US Government Websites Stop Working After TLS Certificates Expire
- This comes after the US federal government shutdown partially in December 2018.
- TLS certificates of these sites are still pending for renewal despite the looming cyber threats.
Earlier today, Netcraft, a security services company reported that many government (.gov) domain websites were down as a result of the sites’ TLS expiration. More than 80 TLS certificates have elapsed their validity including that of sites belonging to NASA, Department of Justice among others. Some instances even show browsers displaying a warning message when these sites are tried to access.
The ongoing federal government shutdown is attributed to be one of the reasons for this crisis. Consequently, thousands of federal employees (in IT support) are on leave of absence, which is why the sites are currently not servicing any new requests.
To make it worse, TLS certificates are still not renewed leaving these sites vulnerable to attacks. Meanwhile, the web browsers are alerting users with warnings about the security risk due to the expired certificates on these websites.
Browsers playing a big role
Netcraft also mentioned how browsers are critical to averting cyber threats. “The usdoj.gov domain — and all of its subdomains — are included in Chromium's HSTS preload list. This is a prudent security measure which forces modern browsers to only use secure, encrypted protocols when accessing the U.S. DoJ websites; however, it will also prevent users from visiting the HTTPS sites when an expired certificate is encountered. In these cases, modern browsers like Google Chrome and Mozilla Firefox deliberately hide the advanced option that would let the user bypass the warning and continue through to the site.”
While visiting and browsing the content on the site is alright, users should be aware that the government websites are not actively managed due to lack of employees for processing requests or updating the information present on the government websites.
Hence, security companies advise users to not provide any sensitive information such as passwords and other details that can compromise their privacy since they are susceptible to fall in the hands of threat actors.