Data Driven Futures

US gov shutdown disrupts official site security

Written by Peter Walker
15/01/19

The US government shutdown has led to the website security certificates for agencies like NASA and the Department of Justice expiring, limiting some services and leaving them exposed to cyber attack.

The shutdown is already the longest in US history and shows no imminent signs of ending, as president Donald Trump holds out for concessions from the Democrats over his budget plans. It has so far affected around 800,000 federal staff, with roughly half of those having been placed on furlough.

Researchers at security firm Netcraft found dozens of expired security certificates on US government portals and remote access sites.

More than 80 TLS certificates used by .gov websites had expired and had not been renewed, with some of the sites being made all but inaccessible due to the expiration.

The Department of Justice’s site for instance, uses a certificate that expired on 17 December and is inaccessible due to its use of a strict policy that bars most browsers from loading the page if the certificate has expired.

The policy, called HSTS preloading, means that if a site’s certificate has expired, users see an error message when they try to access the site.

“While this behaviour is bound to frustrate some users, in this case, security is arguably better than usability,” stated Netcraft cyber security consultant Paul Mutton.

However, other US government sites lack correctly functioning HSTS policies and instead only display an interstitial warning that can easily be bypassed, risking man-in-the-middle attacks, effectively allowing an attacker to eavesdrop on the user’s communication with a site, potentially stealing sensitive data such as login credentials.

“As more and more certificates used by government websites inevitably expire over the following days, weeks - or maybe even months - there could be some realistic opportunities to undermine the security of all US citizens.”