questions below…