Government Shutdown Means Government Website Security Certs Aren't Being Renewed

from the it's-the-little-things dept

With all the news about the ongoing government shutdown and the big messes it has caused, it’s creating lots of little messes with potentially big impact as well. For example, scammers and robocallers have upped their game during the shutdown, knowing that (1) there’s no one investigating these scams right now, and (2) as I discovered when I tried to report one, the FTC has literally shut down the web portal where you used to be able to submit complaints.

Another one, however, pointed out last week by Netcraft, is the fact that government website security certificates are expiring… and there’s no one around to renew them:

Dozens of U.S. government websites have been rendered either insecure or inaccessible during the ongoing U.S. federal shutdown. These sites include sensitive government payment portals and remote access services, affecting the likes of NASA, the U.S. Department of Justice, and the Court of Appeals.

With around 400,000 federal employees currently furloughed, more than 80 TLS certificates used by .gov websites have so far expired without being renewed. To compound the situation, some of these abandoned websites can no longer be accessed due to strict security measures that were implemented long before the shutdown started.

As Netcraft notes, some of those sites you can’t even get around the security warning, such as certain DOJ sites:

In a twist of fate, the domain ? and all of its subdomains ? are included in Chromium’s HSTS preload list. This is a prudent security measure which forces modern browsers to only use secure, encrypted protocols when accessing the U.S. DoJ websites; however, it will also prevent users from visiting the HTTPS sites when an expired certificate is encountered. In these cases, modern browsers like Google Chrome and Mozilla Firefox deliberately hide the advanced option that would let the user bypass the warning and continue through to the site.

There are some government websites that you can click through on, but as Netcraft notes, this could allow for man-in-the-middle attacks or other security risks:

This introduces some realistic security concerns, as task-oriented users are more likely to ignore these security warnings, and will therefore render themselves vulnerable to man-in-the-middle attacks.

If the shutdown continues for a while, this problem could get significantly worse. I know that Wall Street put pressure on the government to make certain IRS employees suddenly deemed “essential” to help Wall Street keep functioning smoothly, perhaps someone might want to deem the people renewing security certs similarly essential? Or, you know what, maybe just re-open the damn government.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Government Shutdown Means Government Website Security Certs Aren't Being Renewed”

Subscribe: RSS Leave a comment
PaulT (profile) says:

Re: Re: certificates

I’d imagine automation is something that’s slow to be approved in the public sector. I wouldn’t even be surprised if such a thing is explicitly prevented in order to allow for contract renegotiation, etc. or so as not to imply favouritism toward a specific supplier.

Also, never underestimate the power of management who will favour an inferior solution due to a brand name or because they know a paid solution will give them an out when their incompetence is revealed.

Cowardly Lion says:

Re: Re: Re: certificates

I’d imagine automation is something that’s slow to be approved in the public sector.

Not just slow, but likely to never happen. The UK gov sites we admin are managed by an elaborate paper driven procedure agreed when Edward was on the throne. It’s triggered by an internal Business Team that asks the Technical Team to generate their certificate request files, upon which they then obtain the necessary certs from the providers. Once obtained, they hand them over to an internal Security Team, who audit/vet them before handing them to the Technical Team for implementation. And that’s the simple version; there are other internal/external Business Units and external Security Teams in the loop.

2 weeks minimum. It’s like ‘Yes Minister’, on steroids.

PaulT (profile) says:

Re: Re: Re:2 certificates

That’s what I imagined. I’ve never really worked in the public sector, but I’ve seen the bureaucracy in some larger corporate environments in action and have seen no reason to assume that government work would be more streamlined.

Hopefully some thinking people in the US will take this as a warning, though – if something as predictable and easily automated as certificate renewal is failing, just imagine what else is getting ready to collapse.

Stephen T. Stone (profile) says:

Re: Re: Re:

The longer it stays shut down, the longer people have to realize that the benefits of having it don’t outweigh the negatives.

I would love to believe this is true, but the people who probably should be learning this lesson are likely people who voted into office the man responsible for the shutdown.

