Government Shutdown Means Government Website Security Certs Aren't Being Renewed
from the it's-the-little-things dept
With all the news about the ongoing government shutdown and the big messes it has caused, it's creating lots of little messes with potentially big impact as well. For example, scammers and robocallers have upped their game during the shutdown, knowing that (1) there's no one investigating these scams right now, and (2) as I discovered when I tried to report one, the FTC has literally shut down the web portal where you used to be able to submit complaints.
Another one, however, pointed out last week by Netcraft, is the fact that government website security certificates are expiring... and there's no one around to renew them:
"Dozens of U.S. government websites have been rendered either insecure or inaccessible during the ongoing U.S. federal shutdown. These sites include sensitive government payment portals and remote access services, affecting the likes of NASA, the U.S. Department of Justice, and the Court of Appeals.
"With around 400,000 federal employees currently furloughed, more than 80 TLS certificates used by .gov websites have so far expired without being renewed. To compound the situation, some of these abandoned websites can no longer be accessed due to strict security measures that were implemented long before the shutdown started."
As Netcraft notes, on some of those sites, such as certain DOJ sites, you can't even get around the security warning.
There are some government websites that you can click through on, but as Netcraft notes, this could allow for man-in-the-middle attacks or other security risks:
"This introduces some realistic security concerns, as task-oriented users are more likely to ignore these security warnings, and will therefore render themselves vulnerable to man-in-the-middle attacks."
If the shutdown continues for a while, this problem could get significantly worse. I know that Wall Street put pressure on the government to have certain IRS employees suddenly deemed "essential" to help Wall Street keep functioning smoothly. Perhaps someone might want to deem the people renewing security certs similarly essential? Or, you know what, maybe just re-open the damn government.
Filed Under: encryption, government shutdown, https, security certificates, tls
Reader Comments
of course that would not solve all problems, but it would need less human intervention
[ link to this | view in chronology ]
Re:
Either way, there are many examples of similar issues in the private sector, they're just normally not directly due to a spoiled toddler having a tantrum.
[ link to this | view in chronology ]
Re: Re:
[citation needed]
..checks twitter...nvm...
[ link to this | view in chronology ]
Re: certificates
[ link to this | view in chronology ]
Re: Re: certificates
Also, never underestimate the power of management who will favour an inferior solution due to a brand name or because they know a paid solution will give them an out when their incompetence is revealed.
[ link to this | view in chronology ]
Re: Re: Re: certificates
I'd imagine automation is something that's slow to be approved in the public sector.
Not just slow, but likely to never happen. The UK gov sites we admin are managed by an elaborate paper driven procedure agreed when Edward was on the throne. It's triggered by an internal Business Team that asks the Technical Team to generate their certificate request files, upon which they then obtain the necessary certs from the providers. Once obtained, they hand them over to an internal Security Team, who audit/vet them before handing them to the Technical Team for implementation. And that's the simple version; there are other internal/external Business Units and external Security Teams in the loop.
2 weeks minimum. It's like 'Yes Minister', on steroids.
[ link to this | view in chronology ]
Re: Re: Re: Re: certificates
Hopefully some thinking people in the US will take this as a warning, though - if something as predictable and easily automated as certificate renewal is failing, just imagine what else is getting ready to collapse.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
I would love to believe this is true, but the people who probably should be learning this lesson are likely people who voted into office the man responsible for the shutdown.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Blame
He also said - quite loudly when someone else was in office, that only the president can be blamed for a shutdown.
Also: Wall = silliness. Press releases about it = lies and misstatements. Something thinking people fact-check every time he opens his lie-hole.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Government Actually Gets Things Done -- Who Knew?
Yet here you are, take away the Government for just a few days, and suddenly everybody starts to miss it.
[ link to this | view in chronology ]
Re: Government Actually Gets Things Done -- Who Knew?
At least there is no new terrible legislation going through right now.
[ link to this | view in chronology ]
Re: Re: Government Actually Gets Things Done -- Who Knew?
Yes there are things that can be trimmed from current operations. The problem with a shutdown is that it is like using a chainsaw instead of a scalpel when doing the trimming. You end up losing a lot more than just fat and the opening won't heal correctly either.
[ link to this | view in chronology ]
Re: Re: Government Actually Gets Things Done -- Who Knew?
What reality are you living in? Congress is still functioning, as is the White House. It's just the people to do the work to implement the laws who are furloughed.
[ link to this | view in chronology ]
Re: Re: Re: Government Actually Gets Things Done -- Who Knew?
[ link to this | view in chronology ]
Re: Re: Re: Re: Government Actually Gets Things Done -- Who Knew
So no change from before the shutdown then.
[ link to this | view in chronology ]
Re: Re: Government Actually Gets Things Done -- Who Knew?
[ link to this | view in chronology ]
Re: Re: Re: Government Actually Gets Things Done -- Who Knew?
You have no idea.
[ link to this | view in chronology ]
Re: Re: Re: Re: Government Actually Gets Things Done -- Who Knew
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Government Actually Gets Things Done -- Who
[ link to this | view in chronology ]
Re: Re: Government Actually Gets Things Done -- Who Knew?
Oh, but you will. I'm sorry to see that you're so incapable of critical thinking that you have to wait for the damage to hit you personally, rather than take easy preventative measures to stop it from happening.
"we'd all get to pay less in taxes."
Yet, you apparently support something that's guaranteed to cost you billions, at minimum. Strange.
[ link to this | view in chronology ]
But it makes no sense why the government can't do any labor-shifting, in much the same way that companies routinely handle strikes by sending the executives and engineers to work the assembly lines? The vast majority of the federal government does not do anything that's essential on a daily basis, and the fully-funded parts, such as the military, could easily switch to other duties.
[ link to this | view in chronology ]
Re:
I don't know what's more sad. The fact that you freely admit that the insane amount of money that you spend on your military would be better spent elsewhere. Or, the fact that you believe that your government doesn't hire anyone with any actual professional knowledge or experience since they're so easily replaced.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
I wonder if you’re also a fan of all the vandalism, too.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Blame where it's due. In software we don't blame our Quality Assurance people when they fail to catch a bug written by Engineering. We praise them when they do but Engineering is at fault for bugs. Always. No difference in other industries.
[ link to this | view in chronology ]
Re: Re: Re:
In software we don't blame our Quality Assurance people when they fail to catch a bug written by Engineering.
This is how we can tell you're lying.
[ link to this | view in chronology ]
Re: Re: Re:
Yet, that's what they'll do. Quite often, these things are there because companies cut corners to save money. Plenty of middle management types spend their days raging at people who won't let them put margins over and above people's safety, because they always believe they know better and the precautions are not necessary.
Now they can take shortcuts *and* blame the lack of oversight when problems aren't caught - and you think this won't happen?
"In software we don't blame our Quality Assurance people when they fail to catch a bug written by Engineering"
I somehow doubt you've ever worked in industry, certainly not for a larger corporate entity.
[ link to this | view in chronology ]
Re:
Please. Oh PLEASE give me an example. This is your libertarian wet dream. A society without a government telling you what to do. I am giving you the power. Who do you behead to never return? Oh please tell me oh wise one who never needs to see a paycheck again? Please tell me what services are not important enough.
[ link to this | view in chronology ]
Re: Re:
Just to name one, HUD, the Department of Housing and Urban Development, would be high on my list of "federal agencies that are not just useless, but counter-productive."
Much of the gargantuan federal government is basically a "workfare" program for minorities. Perhaps it served a real need back in the 1960s when Johnson's "Great Society" programs were born, but today serves as a lingering remnant of the kind of socialism that even hardline socialist countries abandoned.
[ link to this | view in chronology ]
Re: Re: Re:
I found the racist!
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
Quite to the contrary they're very useful in propping up our corporate overlords who choose not to pay a living wage by subsidizing their serfs' housing costs. At least under feudalism the vassals would house their serfs.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
It's also a dream of the Republicans who favor smaller government. At least in theory.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
That was the GOP's fault; the idea was to derail the Affordable Care Act.
[ link to this | view in chronology ]
There's probably also some civil service regulations to prevent Civil Service work being done by appointees. Otherwise it would be too easy to terminate employees for political reasons.
I wish the Dems would pass a bill with a border wall, but also with everything from Student Loan forgiveness to DACA and other immigration reforms. Give Pres. Trump a choice: either a clean bill with no wall, or a bill that funds his symbolic pork-barrel, but forces him to accept a significant part of their agenda in return. At a minimum, roll back some of the Trump corp and high-income tax cuts to "pay for the wall".
Oh, and explicitly fund the Mueller investigation to the end of the FY, so the new DoJ leadership doesn't play games with their budget.
[ link to this | view in chronology ]
Re:
Everything after this assumes the Senate would pass the same bill and force Trump into making a decision. Since Mitch McConnell would probably rather die than put Trump in the path of a Sophie’s Choice like yours (and a could-be-successful override vote in the Senate if he chooses to veto), I doubt that would happen.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Commentary
Prediction: threat of imminent collapse will galvanize unanimous response.
Warning: response will have high likelihood of unintended consequences.
Optimism: UBI (universal basic income) utopia
Pessimism: new dark age dictatorship
[ link to this | view in chronology ]
Re: Commentary
What it would do is force the likes of me to pay more tax so the idle rich could have pocket money.
[ link to this | view in chronology ]
Re: Re: Commentary
Perhaps, but the cost of means testing would exceed the benefits.
I'm okay with paying more in taxes to make sure nobody starves. If that means pocket change for the idle rich, that's a price I'm willing to pay. Just as I don't mind paying for rich kids to go to public school, should their parents so choose.
[ link to this | view in chronology ]
Incompetence, not shutdown.
The certificate for the example you show (ows2.usdoj.gov) expired on December 17, before the shutdown started.
[ link to this | view in chronology ]
Re: Incompetence, not shutdown.
One would presume that it would have been noticed *before* the shutdown if it was expired... but it seems everyone noticed it *after* the shutdown started.
Was it reverted to the older cert after the shutdown?
[ link to this | view in chronology ]
Re: Re: Incompetence, not shutdown.
Who says it wasn't?
"but it seems everyone noticed it *after* the shutdown started."
By "everybody" you mean Netcraft and by "after the shutdown started", you mean "after the certificates expired" (most of which examined having expired after the shutdown).
"Was it reverted to the older cert after the shutdown?"
Occam's razor does help with most such conspiracy theories. Which is more likely - relatively mundane repetitive tasks are simply not being done by a department which is shut down for the second time in the space of a year, or that people are deliberately reinstalling expired certificates in order to make it look like they're more important than they are?
[ link to this | view in chronology ]
The certificate expired on December 17, 2018, 6:34 PM. The current time is January 15, 2019, 10:56 AM. (my time zone is UTC+1)
[ link to this | view in chronology ]
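The expiry-versus-current-time comparison in the comment above can be run as a routine monitoring check. The following is an added example, not part of the original post or its comments: it parses certificate notAfter values in the format Python's ssl module reports and flags certificates that are expired or inside a renewal window. The inventory is constructed; only the ows2.usdoj.gov host and its reported expiry time come from the page (seconds assumed to be :00), while the example.gov hosts and the 30-day window are assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed inventory. The first entry uses the host named in the comments
# and the reported expiry (6:34 PM at UTC+1 is 17:34 GMT; seconds assumed).
# The two example.gov entries are made-up samples.
INVENTORY = [
    ("static.example.gov", "Nov  3 00:00:00 2019 GMT"),
    ("ows2.usdoj.gov", "Dec 17 17:34:00 2018 GMT"),
    ("portal.example.gov", "Jan 29 12:00:00 2019 GMT"),
]

def not_after_utc(not_after: str) -> datetime:
    """Parse a notAfter string in the format ssl.getpeercert() returns."""
    seconds = ssl.cert_time_to_seconds(not_after)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def classify(not_after: str, now: datetime, warn_days: int = 30):
    """Return (status, whole_days): days left, or days since expiry."""
    if now.tzinfo is None:
        # A naive local time would silently shift the result by the UTC offset.
        raise ValueError("now must be timezone-aware")
    delta = not_after_utc(not_after) - now
    if delta <= timedelta(0):
        return "EXPIRED", (-delta).days
    if delta <= timedelta(days=warn_days):
        return "RENEW_NOW", delta.days
    return "OK", delta.days

def report(inventory, now, warn_days=30):
    """List (host, status, days) with the earliest expiry first."""
    rows = [(host, *classify(na, now, warn_days), not_after_utc(na))
            for host, na in inventory]
    rows.sort(key=lambda r: r[3])
    return [(host, status, days) for host, status, days, _ in rows]

if __name__ == "__main__":
    # The commenter's "current time": January 15, 2019, 10:56 AM at UTC+1.
    now = datetime(2019, 1, 15, 10, 56, tzinfo=timezone(timedelta(hours=1)))
    for host, status, days in report(INVENTORY, now):
        print(f"{host:22} {status:10} {days:4d} days")
```

Run on a schedule against a real inventory, the RENEW_NOW state is the one that matters: it surfaces a certificate while there is still time to renew it.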
Re:
[ link to this | view in chronology ]
Re: Incompetence, not shutdown.
[ link to this | view in chronology ]
Of course he's a Russian agent. It's been clear for some time that his goal is to ruin this country.
Just shut him down and put a wall around him--four walls actually... like a prison cell? (you know, for treason).
[ link to this | view in chronology ]
Re:
Your first point is inaccurate.
Trump proved his complete incompetence at presidenting beyond all reasonable doubt long before his election. The two years after have merely been putting adamantine reinforcement on it.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]