Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

More .gov Domains Hit by Government Shutdown

The number of US government domains for which TLS certificates were left to expire due to the government shutdown has now exceeded 130, UK-based cybersecurity solutions provider Netcraft reported on Wednesday.

The number of US government domains for which TLS certificates were left to expire due to the government shutdown has now exceeded 130, UK-based cybersecurity solutions provider Netcraft reported on Wednesday.

A deadlock between President Donald Trump and the Democratic Party over funding for the controversial Mexico border wall has led to a partial government shutdown. The shutdown – the longest in US history – started on December 22 and it has entered its 26th day.

In addition to some online government services becoming unavailable – NIST’s Computer Security Resource Center (CSRC) is just one example – Netcraft revealed last week that agencies had failed to renew expired certificates for over 80 .gov domains, including ones belonging to NASA, the Department of Justice, the Court of Appeals, and the Lawrence Berkeley National Laboratory.

Allowing security certificates to expire not only makes websites inaccessible, it also makes them vulnerable to man-in-the-middle (MitM) attacks.

Netcraft says the number of impacted domains has now exceeded 130 and the list includes one belonging to the White House, pages.mail.whitehouse.gov, for which the certificate expired on January 15. Since this domain does not host any public services, the main problem is not that the address is inaccessible, rather that it could be leveraged by malicious actors in attacks aimed at White House staff.

Manufacturing.gov and manufacturingusa.com, which host information on manufacturing programs, have also become inaccessible due to their shared certificate expiring on January 14. However, it’s worth noting that the websites can still be accessed if “www” is added to the address.

Expired certificate for manufacturing.gov

Other domains whose certificates have expired since Netcraft’s initial report belong to the Federal Aviation Authority, the National Archives and Records Administration, the Federal Financial Institutions Examination Council, and the Department of Agriculture.

Some of the impacted domains are on the HTTPS Strict Transport Security (HSTS) preload list, which means that web browsers such as Chrome, Safari, Firefox, Edge, Internet Explorer and Opera prevent users from accessing them if their certificate has expired. Websites that are not on the HSTS list can still be accessed by users by adding an exception in the browser’s “advanced” menu.

“Expired TLS certificates do not directly expose data, but when users visit the pages, they will be presented with an interstitial warning that the certificate is not valid,” Tripwire researcher Craig Young told SecurityWeek. “If strict transport security is not enabled, the user is able to click through the warning and visit the site. Since users are being told to expect these warnings, it makes the perfect opportunity for an attacker to intercept connections using a fake TLS certificate. The error message may have different details, but most users will not recognize this.”

“National adversaries are uniquely positioned to exploit this as they may have access to manipulate BGP records or otherwise influence telecom operations at a low level to redirect victim connections. In the last year, we’ve also seen evidence indicating that Russia has been developing and spreading router malware dubbed VPNFilter. This type of router implant is perfect for surreptitiously hijacking HTTPS connections to US government web sites,” Young added.

Related:Security of U.S. Government Sites Improved Only Slightly

Related: Many Federal Agencies Fail to Meet DMARC Implementation Deadline

Related: DMARC Use is Growing, But Difficult to Configure Correctly and Completely

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.