Over 80 TLS certificates used by U.S. government websites have expired and have not been renewed, leaving dozens of official websites vulnerable or inaccessible, according to a ZDNet report.
Affected websites include the U.S. Department of Justice, the Court of Appeals, and NASA.
The TLS certificates have expired due to the current U.S. federal government shutdown caused by U.S. President Donald Trump’s refusal to sign a bill that does not include funding for his U.S.-Mexico border wall.
This has resulted in 400,000 staff being furloughed across departments. Several staff members, including staff handling IT support and cybersecurity, haven’t been paid to maintain the .gov websites.
As a result, security certificates haven’t been renewed, leaving websites vulnerable.
Digital certificates are used to encrypt online data communications between an end user’s browser and a website. But, when issued, they are only valid for a fixed period, anywhere from a couple of months to several years.
Government websites with expired certificates that fail to implement HSTS show an HTTPS error in users’ web browsers, but this error can be bypassed to access the site via HTTP.
Due to the expired certificates, would-be visitors have been advised not to log in or use the government websites, as traffic and authentication credentials aren’t encrypted and could be intercepted by cyber threat actors.
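The two conditions described above (a certificate past its notAfter date, and whether HSTS stops the browser from letting a visitor click through the warning) are exactly what an operator's expiry monitor should report on. The following is an added example, not code from the article, ZDNet or Netcraft; it uses only the Python 3 standard library. The hostnames, certificate dates, HSTS headers, the fixed "now" of 10 January 2019 and the 30-day warning threshold are all constructed assumptions for the demonstration. The optional `probe_not_after` helper needs network access and is not used by the offline report.

```python
"""Certificate-expiry and HSTS assessment (added example; constructed sample data)."""
import socket
import ssl

WARN_DAYS = 30  # assumed operational threshold for "renew soon" alerts


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns a dict with max_age / include_subdomains / preload, or None when the
    header is absent or has no valid max-age (which browsers treat as no HSTS).
    """
    if header is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                policy["max_age"] = int(value)
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def assess(host, not_after, hsts_header, now_ts, warn_days=WARN_DAYS):
    """Classify one site from its certificate notAfter string (ssl module format,
    e.g. 'Jan 05 12:00:00 2019 GMT') and its HSTS header as seen on a prior
    valid visit. Assumes the browser already holds that HSTS entry (or the domain
    is preloaded); a first-time visitor to an expired site would not have it."""
    expires_ts = ssl.cert_time_to_seconds(not_after)  # stdlib parser for this format
    days_left = (expires_ts - now_ts) // 86400  # floor division: -1 means "expired today"
    if days_left < 0:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring-soon"
    else:
        status = "ok"
    hsts = parse_hsts(hsts_header)
    hsts_enforced = hsts is not None and hsts["max_age"] > 0
    return {
        "host": host,
        "status": status,
        "days_left": days_left,
        "hsts_enforced": hsts_enforced,
        # Browsers refuse click-through on certificate errors for HSTS hosts, so
        # only expired sites without HSTS expose visitors to the bypassable warning.
        "warning_bypassable": status == "expired" and not hsts_enforced,
    }


def probe_not_after(host, port=443, timeout=5.0):
    """Optional live probe (network). Returns the peer certificate's notAfter when
    the chain validates; an already-expired certificate raises
    ssl.SSLCertVerificationError instead, which a monitor should log as 'expired'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


# Constructed inventory: (host, certificate notAfter, HSTS header seen on a prior visit)
SAMPLE_SITES = [
    ("justice-example.gov.invalid", "Jan 05 12:00:00 2019 GMT", None),
    ("appeals-example.gov.invalid", "Jan 08 12:00:00 2019 GMT", "max-age=31536000; includeSubDomains"),
    ("agency-example.gov.invalid", "Jan 25 00:00:00 2019 GMT", "max-age=0"),
    ("healthy-example.gov.invalid", "Mar 01 00:00:00 2019 GMT", "max-age=63072000; preload"),
]
NOW_TS = ssl.cert_time_to_seconds("Jan 10 00:00:00 2019 GMT")  # assumed clock for the demo


def run_report(sites=SAMPLE_SITES, now_ts=NOW_TS):
    """Assess every site in the inventory and return the findings as a list."""
    return [assess(host, not_after, hsts, now_ts) for host, not_after, hsts in sites]


if __name__ == "__main__":
    for finding in run_report():
        flag = "BYPASSABLE WARNING" if finding["warning_bypassable"] else ""
        print(f"{finding['host']:32} {finding['status']:14} "
              f"{finding['days_left']:5d}d  hsts={finding['hsts_enforced']!s:5} {flag}")
```

Run it as a script to print the report, or call `run_report()` from a scheduled job and alert on any `expired` or `expiring-soon` entry; the `warning_bypassable` field is the one that matters for the advice in the article, since an HSTS-protected host fails closed rather than showing a clickable warning.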
Dangers of expired TLS certificates
“Until U.S. Congress resumes services it is inevitable that we will see expired certificates and this example just goes to show how vulnerable organisations who are susceptible to shutdown can be,” said GlobalSign’s Managing Director, Paul Tourret.
“As more and more certificates used by government websites inevitably expire over the following days, weeks – or maybe even months – there could be some real opportunities to undermine the security of all U.S. citizens,” according to Netcraft’s Paul Mutton, who discovered the expired .gov TLS certificates and the issues they’re causing.
Commenting on the expired TLS certificates, web security company High-Tech Bridge’s CEO Ilia Kolochenko said: “I think the biggest risk is far beyond expired SSL certificates. How many critical governmental systems are currently unmaintained, outdated and thus vulnerable? It seems to be a great opportunity for nation-state hacking groups to exploit US momentary weakness to steal or alter extremely sensitive information.
“The situation also points to a continuity plan that is poorly implemented in some federal agencies: critical cybersecurity tasks and processes have to be maintained even if financing is temporarily paused. Otherwise, the entire model of governmental cybersecurity is questionable and people may reasonably inquire where do their taxes go.”