Shutdown hits government websites as certificates begin to expire

The US government shutdown is affecting more than just physical sites like national parks and monuments. Now, government websites are shutting down as their TLS certificates expire, according to internet security and statistics company Netcraft. In an online post, the company says that more than 80 websites using the .gov domain have been made insecure or inaccessible thanks to expired certificates.

TLS certificates are used by websites communicating over encrypted, HTTPS connections. A certificate is used to sign a website’s public encryption key, which ensures that your communication with that website is private and secure: you know which site you’re talking to, and that nobody else is listening in.

The website’s certificate is itself signed for by a CA (Certificate Authority) that your browser trusts. Site owners have to renew their certificates every so often, to prove that they’re still the legitimate owners of the site’s encryption keys.

If you visit a site with an expired certificate then your browser will notice and issue a strong warning.

The US government isn’t doing anything deemed nonessential under the current shutdown, and that seems to include renewing TLS certificates. As they expire, sites are beginning to throw expired certificate warnings, and in many cases become unavailable altogether.

One example is NASA’s rocket testing site at https://rockettest.nasa.gov, which throws what’s called an interstitial warning. This means that the certificate has expired, but the browser gives you the option to ignore the warning and visit the website anyway at your own risk. Another site taking this approach to its expired certificate is https://ecf-test.ca6.uscourts.gov, a site used by the US Court of Appeals.

Some sites don’t allow visitors to click past certificate warnings at all, thanks to their inclusion on the HSTS (HTTP Strict Transport Security) preload list. This is a list of sites, maintained by most browser vendors, that can only be visited over HTTPS and have prohibited click-throughs should their domains expire.

Many sites often include themselves on the HSTS Preload list as a failsafe. The argument is that it’s better to block visits altogether in the event of an expired certificate rather than to risk having your communications with the site being intercepted or diverted.

For example, the certificate for the Department of Justice website https://ows2.usdoj.gov expired on 5 January, meaning that it throws a certificate warning when people try to visit it. Because it includes itself on the HSTS preload list, visitors don’t get the chance to click past the warning and see the site.

How bad could things get for the US government’s web presence? It’s possible that more government site certificates will expire if things continue, but some might be set to auto-renew, meaning that their certificates are updated before they expire.

Could things get worse as government domains themselves – which also have to be renewed – expire? Perhaps, although it’s worth noting that .gov domains can only be registered by authorized departments via the US Government’s DotGov organization. This makes it far less likely that some online crook somewhere could begin buying them and impersonating government departments online.

Having said that, manipulating search results is likely to be a lot easier for attackers if government websites shut down completely. It will be easier to increase the ranking for a fake site with the same name as a government site if search engines can no longer reach the real site.

The other worry facing government website users is that they may stay available, but not be updated. While still technically accessible online, several sites have explained that they will not be maintained during the shutdown: https://www.data.gov, https://www.selectusa.gov, https://www.nist.gov, and https://www.iat.gov are among them.

The takeaway? Be wary when visiting US government sites that display a certificate error. Just because a certificate warning allows you to click through to a site doesn’t mean that you should. Better safe than sorry.