Some US government websites wont load after HTTPS certificates expire during shutdown

In a government shutdown, everything deemed non-essential stops. As we found out, renewing the certificates on its websites is considered non-essential.
Several government sites are currently inaccessible or blocked by most browsers after their HTTPS certificate expired. With nobody available to renew them during the government shutdown, these sites are kicking back warning errors.
According to Netcraft, a U.K.-based internet security services company, many government domains cant be accessed until someone fixes the certificates. Some sites, likeone Justice Department subdomain, are at the time of writing completely inaccessible because the domain is included in Chromes HSTS preload list, used by browsers to force browsers into using HTTPS only when accessing pages on the domain.
Others,like this NASA pageand one U.S. Courts website, however, arent using HSTS and are still accessible via an interstitial warning.
So whats happening?
Every time your browser lights up with HTTPS in green or flashes a padlock, its a TLS certificate encrypting the connection between your computer and the website, ensuring nobody can intercept and steal your data or modify the website. But TLS certificates are notoriously delicate things. Certificates expire a common mistake as people often forget to renew them. Depending on the security level, most websites will kick back browser errors while other sites wont let you in at all until the expired certificate is renewed.
Except in this case, they cant because theres nobody there to buy and install a new certificate.
As it stands, its the responsibility of each department and agency to renew the certificate for their own domain. Depending on how many workers have been furloughed and sent home in each agency, renewing a certificate might not be a top prioritywhen theyre short-staffed and overworked already.
There is some good news.
Most major government websites arent down or likely to go down any time soon. Most government certificates arent set to expire for many more months. Also, any government website hosted on, or federalist.18f.govwont get certificate errors, as these domains automatically renew their certificates every three months with Lets Encrypt.
Until the government opens up again, dont expect these websites until then. But depending on how long this shutdown lasts, you can certainly expect things to get a lot worse.

How Trumps government shutdown is harming cyber and national security
See also:
Leave a comment
  • Latest
  • Read
  • Commented
Calendar Content
«     2019    »