Connect with us

Hi, what are you looking for?



TLS Certificates for Many .gov Domains Not Renewed Due to Government Shutdown

Many TLS certificates for .gov domains have not been renewed due to the ongoing shutdown of the United States government, making them insecure or inaccessible.

Many TLS certificates for .gov domains have not been renewed due to the ongoing shutdown of the United States government, making them insecure or inaccessible.

A standoff between U.S. President Donald Trump and the country’s Democratic Party over the controversial Mexico border wall has led to a partial government shutdown. The shutdown started on December 22 and it has entered its 20th day.

As a result, some government services, including ones related to cybersecurity, such as NIST’s Computer Security Resource Center (CSRC), are unavailable until further notice. According to Netcraft, the shutdown has also led to over 80 TLS certificates for .gov domains expiring without being renewed.

The expired certificates are for domains belong to organizations such as NASA, the Department of Justice, the Court of Appeals, and the Lawrence Berkeley National Laboratory.

For example, the HTTPS certificate for expired on December 17, just days before the shutdown, and it has not been renewed. When users try to access the website, they are presented with a warning that their connection is not secure due to the use of an invalid certificate.

Since domains are on the HTTPS Strict Transport Security (HSTS) preload list, web browsers such as Chrome, Safari, Firefox, Edge, Internet Explorer and Opera prevent users from accessing them if their certificate has expired.

Websites that are not on the HSTS list can normally still be accessed by users as the browser’s “advanced” menu allows them to add an exception even if the security certificate is invalid. However, this option is not available for HSTS domains.

Advertisement. Scroll to continue reading.

Certificate expired on Justice Department domain - via Netcraft

“Most of the affected sites will display an interstitial security warning that the user will be able to bypass,” explained Netcraft’s Paul Mutton. “This introduces some realistic security concerns, as task-oriented users are more likely to ignore these security warnings, and will therefore render themselves vulnerable to man-in-the-middle attacks.”

As an example of websites on which the security warning can be bypassed, Mutton provided, for which the certificate expired on January 5, and, for which the certificate expired on January 8.

“As more and more certificates used by government websites inevitably expire over the following days, weeks — or maybe even months — there could be some realistic opportunities to undermine the security of all U.S. citizens,” Mutton said.

Related: Security of U.S. Government Sites Improved Only Slightly

Related: Many Federal Agencies Fail to Meet DMARC Implementation Deadline

Related: DMARC Use is Growing, But Difficult to Configure Correctly and Completely

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...