Expired certs aren’t being replaced

The partial US federal government shutdown is starting to have a negative effect on web security.

Dozens of US government websites have been “rendered either insecure or inaccessible” because TLS certificates have expired during a time when agencies are so short staffed that system maintenance work has been put on hold.

Government payment portals and sites run by NASA, the US Department of Justice, and the Court of Appeals are among those affected by the expired certificate issue, security firm Netcraft reports.

“With around 400,000 federal employees currently furloughed, more than 80 TLS certificates used by .gov websites have so far expired without being renewed,” Netcraft’s Paul Mutton explains in a blog post.

“To compound the situation, some of these abandoned websites can no longer be accessed due to strict security measures that were implemented long before the shutdown started.”

Among the 80 or so sites affected is a US Department of Justice (DoJ) website, whose certificate expired on December 17, just days before the shutdown began.

DoJ subdomains are among many government sites covered by an HTTP Strict Transport Security (HSTS) policy. With HSTS in force, browsers will not let users click through certificate warnings to reach HTTPS sites whose certificates have expired.

While HSTS is intended to improve security, in the circumstances of a US government shutdown it has turned access to US government sites and services into a minefield for US citizens.

Without the automatic renewal of certificates, even more sites would be affected by the growing expired certificate problem, Netcraft’s Mutton told The Daily Swig.

“Many of the unaffected sites are using certificates that can be – and probably were – automatically renewed,” he said.
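The two mechanisms described above (HSTS blocking click-through on an expired certificate, and renewal that has to happen before expiry) can be combined into a simple monitoring check. The following is an added example, not code from Netcraft or the article; it works offline on constructed sample data in the shape that Python's `ssl` module and an HTTP response would return, and it assumes the client has already cached or preloaded the HSTS policy.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data: a certificate dict in the shape returned by
# ssl.SSLSocket.getpeercert(), the response headers of the same host, and a
# fixed "now" a few days after the expiry date quoted in the article.
SAMPLE_CERT = {
    "subject": ((("commonName", "example-agency.gov"),),),  # placeholder name
    "notAfter": "Dec 17 23:59:59 2018 GMT",
}
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"
}
SAMPLE_NOW = datetime(2018, 12, 22, tzinfo=timezone.utc)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and arg.strip().isdigit():
            max_age = int(arg.strip())
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def days_until_expiry(cert, now):
    """Days left (negative once expired) until the certificate's notAfter."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])  # interpreted as UTC
    expiry = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400


def classify(cert, headers, now, warn_days=30):
    """Return 'ok', 'renew-soon', 'insecure' (warning can be clicked through)
    or 'inaccessible' (expired and an HSTS policy is assumed cached/preloaded)."""
    hsts = headers.get("Strict-Transport-Security")
    max_age, _ = parse_hsts(hsts) if hsts else (None, False)
    hsts_active = max_age is not None and max_age > 0
    days = days_until_expiry(cert, now)
    if days < 0:
        return "inaccessible" if hsts_active else "insecure"
    if days <= warn_days:
        return "renew-soon"  # renew now, before HSTS turns a lapse into an outage
    return "ok"


if __name__ == "__main__":
    print(classify(SAMPLE_CERT, SAMPLE_HEADERS, SAMPLE_NOW))
```

In a real deployment the certificate dict would come from `ssl` against each host in an inventory and `warn_days` would be set to comfortably exceed the renewal lead time, so an expiring certificate is flagged while staff are still able to act on it.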

The situation will only get worse as the partial shutdown grinds on with little sign of any prompt resolution.

Netcraft’s Mutton concluded: “As more and more certificates used by government websites inevitably expire over the following days, weeks – or maybe even months – there could be some realistic opportunities to undermine the security of all US citizens.”

Elsewhere, the operation of US government security-related agencies such as NIST.gov has also been affected by the funding freeze.

Suzanne Spaulding, an advisor at security vendor Nozomi Networks and former DHS Under Secretary, warned: “With each passing day, the impact of the government shutdown on our nation's security grows… Cybersecurity is hard enough with a full team. Operating at less than half strength means we are losing ground against our adversaries.”

The US government shutdown comes while the newly established US Cybersecurity and Infrastructure Security Agency (CISA), a division of the DHS, is trying to get its operations up and running. Nearly half (45%) of its workers are reportedly away from work on involuntary leave.

The partial shutdown of the US government comes at the worst possible time for CISA, according to Spaulding.

“Getting this agency fully operational requires a lot of work and it’s like repairing an airplane while you’re flying it,” Spaulding explained.

“You try to avoid disrupting the critical operational activity even while you make changes to improve the organization. This shutdown is a disruption CISA can ill afford.”

Martin Thorpe, enterprise architect at digital certificate firm Venafi, added: “The US shutdown has now left a mark on the digital world. Several government websites, such as the DoD, now greet users with a ‘CERT_DATE_INVALID’ warning in place of the website itself.

“At best, this isn’t a good look for the government departments concerned. At worst, the thousands of Americans who rely on these websites are left cut off from the services they need.”