Following a partial U.S. government shutdown caused by the deadlock between the Democratic Party and Donald Trump over the Mexican border wall, dozens of government websites can no longer be accessed, or are flagged as using insecure connections, because their TLS certificates have not been renewed.
The websites of the U.S. Department of Justice, NASA, and the Court of Appeals are among those hit by the government’s failure to renew around 80 TLS certificates used on .gov domains.
.gov websites with expired certificates on the HSTS preload list now inaccessible
One of the websites affected by this mishap is the Department of Justice’s https://ows2.usdoj.gov/, which displays an error message warning visitors that the connection is not private or not secure, depending on the browser used.
To make things worse, because ows2.usdoj.gov is also on Chromium’s HTTP Strict Transport Security (HSTS) preload list, the website cannot be opened at all: both Google Chrome and Mozilla Firefox hide the button that would otherwise let users temporarily ignore the warning and proceed to the site.
Furthermore, since most other web browsers use their own HSTS preload lists derived from the Chrome one, there is nothing users can do to load the .gov websites temporarily broken by the expired TLS certificates.
Government sites that are not on the HSTS preload list will open after users click the ‘Advanced’ button at the bottom of the warning and choose to proceed, but doing so carries risks.
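The two failure modes described above (an expired certificate on a preloaded host hard-fails in the browser, while a non-preloaded host degrades to a click-through warning) are exactly what an operator’s certificate-expiry monitoring should surface before the notAfter date arrives. The following is an added example, not code from the article or from any of the organizations it quotes: it works on `getpeercert()`-style certificate dicts and raw `Strict-Transport-Security` header values so it runs offline, and the hostnames, dates and headers are constructed. The preload thresholds (one-year `max-age`, `includeSubDomains`, `preload`) are my assumption of the hstspreload.org submission rules, not something the article states.

```python
"""Audit TLS certificate expiry and HSTS state for a set of hosts.

Added example (not from the article). Works on getpeercert()-style dicts and
Strict-Transport-Security header values so it runs offline; the hosts,
certificates and headers below are constructed, not real data.
"""
import socket
import ssl
from datetime import datetime, timezone

# Assumed thresholds, taken from hstspreload.org's submission rules as I
# understand them: max-age of at least one year, includeSubDomains, preload.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header):
    """Parse an HSTS header value into its three directives."""
    max_age, include_sub, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                max_age = None  # malformed max-age: treat as absent
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return {"max_age": max_age, "include_subdomains": include_sub, "preload": preload}


def meets_preload_policy(header):
    """True if the header carries everything the preload list requires (assumed thresholds)."""
    h = parse_hsts(header)
    return (h["max_age"] is not None and h["max_age"] >= PRELOAD_MIN_MAX_AGE
            and h["include_subdomains"] and h["preload"])


def days_until_expiry(cert, now):
    """Days from `now` (aware UTC datetime) to the cert's notAfter; negative once expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400.0


def classify(cert, now, warn_days=30):
    """'expired', 'expiring' (inside the warning window) or 'ok'."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days < warn_days:
        return "expiring"
    return "ok"


def audit(hosts, preloaded, now, warn_days=30):
    """One finding per (hostname, cert_dict, hsts_header_or_None) entry.

    `preloaded` is the set of hostnames known to be on the browser preload list.
    """
    findings = {}
    for hostname, cert, hsts in hosts:
        status = classify(cert, now, warn_days)
        on_list = hostname in preloaded
        if status != "expired":
            behaviour = "ok"
        elif on_list:
            # Preloaded host: browsers refuse the connection, no click-through.
            behaviour = "hard fail, no click-through"
        else:
            # Non-preloaded host: interstitial warning the user can bypass.
            behaviour = "interstitial warning, click-through possible"
        findings[hostname] = {
            "status": status,
            "days_left": round(days_until_expiry(cert, now), 1),
            "preloaded": on_list,
            "browser_behaviour": behaviour,
            "hsts_preload_ready": meets_preload_policy(hsts) if hsts else False,
        }
    return findings


def fetch_cert(hostname, port=443, timeout=5.0):
    """Live check (needs network): return the peer certificate dict for a host.

    The default verifying context rejects an expired certificate with
    ssl.SSLCertVerificationError, which the caller can record as a finding.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample data: hostnames, dates and headers are invented.
SAMPLE_NOW = datetime(2019, 1, 10, tzinfo=timezone.utc)
SAMPLE_PRELOADED = {"preloaded.example.gov"}
SAMPLE_HOSTS = [
    ("preloaded.example.gov", {"notAfter": "Dec 22 23:59:59 2018 GMT"},
     "max-age=31536000; includeSubDomains; preload"),
    ("plain.example.gov", {"notAfter": "Dec 22 23:59:59 2018 GMT"}, None),
    ("soon.example.gov", {"notAfter": "Jan 25 00:00:00 2019 GMT"}, "max-age=86400"),
    ("fine.example.gov", {"notAfter": "Feb 15 12:00:00 2019 GMT"},
     "max-age=31536000; includeSubDomains; preload"),
]

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_HOSTS, SAMPLE_PRELOADED, SAMPLE_NOW).items():
        print(host, finding)
```

Run against live hosts, replace the sample dicts with the result of `fetch_cert()` (or catch `ssl.SSLCertVerificationError` and record the host as expired) and feed the audit a copy of the browser preload list; the `warn_days` window is what turns the check into an alert before renewal lapses, which is the gap the shutdown exposed.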
Expired certificates increase the risk of fraud and identity theft
According to GlobalSign, people who still choose to use websites with expired TLS certificates are exposed to:
Personal information at risk from man-in-the-middle attacks
Individuals susceptible to fraud and identity theft
“Until US Congress resumes services it is inevitable that we will see expired certificates and this example just goes to show how vulnerable organizations who are susceptible to shutdown can be,” said GlobalSign’s Managing Director, Paul Tourret.
“As more and more certificates used by government websites inevitably expire over the following days, weeks — or maybe even months — there could be some realistic opportunities to undermine the security of all U.S. citizens,” according to Netcraft’s Paul Mutton who discovered the expired .gov TLS certificates and the issues they’re causing.
Update: Removed the “insecure” term from the title to avoid confusion.