US Government Shutdown Disrupts Security On .Gov Sites

Researchers have found dozens of expired security certificates on US government websites, many affecting sensitive services.

The expired certificates, which security firm Netcraft said had probably not been renewed due to the ongoing partial US government shutdown, make some services difficult to access, while in other cases they may expose users to risks.

The sites affected include government payment portals and remote access services used by organisations including NASA, the Department of Justice and the Court of Appeals.

The shutdown, the longest in US history, occurred due to conflict over approving the government’s budget. It has affected around 800,000 federal staff, with roughly half of those having been placed on furlough.

Image credit: Netcraft

Sites blocked

Netcraft found that more than 80 TLS certificates used by .gov websites had expired and had not been renewed, with some of the sites being made all but inaccessible due to the expiration.

One site used by the Department of Justice, for instance, uses a certificate that expired on 17 December of last year and is inaccessible because of a strict policy that bars most browsers from loading the page once the certificate has expired.

The policy, called HSTS preloading, ships a site’s HTTP Strict Transport Security setting inside the browser itself, so the browser will only load the site over a valid HTTPS connection; if the site’s certificate has expired, users see an error message when they try to access the site.

The error message can be bypassed using advanced settings, but those are deliberately made difficult to spot, Netcraft said.

“While this behaviour is bound to frustrate some users, in this case, security is arguably better than usability,” said Netcraft’s Paul Mutton in an advisory.

Image credit: Netcraft

Insecure login

Other US government sites lack correctly functioning HSTS policies and instead only display an interstitial warning that can easily be bypassed, Mutton said.

Those sites may present security concerns, since many users are likely to access them without a working security certificate.

That can expose them to risks such as man-in-the-middle attacks, Mutton said. Such attacks effectively allow an attacker to eavesdrop on the user’s communication with a site, potentially stealing sensitive data such as login credentials.

Netcraft found that one Berkeley Lab government website, for instance, presented a login form with an expired certificate.

“As there is no effective HSTS policy, users can ignore the browser’s warnings and proceed to the login form,” Mutton wrote.
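The two situations the article describes, an expired certificate behind an HSTS policy that blocks click-through and one behind nothing but a bypassable interstitial, can be triaged from an inventory. The Python below is an added defender's example, not Netcraft's tooling: it computes days to expiry from a certificate's notAfter string in the form `ssl.getpeercert()` returns, parses the Strict-Transport-Security header, and checks the header against the published preload-list requirements (one-year max-age, includeSubDomains, preload). Hostnames, expiry dates, headers and the audit time are constructed, and the code assumes a header the site sends stands in for a policy the browser has already cached or preloaded.

```python
"""Certificate-expiry and HSTS triage over a constructed inventory (added example)."""
import ssl
from datetime import datetime, timezone
PRELOAD_MIN_MAX_AGE = 31536000  # preload list requires max-age of at least one year
AUDIT_TIME = datetime(2019, 1, 11, tzinfo=timezone.utc)  # constructed "now"

def days_until_expiry(not_after, now):
    """Days until notAfter, in the 'Dec 17 23:59:59 2018 GMT' form that
    ssl.getpeercert() returns; negative once the certificate has expired."""
    return (ssl.cert_time_to_seconds(not_after) - now.timestamp()) / 86400

def parse_hsts(header):
    """Split a Strict-Transport-Security value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def triage(host, not_after, hsts_header, now):
    """'ok' while valid; once expired, 'blocked' if an HSTS policy would stop
    click-through, else 'bypassable'. Assumption: a header sent by the site
    stands in for a policy the browser has already cached or preloaded."""
    days = days_until_expiry(not_after, now)
    policy = parse_hsts(hsts_header)
    in_force = bool(policy["max_age"])  # max-age=0 (or no header) means no HSTS
    preload_ready = (in_force and policy["max_age"] >= PRELOAD_MIN_MAX_AGE
                     and policy["include_subdomains"] and policy["preload"])
    status = "ok" if days >= 0 else ("blocked" if in_force else "bypassable")
    return {"host": host, "days_left": round(days, 2), "status": status,
            "preload_ready": preload_ready}

# Constructed inventory: placeholder hosts, expiry strings and HSTS headers.
INVENTORY = [
    ("payments.agency.example", "Dec 17 23:59:59 2018 GMT",
     "max-age=31536000; includeSubDomains; preload"),
    ("login.lab.example", "Jan 5 00:00:00 2019 GMT", None),
    ("remote.agency.example", "Jun 10 00:00:00 2019 GMT", "max-age=0"),
]

def audit(inventory, now):
    """Triage every site, most overdue first, so expired ones top the report."""
    return sorted((triage(*row, now) for row in inventory),
                  key=lambda r: r["days_left"])
```

Running `audit(INVENTORY, AUDIT_TIME)` lists the HSTS-protected expired host as blocked and the login host with no policy as bypassable, which is the case the article flags as exposing users to interception.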

He said the government shutdown is likely to mean more ongoing security risks.

“As more and more certificates used by government websites inevitably expire over the following days, weeks — or maybe even months — there could be some realistic opportunities to undermine the security of all U.S. citizens,” Mutton wrote.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