Anonymous Coward says:

Re: Government Actually Gets Things Done -- Who Knew?

By “everybody” I think you mean “government employees who have been furloughed and a small handful of others”. The rest of us haven’t really noticed a difference. In fact, it seems to me that the government could shut down every year for all but maybe a couple weeks out of the year and we’d all get to pay less in taxes.

At least there is no new terrible legislation going through right now.

bob says:

Re: Re: Government Actually Gets Things Done -- Who Knew?

You may not notice anything yet but the problem is as this continues you will come to wish the government did operate. Also that the damage to the country will become more permanent.

Yes there are things that can be trimmed from current operations. The problem with a shutdown is that it is like using a chainsaw instead of a scalpel when doing the trimming. You end up losing a lot more than just fat and the opening won’t heal correctly either.

PaulT (profile) says:

Re: Re: Government Actually Gets Things Done -- Who Knew?

“The rest of us haven’t really noticed a difference”

Oh, but you will. I’m sorry to see that you’re so incapable of critical thinking that you have to wait for the damage to hit you personally, rather than take easy preventative measures to stop it from happening.

“we’d all get to pay less in taxes.”

Yet, you apparently support something that’s guaranteed to cost you billions, at minimum. Strange.

Anonymous Coward says:

I’ve been enjoying this government shutdown. Like the national parks having the gates left open and forgoing the $35 entrance fee, free camping, etc. (though by now trash may be getting oppressive) Unlike the Obama shutdown, which went out of its way to force shut everything on federal lands from parks to bike trails to major highways.

But it makes no sense why the can’t government do any labor-shifting, in much the same way that companies routinely handle strikes by sending the executives and engineers to work the assembly lines? The vast majority of the federal government does not do anything that’s essential on a daily basis, and the fully-funded parts, such as the military, could easily switch to other duties.

PaulT (profile) says:

Re: Re:

“the fully-funded parts, such as the military, could easily switch to other duties.”

I don’t know what’s more sad. The fact that you freely admit that the insane amount of money that you spend on your military would be better spent elsewhere. Or, the fact that you believe that your government doesn’t hire anyone with any actual professional knowledge or experience since they’re so easily replaced.

Anonymous Coward says:

Re: Re:

I don’t know about you, but I’m terrified that more government workers aren’t classified as essential. Safety inspectors for the FAA are currently furloughed. That means inspections just aren’t happening. Think about that for a minute. Hell, I’m glad I’m not an airline investor. Between the lack of inspections and the lack of pay for air traffic controllers this shutdown is turning air travel into the worst game of Russian roulette ever. Then again if there is a crash that can be traced to the shutdown as the root cause maybe the airlines will soon be wealthy if they can sue the government for negligence.

Anonymous Coward says:

Re: Re: Re:

The inspectors verify that the airlines have done their jobs. If the airlines can blame-shift their negligence onto the inspectors because they didn’t do the inspection it will be a sad day for us all.

Blame where it’s due. In software we don’t blame our Quality Assurance people when they fail to catch a bug written by Engineering. We praise them when they do but Engineering is at fault for bugs. Always. No difference in other industries.

PaulT (profile) says:

Re: Re: Re: Re:

“If the airlines can blame-shift their negligence onto the inspectors because they didn’t do the inspection it will be a sad day for us all.”

Yet, that’s what they’ll do. Quite often, these things are there because companies cut corners to save money. Plenty of middle management types spend their days raging at people who won’t let them put margins over and above peoples’ safety, because they always believe they know better and the precautions are not necessary.

Now they can take shortcuts and blame the lack of oversight when problems aren’t caught – and you think this won’t happen?

“In software we don’t blame our Quality Assurance people when they fail to catch a bug written by Engineering”

I somehow doubt you’ve ever worked in industry, certainly not for a larger corporate entity.

Anonymous Coward says:

Re: Re:

The vast majority of the federal government does not do
anything that’s essential on a daily basis

Please. Oh PLEASE give me an example. This is your libertarian wet dream. A society without a government telling you what to do.
I am giving you the power. Who do you behead to never return?
Oh please tell me oh wise one who never needs to see a paycheck again?
Please tell me what services are not important enough.

