.Gov Security Falters during US Shutdown

Megalith

Many government websites have been rendered either insecure or inaccessible due to the federal shutdown. The root of the issue is expired TLS certificates; tech workers have been furloughed and are not around to renew them. While some of these sites are accessible due to the lack of HSTS (HTTP Strict Transport Security), which allows visitors to bypass their browsers’ security measures, this is not advised, as that opens up the potential for man-in-the-middle attacks.

In a twist of fate, the usdoj.gov domain — and all of its subdomains — are included in Chromium's HSTS preload list. This is a prudent security measure which forces modern browsers to only use secure, encrypted protocols when accessing the US DoJ websites; however, it will also prevent users from visiting the HTTPS sites when an expired certificate is encountered. In these cases, modern browsers like Google Chrome and Mozilla Firefox deliberately hide the advanced option that would let the user bypass the warning and continue through to the site.
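As an added example (not part of the original post), the browser behaviour described above can be modelled in Python: an expired certificate is a bypassable warning unless an HSTS policy, preloaded or previously cached, covers the host. The preload table, the hostnames other than usdoj.gov, the dates and the outcome strings are constructed for illustration, and cached policies are assumed to still be within their max-age.

```python
from datetime import datetime, timezone

# Constructed stand-in for a browser preload list: domain -> include_subdomains.
PRELOAD = {"usdoj.gov": True}

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797) into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            max_age = int(value) if value.isdigit() else None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def hsts_applies(host, cached):
    """True if host is covered by the preload list or by a cached policy.

    cached maps domain -> header value the browser stored on an earlier
    error-free HTTPS visit (assumed not yet past its max-age).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        domain = ".".join(labels[i:])
        exact = (i == 0)  # parent domains only count with includeSubDomains
        if domain in PRELOAD and (exact or PRELOAD[domain]):
            return True
        if domain in cached:
            max_age, include_sub = parse_hsts(cached[domain])
            if max_age and (exact or include_sub):  # max-age=0 clears the policy
                return True
    return False

def browser_outcome(host, not_after, now, cached=None):
    """Classify what a visitor sees for host, given the certificate's notAfter time."""
    if now <= not_after:
        return "ok"
    if hsts_applies(host, cached or {}):
        return "blocked: no click-through"
    return "warning: user can bypass"

# Constructed sample: a certificate that expired ten days before the check.
EXPIRED = datetime(2019, 1, 5, tzinfo=timezone.utc)
NOW = datetime(2019, 1, 15, tzinfo=timezone.utc)
```
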
 
Anyone know why the US Gov isn't its own Top Level CA? Why is the DOJ buying a certificate from Godaddy? Be a lot easier to renew if an agency didn't have to get spending authority to renew but instead just contacted the proper US Govt authority and asked for a renewal.

On the other hand, looks like we will have a decent list of improperly configured US Govt websites by the time this thing gets resolved.
 
Given that this was known to be coming I wonder if they tried to renew any of this a week or two earlier? Given the time of the shutdown all of these would have been at less than 30 days from expiring when the shutdown happened. So it would have been known that they were on the very edge of their lifespan and should have been in the process of getting renewed.

Anyone know why the US Gov isn't its own Top Level CA? Why is the DOJ buying a certificate from Godaddy? Be a lot easier to renew if an agency didn't have to get spending authority to renew but instead just contacted the proper US Govt authority and asked for a renewal.

On the other hand, looks like we will have a decent list of improperly configured US Govt websites by the time this thing gets resolved.

Improperly configured how? Certs expire so that isn't anything to do with how it was configured.
 
With approximately 195 countries spanning the globe, I can't foresee any problem with each one being a Top Level CA.

Bingo. What you're really asking here is, why don't they just issue their own certificates and not use any 3rd party? This would require computers across the globe to trust the US Government Top Level CA and the associated costs would also be pretty high. So for public facing things, it makes sense to use a 3rd party CA which a myriad parties can trust if they choose to do so (and which client computers generally already do trust, thus having a broad client base).

All of this isn't to say that it hasn't been explored or tried already.....some informative reading: https://fpki.idmanagement.gov/ca/

Cheers
 
. . .

Improperly configured how? Certs expire so that isn't anything to do with how it was configured.

From the OP : "While some of these sites are accessible due to the lack of HSTS (HTTP Strict Transport Security), which allows visitors to bypass their browsers’ security measures, this is not advised, as that opens up the potential for man-in-the-middle attacks."

A site with an expired Cert that lets folks perform business is IMO, improperly configured.
 
Seems like more of an oversight than direct cause due to the shut down. Essential personnel are exempt and have to work and I guarantee you, whoever is in charge of cybersecurity is NOT furloughed right now. This probably would have happened even without the shutdown. Maybe it would have gotten fixed faster. Maybe not - stories of expired certs have happened for years if you just do some searching; this is nothing new in government - or other large private sector organizations (unfortunately).

Of course what's different now is the "shutdown" o_O
 
From the OP : "While some of these sites are accessible due to the lack of HSTS (HTTP Strict Transport Security), which allows visitors to bypass their browsers’ security measures, this is not advised, as that opens up the potential for man-in-the-middle attacks."

A site with an expired Cert that lets folks perform business is IMO, improperly configured.

HSTS only makes sure that if you go to something like say http://www.irs.gov (just using it as an example here) the site will redirect you to https://www.irs.gov. It does not make sure that the certificate is valid. Unless I am missing something here, but to the best of my knowledge all that setting does is force people to the secure version of the site. Even then if you look at going to the https://www.irs.gov site with an expired cert, it is still just as secure as it was the day before. All you lose is the verification that you are using a valid cert. However the site still encrypts everything just as it did the day before and your browser still decrypts it. You just can't confirm anymore that the cert on https://www.irs.gov is really the one the government was issued. All that said, even with valid certs a server not redirecting you to the https version would be an issue and would not be forcing you to use the secure side. So I will give you that as being an improperly configured server but for a completely different reason. I could be wrong however but I don't think there is any way on the server side to shut a site down if your cert expires. The client side will just not want to connect to it. So letting a user continue past a "this site may not be secure" screen and doing your business is what I would expect to be normal behavior as the html, php, aspx etc wouldn't know or care about the connection, only the content.

Wait the government is shutdown? I didn't even notice. Street lights are still working. I can still buy groceries. Maybe it is time we rethought big government and our dependencies on it. (or lack thereof)

The government shut down has been going on for a few weeks now and I haven't noticed. Hopefully, it stays shut down.

It has taken a little bit of time to start doing stuff the average public will notice. TSA and air traffic controllers haven't been paid in a few weeks so many are no longer showing up to work so flights are starting to be affected, with fewer agents they have fewer lines open which means longer wait times. So anyone that flies will notice. Parks have shut down, but if you don't travel to these you wouldn't notice. Government programs such as WIC, food stamps, welfare etc will be shutting down here in March, along with free school lunches. However unless you are a single mom or on the poorer side of things you won't notice that. Now the buying groceries comment might start to change here. Given that farmers are being impacted as result of some parts of the USDA being shut down this could result in higher prices, so you could find yourself getting less for your money here soon. FDA also has had to stop checking food and drugs and can only focus on more at risk items so you might start to get sick from eating more foods since they will no longer get tested. IRS also has been impacted and has closed down so if you file your taxes don't plan on getting a refund check very fast, as while this year they reversed their choice of not operating during a government shutdown when they can't pay their employees they still will not be working at 100%. You won't notice anything month one, it is month 2 - 3 that you start to notice things. Just like if you get fired from your job. You can probably keep your lights on for another month, still buy food, but after a few months that is when you start having creditors calling, have your car taken back....
 
Oh no, the TSA will stop fondling people and stealing their luggage. How ever did we manage before without them?
 
Oh no, the TSA will stop fondling people and stealing their luggage. How ever did we manage before without them?

It would be fine if they just pulled them all, removed the scanners and you could just walk to the gate. However instead you go from 5 - 10 security checkpoints to 1. That means that what might have been a 20 minute line before is now an hour or two. That also probably means that precheck is no longer a thing, so those people are now having to go from just walking through basically to now having to wait in the longer lines. Although that isn't as much of a problem as a tower only having 1/2 the people working so now they can only support 1/2 the number of aircraft. Although there is a simple solution for that. Hertz and Enterprise can fix that for you right away, along with Greyhound and Amtrak.
 
Although there is a simple solution for that. Hertz and Enterprise can fix that for you right away, along with Greyhound and Amtrak.

As much as I hate flying, if you are going coast to coast it's pretty damn convenient. Drove out from Vegas to DC this summer - three days and two nights of pretty hard driving vs. putting up with TSA and airline bullshit, getting on a nonstop flight and being done in 8 hours door to door.

Sadly not much of a comparison :confused:
 
HSTS only makes sure that if you go to something like say http://www.irs.gov (just using it as an example here) the site will redirect you to https://www.irs.gov. It does not make sure that the certificate is valid. Unless I am missing something here, but to the best of my knowledge all that setting does is force people to the secure version of the site. Even then if you look at going to the https://www.irs.gov site with an expired cert, it is still just as secure as it was the day before. All you lose is the verification that you are using a valid cert. However the site still encrypts everything just as it did the day before and your browser still decrypts it. You just can't confirm anymore that the cert on https://www.irs.gov is really the one the government was issued. All that said, even with valid certs a server not redirecting you to the https version would be an issue and would not be forcing you to use the secure side. So I will give you that as being an improperly configured server but for a completely different reason. I could be wrong however but I don't think there is any way on the server side to shut a site down if your cert expires. The client side will just not want to connect to it. So letting a user continue past a "this site may not be secure" screen and doing your business is what I would expect to be normal behavior as the html, php, aspx etc wouldn't know or care about the connection, only the content.





It has taken a little bit of time to start doing stuff the average public will notice. TSA and air traffic controllers haven't been paid in a few weeks so many are no longer showing up to work so flights are starting to be affected, with fewer agents they have fewer lines open which means longer wait times. So anyone that flies will notice. Parks have shut down, but if you don't travel to these you wouldn't notice. Government programs such as WIC, food stamps, welfare etc will be shutting down here in March, along with free school lunches. However unless you are a single mom or on the poorer side of things you won't notice that. Now the buying groceries comment might start to change here. Given that farmers are being impacted as result of some parts of the USDA being shut down this could result in higher prices, so you could find yourself getting less for your money here soon. FDA also has had to stop checking food and drugs and can only focus on more at risk items so you might start to get sick from eating more foods since they will no longer get tested. IRS also has been impacted and has closed down so if you file your taxes don't plan on getting a refund check very fast, as while this year they reversed their choice of not operating during a government shutdown when they can't pay their employees they still will not be working at 100%. You won't notice anything month one, it is month 2 - 3 that you start to notice things. Just like if you get fired from your job. You can probably keep your lights on for another month, still buy food, but after a few months that is when you start having creditors calling, have your car taken back....

Yeah, in the first place we have states so that we don't have to rely on the federal government. There are still some things which require fed, but for the most part states are self-sufficient. The exception being subsidies, taxes, federal regulating bodies and federal(!) welfare (state welfare will still function, though not as well if they had federal subsidies).
 