As the U.S. federal shutdown continues, dozens of U.S. government websites have been rendered either insecure or inaccessible due to expired transport layer security (TLS) certificates that have not been renewed.
In fact, .gov websites are using more than 80 TLS certificates that have expired, according to a new Thursday report by Netcraft. That’s because funding for renewals has been paused. That opens the impacted sites to an array of cyber-attacks; most notably, man-in the-middle attacks, which allow bad actors to intercept exchanges between a user and a web application—either to eavesdrop or to impersonate the website and steal any data that the user may input.
Dozens of sites are impacted, which include sensitive government payment portals and remote access services for organizations like NASA, the U.S. Department of Justice and the Court of Appeals.
The security issue has raised alarms as the U.S. government continues to be crippled by a partial government shutdown, which as of Friday has been ongoing for 21 days. About 800,000 federal employees are furloughed or temporarily working without pay, and millions more government contractors have been told not to come to work.
“With Donald Trump seemingly unwilling to compromise on his demands for a wall along the border with Mexico, and Democrats refusing to approve a budget containing $5.7B for the wall, the hundreds of thousands of unpaid federal employees might not be the only ones hurting,” said Netcraft. “As more and more certificates used by government websites inevitably expire over the following days, weeks — or maybe even months — there could be some realistic opportunities to undermine the security of all U.S. citizens.”
One impacted U.S. website, belonging to the Department of Justice, uses a certificate that expired in the week leading up the shutdown. According to Netcraft, the certificate was signed by trusted certificate authority GoDaddy – but it has not been renewed since it expired on December 17.
Another, the .gov website for Berkeley Lab, expired on January 8 and has not yet been replaced.
The issue has sparked concerns in the infosec space about how the sensitive government websites can be abused – and what other security issues are raised due to the shutdown.
“How many critical governmental systems are currently unmaintained, outdated and thus vulnerable? It seems to be a great opportunity for nation-state hacking groups to exploit U.S.’ momentary weakness to steal or alter extremely sensitive information,” High-Tech Bridge’s CEO Ilia Kolochenko said in an email.
HSTS Policies
Luckily, certain security measures were implemented before the shutdown that protects some .gov websites from cyber-attacks when their certificates have expired – but the downside is that those protected websites can no longer be accessed.
The security measure puts certain usdoj.gov domains and any subdomains that are on Chromium’s HSTS preload list, which is a list of sites hard-coded into Chrome as being HTTPS only. This security measure prevents users from visiting the HTTPS sites when they have an expired certificate.
However, not all sites implement the HSTS policies, and “consequently, most of the affected sites will display an interstitial security warning that the user will be able to bypass,” Netcraft said. While that means that the websites can at least be accessed, “this introduces some realistic security concerns, as task-oriented users are more likely to ignore these security warnings, and will therefore render themselves vulnerable to man-in-the-middle attacks.”
Gov Shutdown’s Impact on Security
As the government shutdown continues, it has an array of impacts across the board when it comes to security.
Fortalice Solutions’ Theresa Payton, the former White House CIO, said that the shutdown has an array of implications for cybersecurity issues across the country, including short-staffing agencies that are working on cybersecurity, spooking cybersecurity professionals who might otherwise be interested in public service or government contracting, and interfering with timelines for contracts.
“Leaders and legislators on both sides of the aisle would do well to take an ‘all-of-the-above’ approach when it comes to this shutdown and our national security goals,” she told Threatpost.
Kolochenko meanwhile said that moving forward, an emergency plan needs to be developed to deal with continuing critical security measures even during a government shutdown.
“The situation… points to a continuity plan that is poorly implemented in some federal agencies: Critical cybersecurity tasks and processes have to be maintained even if financing is temporarily paused,” Kolochenko said. “Otherwise, the entire model of governmental cybersecurity is questionable, and people may reasonably inquire where do their taxes go.”