SSL, TLS Certificates Expiring on US Government Sites During Federal Shutdown


The short- and long-term impacts of the U.S. Federal Government shutdown have been well documented during the last month. Government employees aren’t receiving paychecks. National parks are being vandalized. Air travel could soon be at risk.

But as the shutdown carries on, the trust and security of the government’s online presence are eroding, too. Many government sites aren’t being updated, support and communication are unavailable, and some sites are completely inaccessible to visitors. And across a handful of government sites (e.g., .gov domains), SSL and TLS digital certificates are beginning to expire.

According to ZDNet, more than 80 TLS certificates have expired across dozens of government sites. The government employees who typically manage these sites simply aren’t working, so basic management tasks, including certificate renewal, are going undone, causing widespread accessibility and security issues.

Digital certificates are the backbone of online digital trust. This is particularly critical for the government’s online presence — not just for peace of mind, but to help ensure critical sites, tools and services aren’t compromised during the shutdown.

A note on the U.S. Department of Homeland Security alerts visitors to lack of funding and management.

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are the encryption standards used to protect data in motion sent over the public internet, and SSL/TLS certificates are what let a browser verify the site on the other end of the connection. SSL/TLS secures a growing amount of enterprise traffic and makes up the majority of network traffic in some verticals, including the government. According to SonicWall data, nearly 75 percent of all traffic is now encrypted.

Expired certificates are annoying to the end user, but there can be serious security ramifications. So much so, some sites have implemented HSTS (HTTP Strict Transport Security) per guidelines from the National Institute of Standards and Technology (NIST) to protect against downgrade attacks.

For example, the Firefox and Chrome browsers enforce HSTS. In this scenario, if a site also uses HSTS, users can’t access the site at all when its certificate has expired, because the browser offers no option to bypass the warning. The ramifications of expired certificates are broad, but typical user experiences include:

  • Inability to access a site
  • Warnings that the connection and data aren’t safe
  • If warnings are bypassed, data may be transmitted unencrypted (i.e., in the clear)
  • End-users begin to train themselves to ignore these warnings in the future

Message shown by the Chrome browser on a subdomain for a U.S. government site with an expired certificate.

For users who receive certificate alerts or warnings, SonicWall recommends they do not bypass errors during the U.S. government shutdown; if you do proceed, know that data is likely unencrypted and at risk. Enterprises should have consistent and established best practices in place for certificate management, which will identify certificates nearing renewal and ensure they’re renewed in a timely fashion.
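As an added illustration of the certificate-management practice and the HSTS behaviour described above (example code written for this page, not a SonicWall tool), the following Python sketch triages a certificate inventory by what a visitor would experience. The host names, dates, 30-day renewal window and state labels are constructed assumptions; the `notAfter` strings use the format returned by Python's `ssl.getpeercert()`.

```python
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed renewal window; set this to your own policy

def days_left(not_after, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days

def hsts_enabled(header):
    """True if a Strict-Transport-Security header value sets max-age > 0."""
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return value.isdigit() and int(value) > 0
    return False

def triage(host, not_after, hsts_header, now=None):
    """Classify one inventory row as (host, state, days_left)."""
    left = days_left(not_after, now)
    if left < 0:
        # With HSTS the browser gives no click-through, so the site is unreachable;
        # without it the visitor sees a warning that can be bypassed.
        state = "EXPIRED-BLOCKED" if hsts_enabled(hsts_header) else "EXPIRED-WARNING"
    elif left <= WARN_DAYS:
        state = "RENEW-SOON"
    else:
        state = "OK"
    return host, state, left

# Constructed sample inventory: (host, certificate notAfter, HSTS header or None)
SAMPLE_NOW = datetime(2019, 1, 20, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    ("portal.agency.example", "Jan  5 09:34:43 2019 GMT",
     "max-age=31536000; includeSubDomains; preload"),
    ("forms.agency.example", "Jan 17 00:00:00 2019 GMT", None),
    ("news.agency.example", "Feb  4 12:00:00 2019 GMT", "max-age=0"),
    ("www.agency.example", "Nov 30 00:00:00 2019 GMT", "max-age=31536000"),
]

if __name__ == "__main__":
    for row in SAMPLE_INVENTORY:
        host, state, left = triage(*row, now=SAMPLE_NOW)
        print(f"{host:24} {state:16} {left:5d} days")
```

Run on a schedule against a real inventory, the `RENEW-SOON` rows are the ones to act on before any visitor sees a warning.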


SonicWall Staff