With the highly publicised partial shutdown of the U.S. government, we are beginning to see dozens of U.S. government websites being rendered either insecure or completely inaccessible. Among them are sensitive government remote access services and payment portals, impacting the likes of the DoJ, NASA and the Court of Appeals.
An estimated 800,000 federal workers are currently unable to work and going without pay. 80+ TLS certificates in use on .gov websites are known to have expired without anyone to renew them. And to compound the situation, many of these abandoned websites have become inaccessible as strict security measures, implemented long before the shutdown was enforced, have been triggered.
One example of this is a website for the U.S. Department of Justice which uses a certificate that expired during the final week before the shutdown. The certificate is signed by a reputable certificate authority, but it expired on 17 December 2018 with no sign of renewal.
As it happens, the DoJ’s primary domain and every subdomain associated with it are to be found on Chromium’s HSTS preload list. Inclusion in the list is a potent security measure that forces all modern browsers to only grant access to fully secured, encrypted protocols when visiting the websites of the U.S. DoJ, but it also blocks users from visiting HTTPS sites if their certificate has expired. Consequently, browsers like Mozilla Firefox and Google Chrome remove the ‘advanced’ option that would enable users to overrule the warning and gain access to the site.
Working to protect the security of U.S. citizens
This behaviour will be frustrating for some users, but security is paramount. If users ignore the warnings, they could be exposed to certain types of cyber attack that TLS certificates were designed to combat. However, only a handful of the affected .gov sites actually implement functioning HSTS policies. Only a few appear in the preload HSTS list, and just a small percentage of the rest even attempt to set a policy through the Strict-Transport-Security HTTP header. And even these policies will only be obeyed when serving alongside a valid TLS certificate; if the user hasn’t visited the site before, they will not be effective.
The consequence is that the affected sites will display a security warning before they load, which the user could bypass. This brings some real security concerns into the equation, as many users will be determined to complete their task and will thus ignore the security warnings. This will render them vulnerable to attacks, and cybercriminals will be poised to take advantage of the situation.
As an example, this NASA website is not on the HSTS preload list, and its TLS certificate expired on 5 January. Users therefore encounter a security warning that they can choose to ignore. If they do this, and proceed to log into their account, their login details are exposed and they could be targeted by man-in-the-middle attacks.
A frustrating deadlock that keeps getting worse
It is becoming increasingly clear that President Trump will not compromise on his demands for a wall along the southern border of the United States, and Democrats are continuing to budge on their rejection of a budget that dedicates $5.7 billion for the wall. And the hundreds of thousands of federal employees who are going unpaid may not be the only people who suffer the consequences. As a growing number of the certificates the government websites use continue to expire over the coming days, weeks, and perhaps even months, there will be some unique opportunities for cybercriminals to undermine the security of unsuspecting U.S. citizens.