US Government Shutdown Disrupts Security On .Gov Sites

Researchers have found dozens of expired security certificates on US government websites, many affecting sensitive services.

The expired certificates, which security firm Netcraft said had probably not been renewed due to the ongoing partial US government shutdown, make some services difficult to access, while in other cases they may expose users to risks.

The sites affected include government payment portals and remote access services used by organisations including NASA, the Department of Justice and the Court of Appeals.

The shutdown, the longest in US history, occurred due to conflict over approving the government’s budget.  It has affected around 800,000 federal staff, with roughly half of those having been placed on furlough.

Image credit: Netcraft

Sites blocked

Netcraft found that more than 80 TLS certificates used by .gov websites had expired and had not been renewed, with some of the sites being made all but inaccessible due to the expiration.

One site used by the Department of Justice, for instance, uses a certificate that expired on 17 December of last year, is inaccessible due to its use of a strict policy that bars most browsers from loading the page if the certificate has expired.

The policy, called HSTS preloading, means that if a site’s certificate has expired, users see an error message when they try to access the site.

The error message can be bypassed using advanced settings, but those are deliberately made difficult to spot, Netcraft said.

“While this behaviour is bound to frustrate some users, in this case, security is arguably better than usability,” said Netcraft’s Paul Mutton in an advisory.

Image credit: Netcraft

Insecure login

Other US government sites lack correctly functioning HSTS policies and instead only display an interstitial warning that can easily be bypassed, Mutton said.

Those sites may present security concerns, since many users are likely to access them without a working security certificate.

That can expose them to risks such as man-in-the-middle attacks, Mutton said. Such attacks effectively allow an attacker to eavesdrop on the user’s communication with a site, potentially stealing sensitive data such as login credentials.

Netcraft found that one Berkeley Lab government website, for instance, presented a login form with an expired certificate.

“As there is no effective HSTS policy, users can ignore the browser’s warnings and proceed to the login form,” Mutton wrote.

He said the government shutdown is likely to mean more ongoing security risks.

“As more and more certificates used by government websites inevitably expire over the following days, weeks — or maybe even months — there could be some realistic opportunities to undermine the security of all U.S. citizens,” Mutton wrote.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Samsung Warns Striking Workers In India Of No Pay, Possible Termination

Industrial dispute of Samsung workers in India escalates, as tech giant warns of no pay…

11 hours ago

Ukraine Bans Telegram On State-Issued Devices

National security move. Ukraine reportedly bans Telegram on state-issued devices due to Russian security threat

14 hours ago

Brazil’s Judge Accuses X of ‘Willful’ Circumvention

X at risk of $900,000 daily fine, as Justice de Moraes calls out “willful, illegal…

14 hours ago

YouTube Confirms Ads When Screen Is Paused

Chasing the almighty dollar. Alphabet's YouTube reportedly confirms it is delivering adverts on a user's…

1 day ago