Anonymous Coward says:

Re: Re: Re:

“Please. Oh PLEASE give me an example.”

Just to name one, HUD, the Department of Housing and Urban Development, would be high on my list of “federal agencies that are not just useless, but counter-productive.”

Much of the gargantuan federal government is basically a “workfare” program for minorities. Perhaps it served a real need back in the 1960s when Johnson’s “Great Society” programs were born, but today serves as a lingering remnant of the kind of socialism that even hardline socialist countries abandoned.

Anonymous Coward says:

Re: Re: Re:2 Re:

Quite to the contrary they’re very useful in propping up our corporate overlords who choose not to pay a living wage by subsidizing their serfs’ housing costs. At least under feudalism the vassals would house their serfs.

Anonymous Coward says:

Re: Re:

You know I wouldn’t let a doctor work on my car and I sure as shit wouldn’t want a GI inspecting my food or trying to monitor air quality or hell, being a project manager at the VA. I don’t know what fantasy world you live in where mid level managers know how to drop an engine block into a car or demolitions expert can run IRS tax software.

Bruce C. says:

For all you know they may be doing some labor-shifting, but the upper level appointees are probably bogged down doing the lower level work that’s required for them to do their executive work. Manning the entry booth at a national park doesn’t qualify.

There’s probably also some civil service regulations to prevent Civil Service work being done by appointees. Otherwise it would be too easy to terminate employees for political reasons.

I wish the Dems would pass a bill with a border wall, but also with everything from Student Loan forgiveness to DACA and other immigration reforms. Give Pres. Trump a choice: either a clean bill with no wall, or a bill that funds his symbolic pork-barrel, but forces him to accept a significant part of their agenda in return. At a minimum, roll back some of the Trump corp and high-income tax cuts to “pay for the wall”.

Oh, and explicitly fund the Mueller investigation to the end of the FY, so the new DoJ leadership doesn’t play games with their budget.

Stephen T. Stone (profile) says:

Re: Re:

I wish the Dems would pass a bill with a border wall, but

Everything after this assumes the Senate would pass the same bill and force Trump into making a decision. Since Mitch McConnell would probably rather die that put Trump in the path of a Sophie’s Choice like yours (and a could-be-successful override vote in the Senate if he chooses to veto), I doubt that would happen.

Anonymous Coward says:

Re: Re:

Nah that is bad form. It allows Trump/GOP to completely change the conversation and rightfully flip the argument so the Dems are trying to play politics with the budget. that they are being the stubborn ones by only accepting a bill with X additions. Everyone with half a brain sees the only stubborn one is Trump here. Adding in the political wishlist for the Dems flips that argument.

Anonymous Coward says:

Re: Incompetence, not shutdown.

If that’s true, that makes one wonder if there isn’t a conspiracy to make it look worse than it is.

One would presume that it would have been noticed before the shutdown if it was expired… but it seems everyone noticed it after the shutdown started.

Was it reverted to the older cert after the shutdown?

PaulT (profile) says:

Re: Re: Incompetence, not shutdown.

“One would presume that it would have been noticed before the shutdown if it was expired”

Who says it wasn’t?

“but it seems everyone noticed it after the shutdown started.”

By “everybody” you mean Netcraft and by “after the shutdown started”, you mean “after the certificates expired” (most of which examined having expired after the shutdown).

“Was it reverted to the older cert after the shutdown?”

Occam’s razor does help with most such conspiracy theories. Which is more likely – relatively mundane repetitive tasks are simply not being done by a department which is shut down for the second time in the space of a year, or that people are deliberately reinstalling expired certificates in order to make it look like they’re more important than they are?

Glenn says:

Over the past 2 years Trump has proven he’s incapable of doing the job of POTUS. Now, he’s unwilling to even go through the motions. Since he refuses to work, he should just be fired.

Of course he’s a Russian agent. It’s been clear for some time that his goal is to ruin this country.

Just shut him down and put a wall around him–four walls actually… like a prison cell? (you know, for treason).

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...