Government Shutdown Means Government Website Security Certs Aren't Being Renewed

from the it's-the-little-things dept

With all the news about the ongoing government shutdown and the big messes it has caused, it's creating lots of little messes with potentially big impact as well. For example, scammers and robocallers have upped their game during the shutdown, knowing that (1) there's no one investigating these scams right now, and (2) as I discovered when I tried to report one, the FTC has literally shut down the web portal where you used to be able to submit complaints.

Another one, however, pointed out last week by Netcraft, is the fact that government website security certificates are expiring... and there's no one around to renew them:

Dozens of U.S. government websites have been rendered either insecure or inaccessible during the ongoing U.S. federal shutdown. These sites include sensitive government payment portals and remote access services, affecting the likes of NASA, the U.S. Department of Justice, and the Court of Appeals.

With around 400,000 federal employees currently furloughed, more than 80 TLS certificates used by .gov websites have so far expired without being renewed. To compound the situation, some of these abandoned websites can no longer be accessed due to strict security measures that were implemented long before the shutdown started.

As Netcraft notes, on some of those sites, such as certain DOJ sites, you can't even get around the security warning:

In a twist of fate, the usdoj.gov domain — and all of its subdomains — are included in Chromium's HSTS preload list. This is a prudent security measure which forces modern browsers to only use secure, encrypted protocols when accessing the U.S. DoJ websites; however, it will also prevent users from visiting the HTTPS sites when an expired certificate is encountered. In these cases, modern browsers like Google Chrome and Mozilla Firefox deliberately hide the advanced option that would let the user bypass the warning and continue through to the site.

There are some government websites that you can click through on, but as Netcraft notes, this could allow for man-in-the-middle attacks or other security risks:

This introduces some realistic security concerns, as task-oriented users are more likely to ignore these security warnings, and will therefore render themselves vulnerable to man-in-the-middle attacks.

If the shutdown continues for a while, this problem could get significantly worse. I know that Wall Street put pressure on the government to have certain IRS employees suddenly deemed "essential" to help Wall Street keep functioning smoothly; perhaps someone might want to deem the people renewing security certs similarly essential? Or, you know what, maybe just re-open the damn government.
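The two failure modes Netcraft describes can be told apart ahead of time from a certificate inventory. The sketch below is an added example, not code from Netcraft or Techdirt: it classifies each host by certificate expiry and by whether HSTS would remove the browser's click-through option. The `PRELOAD` table is a one-entry stand-in for a browser's preload list, the `agency.example` hosts and their dates are constructed, and the `ows2.usdoj.gov` expiry is the one reported in the reader comments on this page.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Stand-in for a browser's HSTS preload list: domain -> includeSubDomains.
# Only the entry the article names is listed here.
PRELOAD = {"usdoj.gov": True}


def preloaded(host, preload=PRELOAD):
    """True if host, or a parent preloaded with includeSubDomains, is listed."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        domain = ".".join(labels[i:])
        if domain in preload and (i == 0 or preload[domain]):
            return True
    return False


def header_max_age(header):
    """max-age in seconds from a Strict-Transport-Security value, else 0."""
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isascii() and value.isdigit() else 0
    return 0


def classify(host, not_after, now, hsts_header=None, warn_days=30):
    """Map one certificate to the outcome a browser user would see."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), timezone.utc)
    if now < expires - timedelta(days=warn_days):
        return "ok"
    if now < expires:
        return "renew-soon"
    # Expired. With HSTS in force (preloaded, or a policy the browser cached
    # from an earlier visit) the warning has no bypass: the site is unreachable.
    if preloaded(host) or header_max_age(hsts_header) > 0:
        return "expired-blocked"
    # Without HSTS the user can click through, which is the MITM exposure.
    return "expired-bypassable"


# Constructed inventory: (host, notAfter in the format ssl.getpeercert()
# reports, HSTS header the host serves). Only the first row's host and
# expiry (6:34 PM at UTC+1, per a reader comment) come from this page.
INVENTORY = [
    ("ows2.usdoj.gov", "Dec 17 17:34:00 2018 GMT", None),
    ("pay.agency.example", "Jan 11 12:00:00 2019 GMT", None),
    ("vpn.agency.example", "Jan 10 00:00:00 2019 GMT",
     "max-age=31536000; includeSubDomains"),
    ("www.agency.example", "Feb 11 00:00:00 2019 GMT", None),
    ("docs.agency.example", "Nov 30 00:00:00 2019 GMT", None),
]
NOW = datetime(2019, 1, 15, 9, 56, tzinfo=timezone.utc)  # constructed "today"


def report(inventory=INVENTORY, now=NOW):
    """Return {host: status} for every certificate in the inventory."""
    return {host: classify(host, na, now, hdr) for host, na, hdr in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{status:20} {host}")
```

Hosts in the `renew-soon` bucket are the ones an automated renewal or an alert has to catch before the people who renew them by hand become unavailable.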

Filed Under: encryption, government shutdown, https, security certificates, tls


Reader Comments


  • Anonymous Coward, 14 Jan 2019 @ 12:29pm

    Or they could automate the renewal with things like "Let's Encrypt".

    Of course that would not solve all problems, but it would need less human intervention.

    • PaulT, 14 Jan 2019 @ 12:55pm

      Re:

      I'd have to question whether that's even possible given the differences in registration requirements between .com and .gov.

      Either way, there are many examples of similar issues in the private sector, they're just normally not directly due to a spoiled toddler having a tantrum.

      • Rocky, 14 Jan 2019 @ 2:17pm

        Re: Re:

        > Either way, there are many examples of similar issues in the private sector, they're just normally not directly due to a spoiled toddler having a tantrum.
        [citation needed]

        ..checks twitter...nvm...

    • NoOne, 14 Jan 2019 @ 5:59pm

      Re: certificates

      Honestly, who has time to manually pull certs? There are quite a few scripts out there to do this from every provider for almost every type of cert.

      • PaulT, 15 Jan 2019 @ 12:51am

        Re: Re: certificates

        I'd imagine automation is something that's slow to be approved in the public sector. I wouldn't even be surprised if such a thing is explicitly prevented in order to allow for contract renegotiation, etc. or so as not to imply favouritism toward a specific supplier.

        Also, never underestimate the power of management who will favour an inferior solution due to a brand name or because they know a paid solution will give them an out when their incompetence is revealed.

        • Cowardly Lion, 15 Jan 2019 @ 1:21am

          Re: Re: Re: certificates

          > I'd imagine automation is something that's slow to be approved in the public sector.

          Not just slow, but likely to never happen. The UK gov sites we admin are managed by an elaborate paper driven procedure agreed when Edward was on the throne. It's triggered by an internal Business Team that asks the Technical Team to generate their certificate request files, upon which they then obtain the necessary certs from the providers. Once obtained, they hand them over to an internal Security Team, who audit/vet them before handing them to the Technical Team for implementation. And that's the simple version; there are other internal/external Business Units and external Security Teams in the loop.

          2 weeks minimum. It's like 'Yes Minister', on steroids.

          • PaulT, 15 Jan 2019 @ 1:56am

            Re: Re: Re: Re: certificates

            That's what I imagined. I've never really worked in the public sector, but I've seen the bureaucracy in some larger corporate environments in action and have seen no reason to assume that government work would be more streamlined.

            Hopefully some thinking people in the US will take this as a warning, though - if something as predictable and easily automated as certificate renewal is failing, just imagine what else is getting ready to collapse.

  • Anonymous Coward, 14 Jan 2019 @ 12:31pm

    I'm all for re-opening the damn government.

    • Anonymous Coward, 14 Jan 2019 @ 12:34pm

      Re:

      The longer it stays shut down, the longer people have to realize that the benefits of having it don't outweigh the negatives. They will reopen before too long or else find themselves replaced with a working one.

      • Stephen T. Stone, 14 Jan 2019 @ 12:54pm

        Re: Re:

        > The longer it stays shut down, the longer people have to realize that the benefits of having it don't outweigh the negatives.

        I would love to believe this is true, but the people who probably should be learning this lesson are likely people who voted into office the man responsible for the shutdown.

        • PaulT, 14 Jan 2019 @ 12:59pm

          Re: Re: Re:

          The way this cycle goes is that the people who have just been voted in get blamed for not fixing the damage quickly enough, rather than the people who burned it to the ground in the first place. It's a sad truth, but sadly a truth.

          • Paul Brinker, 14 Jan 2019 @ 1:20pm

            Re: Re: Re: Re:

            Given the problem is from before the new House took hold, and Trump is simply not negotiating nor putting someone in charge of negotiating, this is simply China Tariffs 2.0 and most people do know who caused the problem.

            • Thad, 14 Jan 2019 @ 2:03pm

              Re: Re: Re: Re: Re:

              I think his saying, out loud and in front of cameras, that he would take the blame for the shutdown may have played a role too.

              • Gary, 14 Jan 2019 @ 4:06pm

                Re: Re: Re: Re: Re: Re: Blame

                He also said - quite loudly when someone else was in office, that only the president can be blamed for a shutdown.

                Also: Wall = silliness. Press releases about it = lies and misstatements. Something thinking people fact-check every time he opens his lie-hole.

      • Thad, 14 Jan 2019 @ 1:09pm

        Re: Re:

        How's that paint tasting, Chip?

    • Anonymous Coward, 14 Jan 2019 @ 12:35pm

      Re:

      Seconded.

  • norahc, 14 Jan 2019 @ 12:33pm

    Too bad it's not affecting Trump's Twitter account too.

  • Lawrence D’Oliveiro, 14 Jan 2019 @ 12:49pm

    Government Actually Gets Things Done -- Who Knew?

    Isn’t there a certain class of USian who regularly claims that Government never gets things right and always gets in the way?

    Yet here you are, take away the Government for just a few days, and suddenly everybody starts to miss it.

    • Anonymous Coward, 14 Jan 2019 @ 2:31pm

      Re: Government Actually Gets Things Done -- Who Knew?

      By "everybody" I think you mean "government employees who have been furloughed and a small handful of others". The rest of us haven't really noticed a difference. In fact, it seems to me that the government could shut down every year for all but maybe a couple weeks out of the year and we'd all get to pay less in taxes.

      At least there is no new terrible legislation going through right now.

      • bob, 14 Jan 2019 @ 2:44pm

        Re: Re: Government Actually Gets Things Done -- Who Knew?

        You may not notice anything yet but the problem is as this continues you will come to wish the government did operate. Also that the damage to the country will become more permanent.

        Yes there are things that can be trimmed from current operations. The problem with a shutdown is that it is like using a chainsaw instead of a scalpel when doing the trimming. You end up losing a lot more than just fat and the opening won't heal correctly either.

      • Anonymous Coward, 14 Jan 2019 @ 3:07pm

        Re: Re: Government Actually Gets Things Done -- Who Knew?

        >At least there is no new terrible legislation going through right now.

        What reality are you living in? Congress is still functioning, as is the White House. It's just the people to do the work to implement the laws who are furloughed.

        • Anonymous Coward, 14 Jan 2019 @ 3:14pm

          Re: Re: Re: Government Actually Gets Things Done -- Who Knew?

          "functioning" is being a bit (ok, a lot) generous. They may still receive paychecks but spending too much time doing anything other than trying to find a way to end the shutdown would be a terrible PR move.

          • Anonymous Coward, 14 Jan 2019 @ 4:43pm

            Re: Re: Re: Re: Government Actually Gets Things Done -- Who Knew

            > "functioning" is being a bit (ok, a lot) generous

            So no change from before the shutdown then.

      • Anonymous Coward, 14 Jan 2019 @ 3:42pm

        Re: Re: Government Actually Gets Things Done -- Who Knew?

        I like how you have the audacity to speak for some 327 million people. Makes me think your balls are much, much bigger than your brains.

      • PaulT, 15 Jan 2019 @ 12:25am

        Re: Re: Government Actually Gets Things Done -- Who Knew?

        "The rest of us haven't really noticed a difference"

        Oh, but you will. I'm sorry to see that you're so incapable of critical thinking that you have to wait for the damage to hit you personally, rather than take easy preventative measures to stop it from happening.

        "we'd all get to pay less in taxes."

        Yet, you apparently support something that's guaranteed to cost you billions, at minimum. Strange.

  • Anonymous Coward, 14 Jan 2019 @ 12:55pm

    I've been enjoying this government shutdown. Like the national parks having the gates left open and forgoing the $35 entrance fee, free camping, etc. (though by now trash may be getting oppressive) Unlike the Obama shutdown, which went out of its way to force shut everything on federal lands from parks to bike trails to major highways.

    But it makes no sense why the government can't do any labor-shifting, in much the same way that companies routinely handle strikes by sending the executives and engineers to work the assembly lines? The vast majority of the federal government does not do anything that's essential on a daily basis, and the fully-funded parts, such as the military, could easily switch to other duties.

    • PaulT, 14 Jan 2019 @ 1:03pm

      Re:

      "the fully-funded parts, such as the military, could easily switch to other duties."

      I don't know what's more sad. The fact that you freely admit that the insane amount of money that you spend on your military would be better spent elsewhere. Or, the fact that you believe that your government doesn't hire anyone with any actual professional knowledge or experience since they're so easily replaced.

    • Stephen T. Stone, 14 Jan 2019 @ 1:15pm

      Re:

      > I've been enjoying this government shutdown. Like the national parks having the gates left open and forgoing the $35 entrance fee, free camping, etc.

      I wonder if you’re also a fan of all the vandalism, too.

    • Anonymous Coward, 14 Jan 2019 @ 1:20pm

      Re:

      Who let the dinosaurs out?

    • Anonymous Coward, 14 Jan 2019 @ 1:24pm

      Re:

      I don't know about you, but I'm terrified that more government workers aren't classified as essential. Safety inspectors for the FAA are currently furloughed. That means inspections just aren't happening. Think about that for a minute. Hell, I'm glad I'm not an airline investor. Between the lack of inspections and the lack of pay for air traffic controllers this shutdown is turning air travel into the worst game of Russian roulette ever. Then again if there is a crash that can be traced to the shutdown as the root cause maybe the airlines will soon be wealthy if they can sue the government for negligence.

      • Anonymous Coward, 14 Jan 2019 @ 2:35pm

        Re: Re:

        The inspectors verify that the airlines have done their jobs. If the airlines can blame-shift their negligence onto the inspectors because they didn't do the inspection it will be a sad day for us all.

        Blame where it's due. In software we don't blame our Quality Assurance people when they fail to catch a bug written by Engineering. We praise them when they do but Engineering is at fault for bugs. Always. No difference in other industries.

        • Anonymous Coward, 14 Jan 2019 @ 6:34pm

          Re: Re: Re:

          > In software we don't blame our Quality Assurance people when they fail to catch a bug written by Engineering.

          This is how we can tell you're lying.

        • PaulT, 15 Jan 2019 @ 12:32am

          Re: Re: Re:

          "If the airlines can blame-shift their negligence onto the inspectors because they didn't do the inspection it will be a sad day for us all."

          Yet, that's what they'll do. Quite often, these things are there because companies cut corners to save money. Plenty of middle management types spend their days raging at people who won't let them put margins over and above people's safety, because they always believe they know better and the precautions are not necessary.

          Now they can take shortcuts *and* blame the lack of oversight when problems aren't caught - and you think this won't happen?

          "In software we don't blame our Quality Assurance people when they fail to catch a bug written by Engineering"

          I somehow doubt you've ever worked in industry, certainly not for a larger corporate entity.

    • Anonymous Coward, 14 Jan 2019 @ 1:36pm

      Re:

      > The vast majority of the federal government does not do anything that's essential on a daily basis

      Please. Oh PLEASE give me an example. This is your libertarian wet dream. A society without a government telling you what to do. I am giving you the power. Who do you behead to never return? Oh please tell me oh wise one who never needs to see a paycheck again? Please tell me what services are not important enough.

      • Anonymous Coward, 14 Jan 2019 @ 1:56pm

        Re: Re:

        "Please. Oh PLEASE give me an example."

        Just to name one, HUD, the Department of Housing and Urban Development, would be high on my list of "federal agencies that are not just useless, but counter-productive."

        Much of the gargantuan federal government is basically a "workfare" program for minorities. Perhaps it served a real need back in the 1960s when Johnson's "Great Society" programs were born, but today serves as a lingering remnant of the kind of socialism that even hardline socialist countries abandoned.

      • Anonymous Coward, 14 Jan 2019 @ 2:37pm

        Re: Re:

        > This is your libertarian wet dream.

        It's also a dream of the Republicans who favor smaller government. At least in theory.

    • Anonymous Coward, 14 Jan 2019 @ 3:45pm

      Re:

      That’s a real nice butbutbutObama you got there bro. Also you’ve obviously never been in a strike or have the remotest clue how a business runs during one.

    • Anonymous Coward, 14 Jan 2019 @ 8:22pm

      Re:

      You know I wouldn’t let a doctor work on my car and I sure as shit wouldn’t want a GI inspecting my food or trying to monitor air quality or hell, being a project manager at the VA. I don’t know what fantasy world you live in where mid level managers know how to drop an engine block into a car or demolitions expert can run IRS tax software.

    • Wendy Cockcroft, 15 Jan 2019 @ 5:44am

      Re:

      https://en.wikipedia.org/wiki/United_States_federal_government_shutdown_of_2013

      That was the GOP's fault; the idea was to derail the Affordable Care Act.

  • Bruce C., 14 Jan 2019 @ 1:23pm

    For all you know they may be doing some labor-shifting, but the upper level appointees are probably bogged down doing the lower level work that's required for them to do their executive work. Manning the entry booth at a national park doesn't qualify.

    There's probably also some civil service regulations to prevent Civil Service work being done by appointees. Otherwise it would be too easy to terminate employees for political reasons.

    I wish the Dems would pass a bill with a border wall, but also with everything from Student Loan forgiveness to DACA and other immigration reforms. Give Pres. Trump a choice: either a clean bill with no wall, or a bill that funds his symbolic pork-barrel, but forces him to accept a significant part of their agenda in return. At a minimum, roll back some of the Trump corp and high-income tax cuts to "pay for the wall".

    Oh, and explicitly fund the Mueller investigation to the end of the FY, so the new DoJ leadership doesn't play games with their budget.

    • Stephen T. Stone, 14 Jan 2019 @ 1:31pm

      Re:

      > I wish the Dems would pass a bill with a border wall, but

      Everything after this assumes the Senate would pass the same bill and force Trump into making a decision. Since Mitch McConnell would probably rather die than put Trump in the path of a Sophie’s Choice like yours (and a could-be-successful override vote in the Senate if he chooses to veto), I doubt that would happen.

    • Anonymous Coward, 14 Jan 2019 @ 1:40pm

      Re:

      Nah that is bad form. It allows Trump/GOP to completely change the conversation and rightfully flip the argument so the Dems are trying to play politics with the budget, that they are being the stubborn ones by only accepting a bill with X additions. Everyone with half a brain sees the only stubborn one is Trump here. Adding in the political wishlist for the Dems flips that argument.

  • Anonymous Coward, 14 Jan 2019 @ 2:54pm

    Commentary

    Proposal: make all government functions non-essential.

    Prediction: threat of imminent collapse will galvanize unanimous response.

    Warning: response will have high likelihood of unintended consequences.

    Optimism: UBI (universal basic income) utopia

    Pessimism: new dark age dictatorship

    • Wendy Cockcroft, 15 Jan 2019 @ 5:46am

      Re: Commentary

      UBI would not result in Utopia. At all.

      What it would do is force the likes of me to pay more tax so the idle rich could have pocket money.

      • Thad, 15 Jan 2019 @ 7:51am

        Re: Re: Commentary

        Perhaps, but the cost of means testing would exceed the benefits.

        I'm okay with paying more in taxes to make sure nobody starves. If that means pocket change for the idle rich, that's a price I'm willing to pay. Just as I don't mind paying for rich kids to go to public school, should their parents so choose.

  • Whoever, 14 Jan 2019 @ 3:15pm

    Incompetence, not shutdown.

    The certificate for the example you show (ows2.usdoj.gov) expired on December 17, before the shutdown started.

    • Anonymous Coward, 14 Jan 2019 @ 4:48pm

      Re: Incompetence, not shutdown.

      If that's true, that makes one wonder if there isn't a conspiracy to make it look worse than it is.

      One would presume that it would have been noticed *before* the shutdown if it was expired... but it seems everyone noticed it *after* the shutdown started.

      Was it reverted to the older cert after the shutdown?

      • PaulT, 15 Jan 2019 @ 3:26am

        Re: Re: Incompetence, not shutdown.

        "One would presume that it would have been noticed *before* the shutdown if it was expired"

        Who says it wasn't?

        "but it seems everyone noticed it *after* the shutdown started."

        By "everybody" you mean Netcraft and by "after the shutdown started", you mean "after the certificates expired" (most of which examined having expired after the shutdown).

        "Was it reverted to the older cert after the shutdown?"

        Occam's razor does help with most such conspiracy theories. Which is more likely - relatively mundane repetitive tasks are simply not being done by a department which is shut down for the second time in the space of a year, or that people are deliberately reinstalling expired certificates in order to make it look like they're more important than they are?

    • Anonymous Coward, 15 Jan 2019 @ 2:57am

      Verified:

      The certificate expired on December 17, 2018, 6:34 PM. The current time is January 15, 2019, 10:56 AM. (my time zone is UTC+1)

      • PaulT, 15 Jan 2019 @ 3:14am

        Re:

        It's not quite as damning with that in mind, but pretending those dates mean the certificate expiry has nothing to do with the shutdown is probably just as disingenuous as saying there were no other factors.

    • PaulT, 15 Jan 2019 @ 3:18am

      Re: Incompetence, not shutdown.

      Well done, you located a date mentioned in the linked article. There are others mentioned, with more recent expiry dates.

  • Glenn, 15 Jan 2019 @ 3:06am

    Over the past 2 years Trump has proven he's incapable of doing the job of POTUS. Now, he's unwilling to even go through the motions. Since he refuses to work, he should just be fired.

    Of course he's a Russian agent. It's been clear for some time that his goal is to ruin this country.

    Just shut him down and put a wall around him--four walls actually... like a prison cell? (you know, for treason).

    • Toom1275, 15 Jan 2019 @ 8:30am

      Re:

      Your first point is inaccurate.

      Trump proved his complete incompetence at presidenting beyond all reasonable doubt long before his election. The two years after have merely been putting adamantine reinforcement on it.

      • PaulT, 15 Jan 2019 @ 8:51am

        Re: Re:

        He promised to run the government like one of his businesses. Those who voted for him just didn't bother to do the research to see that the way he did that was by running them into bankruptcy and stiffing contractors.
