.Gov Security Falters during US Shutdown

Discussion in '[H]ard|OCP Front Page News' started by Megalith, Jan 12, 2019 at 1:53 PM.

  1. Megalith

    Megalith 24-bit/48kHz Staff Member

    Messages:
    12,754
    Joined:
    Aug 20, 2006
    Many government websites have been rendered either insecure or inaccessible due to the federal shutdown. The root of the issue is expired TLS certificates; tech workers have been furloughed and are not around to renew them. While some of these sites are accessible due to the lack of HSTS (HTTP Strict Transport Security), which allows visitors to bypass their browsers’ security measures, this is not advised, as that opens up the potential for man-in-the-middle attacks.

    In a twist of fate, the usdoj.gov domain — and all of its subdomains — are included in Chromium's HSTS preload list. This is a prudent security measure which forces modern browsers to only use secure, encrypted protocols when accessing the US DoJ websites; however, it will also prevent users from visiting the HTTPS sites when an expired certificate is encountered. In these cases, modern browsers like Google Chrome and Mozilla Firefox deliberately hide the advanced option that would let the user bypass the warning and continue through to the site.
     
  2. Dead Parrot

    Dead Parrot 2[H]4U

    Messages:
    2,133
    Joined:
    Mar 4, 2013
    Anyone know why the US Gov isn't its own Top Level CA? Why is the DOJ buying a certificate from GoDaddy? It'd be a lot easier to renew if an agency didn't have to get spending authority to renew but instead just contacted the proper US Govt authority and asked for a renewal.

    On the other hand, looks like we will have a decent list of improperly configured US Govt websites by the time this thing gets resolved.
     
  3. Jim Kim

    Jim Kim 2[H]4U

    Messages:
    2,987
    Joined:
    May 24, 2012
    With approximately 195 countries spanning the globe, I can't foresee any problem with each one being a Top Level CA.
     
    dgz, lostin3d, Rebel44 and 3 others like this.
  4. Exavior

    Exavior [H]ardForum Junkie

    Messages:
    9,543
    Joined:
    Dec 13, 2005
    Given that this was known to be coming, I wonder if they tried to renew any of this a week or two earlier? Given the time of the shutdown, all of these would have been at less than 30 days from expiring when the shutdown happened. So it would have been known that they were on the very edge of their lifespan and should have been in the process of getting renewed.

    Improperly configured how? Certs expire so that isn't anything to do with how it was configured.
     
  5. g-money

    g-money Limp Gawd

    Messages:
    259
    Joined:
    Oct 7, 2008
    Bingo. What you're really asking here is, why don't they just issue their own certificates and not use any 3rd party? This would require computers across the globe to trust the US Government Top Level CA, and the associated costs would also be pretty high. So for public facing things, it makes sense to use a 3rd party CA which a myriad of parties can trust if they choose to do so (and which client computers generally already do trust, thus having a broad client base).

    All of this isn't to say that it hasn't been explored or tried already.....some informative reading: https://fpki.idmanagement.gov/ca/

    Cheers
     
  6. SolarisGuru

    SolarisGuru n00bie

    Messages:
    63
    Joined:
    Jul 9, 2016
    Why don't they have these configured to auto renew? Even my own little website auto renews certs.
     
  7. sfsuphysics

    sfsuphysics I don't get it

    Messages:
    13,496
    Joined:
    Jan 14, 2007
    Well you knew it was going to be that or "If Nancy Pelosi didn't..."
     
    auntjemima likes this.
  8. Dead Parrot

    Dead Parrot 2[H]4U

    Messages:
    2,133
    Joined:
    Mar 4, 2013
    From the OP : "While some of these sites are accessible due to the lack of HSTS (HTTP Strict Transport Security), which allows visitors to bypass their browsers’ security measures, this is not advised, as that opens up the potential for man-in-the-middle attacks."

    A site with an expired cert that lets folks perform business is, IMO, improperly configured.
     
  9. Meeho

    Meeho [H]ardness Supreme

    Messages:
    4,177
    Joined:
    Aug 16, 2010
    Oh, no, not the government sites!
     
    cyclone3d likes this.
  10. TangledThornz

    TangledThornz Limp Gawd

    Messages:
    340
    Joined:
    Jun 12, 2018
    If you work for an organization 22,000,000,000,000 dollars in debt you're gonna have a bad time.
     
    Aioeyu and captaindiptoad like this.
  11. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,666
    Joined:
    Aug 16, 2004
  12. Retronym

    Retronym Something big is coming.

    Messages:
    10,429
    Joined:
    Mar 5, 2007
  13. DocNo

    DocNo Gawd

    Messages:
    572
    Joined:
    Apr 23, 2012
    Seems like more of an oversight than a direct cause due to the shutdown. Essential personnel are exempt and have to work and I guarantee you, whoever is in charge of cybersecurity is NOT furloughed right now. This probably would have happened even without the shutdown. Maybe it would have gotten fixed faster. Maybe not - stories of expired certs have happened for years if you just do some searching; this is nothing new in government - or other large private sector organizations (unfortunately).

    Of course what's different now is the "shutdown" o_O
     
    Last edited: Jan 13, 2019 at 2:57 PM
    FlawleZ likes this.
  14. JosiahBradley

    JosiahBradley [H]ard|Gawd

    Messages:
    1,694
    Joined:
    Mar 19, 2006
    Wait, the government is shut down? I didn't even notice. Street lights are still working. I can still buy groceries. Maybe it is time we rethought big government and our dependencies on it (or lack thereof).
     
  15. umeng2002

    umeng2002 Gawd

    Messages:
    846
    Joined:
    May 23, 2008
    The government shutdown has been going on for a few weeks now and I haven't noticed. Hopefully, it stays shut down.
     
    next-Jin and TangledThornz like this.
  16. Exavior

    Exavior [H]ardForum Junkie

    Messages:
    9,543
    Joined:
    Dec 13, 2005
    HSTS only makes sure that if you go to something like, say, http://www.irs.gov (just using it as an example here) the site will redirect you to https://www.irs.gov. It does not make sure that the certificate is valid. Unless I am missing something here, but to the best of my knowledge all that setting does is force people to the secure version of the site. Even then, if you look at going to the https://www.irs.gov site with an expired cert, it is still just as secure as it was the day before. All you lose is the verification that you are using a valid cert. However, the site still encrypts everything just as it did the day before and your browser still decrypts it. You just can't confirm anymore that the cert on https://www.irs.gov is really the one the government was issued. All that said, even with valid certs a server not redirecting you to the https version would be an issue and would not be forcing you to use the secure side. So I will give you that as being an improperly configured server, but for a completely different reason. I could be wrong, however, but I don't think there is any way on the server side to shut a site down if your cert expires. The client side will just not want to connect to it. So letting a user continue past a "this site may not be secure" screen and doing your business is what I would expect to be normal behavior, as the HTML, PHP, ASPX etc. wouldn't know or care about the connection, only the content.

    It has taken a little bit of time to start doing stuff the average public will notice. TSA and air traffic controllers haven't been paid in a few weeks, so many are no longer showing up to work, so flights are starting to be affected; with fewer agents they have fewer lines open, which means longer wait times. So anyone that flies will notice. Parks have shut down, but if you don't travel to these you wouldn't notice. Government programs such as WIC, food stamps, welfare etc. will be shutting down here in March, along with free school lunches. However, unless you are a single mom or on the poorer side of things you won't notice that. Now the buying groceries comment might start to change here. Given that farmers are being impacted as a result of some parts of the USDA being shut down, this could result in higher prices, so you could find yourself getting less for your money here soon. The FDA also has had to stop checking food and drugs and can only focus on more at-risk items, so you might start to get sick from eating more foods since they will no longer get tested. The IRS also has been impacted and has closed down, so if you file your taxes don't plan on getting a refund check very fast, as while this year they reversed their choice of not operating during a government shutdown when they can't pay their employees, they still will not be working at 100%. You won't notice anything month one; it is month 2 - 3 that you start to notice things. Just like if you get fired from your job. You can probably keep your lights on for another month, still buy food, but after a few months that is when you start having creditors calling, have your car taken back....
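    As an added illustration of the original post's point about HSTS and expired certificates, and of the HSTS discussion in Exavior's post above, here is a small defender-side checker. This is example code written for this page, not anything from the thread, from any browser, or from a government site: it parses a Strict-Transport-Security header, matches a host against a preload list with includeSubDomains semantics, and classifies each certificate in an inventory as fine, due for renewal inside 30 days, or expired with either a bypassable warning or a hard block. The usdoj.gov preload entry (apex plus subdomains) is taken from the original post; every other preload entry, the hosts, the dates and the 30-day threshold are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference date so the example is deterministic offline.
NOW = datetime(2019, 1, 12, tzinfo=timezone.utc)

# Constructed stand-in for the Chromium HSTS preload list. The real list is
# far larger; only usdoj.gov (named in the thread, with subdomains) comes from
# the page. Value: whether the entry covers subdomains (includeSubDomains).
PRELOAD_LIST = {
    "usdoj.gov": True,
    "example-preloaded.gov": False,   # constructed: apex only, no subdomains
}

# Constructed threshold: flag certificates inside this many days of expiry.
RENEWAL_WARNING_DAYS = 30


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns a dict with max_age, include_subdomains and preload, or None when
    the header is absent or carries no usable max-age (a browser ignores it).
    """
    if not value:
        return None
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        return None
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def is_preloaded(host):
    """True if host is covered by a preload entry, honouring includeSubDomains.

    Walks from the full hostname up through its parent domains; a parent entry
    only counts when it was registered with includeSubDomains.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PRELOAD_LIST and (i == 0 or PRELOAD_LIST[candidate]):
            return True
    return False


def classify(host, not_after, cached_hsts_header=None, now=NOW):
    """Describe how a browser would treat this host's certificate.

    cached_hsts_header is the STS header the browser remembers from an earlier
    error-free visit; browsers do not learn HSTS from a connection whose
    certificate already fails validation, so a header-only policy protects
    returning visitors while a preload entry also protects first visits.
    """
    days_left = (not_after - now).days
    policy = parse_hsts_header(cached_hsts_header)
    enforced = is_preloaded(host) or (policy is not None and policy["max_age"] > 0)
    if days_left < 0:
        # Expired: HSTS turns the usual "proceed anyway" warning into a hard block.
        return "blocked" if enforced else "bypassable-warning"
    if days_left < RENEWAL_WARNING_DAYS:
        return "renew-soon"
    return "ok"


# Constructed inventory: (host, certificate notAfter, cached STS header).
INVENTORY = [
    ("www.usdoj.gov", NOW - timedelta(days=10), None),
    ("www.example.gov", NOW - timedelta(days=10), None),
    ("portal.example.gov", NOW - timedelta(days=10), "max-age=31536000; includeSubDomains"),
    ("api.example.gov", NOW + timedelta(days=12), None),
    ("docs.example.gov", NOW + timedelta(days=200), None),
]


def audit(inventory, now=NOW):
    """Return [(host, status)] for every host in the inventory."""
    return [(host, classify(host, not_after, header, now))
            for host, not_after, header in inventory]


if __name__ == "__main__":
    for host, status in audit(INVENTORY):
        print(f"{host:22} {status}")
```

    Run as-is it reports www.usdoj.gov as blocked (preloaded, expired), www.example.gov as a bypassable warning (no HSTS at all), portal.example.gov as blocked for returning visitors only (header-based HSTS), and the remaining two as renew-soon and ok. The renew-soon status is the monitoring hook: a certificate inside the 30-day window is the one to alert on before anyone is furloughed.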
     
  17. Ranulfo

    Ranulfo [H]ard|Gawd

    Messages:
    1,263
    Joined:
    Feb 9, 2006
    Oh no, the TSA will stop fondling people and stealing their luggage. How ever did we manage before without them?
     
  18. Exavior

    Exavior [H]ardForum Junkie

    Messages:
    9,543
    Joined:
    Dec 13, 2005
    It would be fine if they just pulled them all, removed the scanners and you could just walk to the gate. However, instead you go from 5 - 10 security checkpoints to 1. That means that what might have been a 20 minute line before is now an hour or two. That also probably means that PreCheck is no longer a thing, so those people are now going from basically just walking through to having to wait in the longer lines. Although that isn't as much of a problem as a tower only having 1/2 the people working, so now they can only support 1/2 the number of aircraft. Although there is a simple solution for that. Hertz and Enterprise can fix that for you right away, along with Greyhound and Amtrak.
     
  19. DocNo

    DocNo Gawd

    Messages:
    572
    Joined:
    Apr 23, 2012
    As much as I hate flying, if you are going coast to coast it's pretty damn convenient. Drove out from Vegas to DC this summer - three days and two nights of pretty hard driving vs. putting up with TSA and airline bullshit, getting on a nonstop flight and being done in 8 hours door to door.

    Sadly not much of a comparison :confused:
     
  20. Nobu

    Nobu 2[H]4U

    Messages:
    2,398
    Joined:
    Jun 7, 2007
    Yeah, in the first place we have states so that we don't have to rely on the federal government. There are still some things which require the feds, but for the most part states are self-sufficient. The exception being subsidies, taxes, federal regulating bodies and federal(!) welfare (state welfare will still function, though not as well as if they had federal subsidies).