More websites breaking as certificates expire during government shutdown
1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

More websites breaking as certificates expire during government shutdown

The count is now over 130, clearly certificate management is not an “essential function” of government.

As we reported last week, due to the current shutdown, many key security personnel are furloughed with only those serving “essential” functions staying on.

Then we touched on the fact that, clearly, certificate management wasn’t seen as essential because over 80 government websites had now suffered a certificate expiry, making many unreachable.

Predictably, that trend has continued, there are now over 130 broken websites as a result of expired SSL/TLS certificates.

So today we’ll look a little deeper at the problem, and then give a list of all the websites that are set to expire if the shutdown continues.

Let’s hash it out

This certificate expiration problem looks to get a lot worse

What’s frustrating about this entire issue is that it’s easily avoidable and also easily fixed, it’s just not a big enough problem that the parties responsible have been ordered back to work, as the Washington Post reports:

The certificates are designed to expire — some as frequently as every three months — to prevent a malicious actor from obtaining them and then impersonating a legitimate site. But it is rare for an expiration to last very long.

How much worse could this get? TechCrunch has compiled a list of prominent websites with certificates set to expire in the next month and a half. It’s not good:

Expired:

Expiring in January:

Federal domains that will expire by mid-February

Federal domains that will expire by the end of February

What makes this problem worse is that many of these websites have been added to the HSTS preload list. The preload list, which is used by all major browsers, forces HTTPS connections anytime someone attempts to access the site. This is great for security, unless your certificate is expired. Then it breaks your site, making it impossible to access.

When we say that websites are “broken,” this is what’s meant.

Will all of these sites break?

While there doesn’t seem to be any indication that either of the sides are relenting, the shutdown is going to end eventually. But, my bet is that before that you’ll see the individuals responsible called in to fix the problem.

That, or someone else that usually isn’t tasked with certificate management will be called on to do it. That could actually cause even more problems because it will be occurring outside of the usual work flows and that’s how you end up with shadow certificates – and those cause problems, too.

Either way, this can’t continue to happen much longer.

Ironically, this may be one of the most tangible ways that many Americans feel the shutdown. It would prove highly amusing if this issue, lack of access to government websites, is one of the things that incited the public enough to start pressuring representatives and senators for a resolution.

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.
Be the first to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Captcha *

Author

Patrick Nohe

Hashed Out's Editor-in-Chief started his career as a beat reporter and columnist for the Miami Herald. He also serves as Content Manager for The SSL Store™.