The U.S. government shutdown is causing trouble not only in political circles but also in the world of internet security. As the shutdown enters day 22, making it the longest shutdown in the history of the country, dozens of government websites have been rendered insecure or inaccessible due to expired transport layer security (TLS) certificates.
According to a report by Netcraft, more than 80 TLS certificates that are used by .gov websites have expired and have not been renewed. To make matters worse, some websites are now entirely inaccessible due to security measures brought in long before the shutdown started. Modern browsers are forced to use secure and encrypted protocols when accessing government websites, which is a sensible security measure, but when a certificate is expired the site becomes inaccessible and a warning page is shown instead.
In browsers like Google Chrome and Mozilla Firefox there is a way to bypass the warning and continue on to the site, but this is hidden in an advanced options menu that most non-advanced users wouldn’t know to look for and wouldn’t feel confident using. It is also not advisable for users to enter any sensitive data such as personal information or social security numbers into the websites with this warning as they are currently not secure.
TLS certificates are important because they grant permission to use encrypted communication and authenticate the identity of the certificate holder. The certificates need to be regularly renewed to confirm that the site is still secure and encrypted, and if they are not renewed, the sites automatically show a warning when users try to visit the site.
Some of the affected sites include crucial government services like NASA, the U.S. Department of Justice, and the Court of Appeals. These sites could now be vulnerable to cyber attacks like man-in-the-middle attacks in which an attacker can access and alter information sent between two parties who believe they are communicating directly with each other.
According to CyberScoop, the government shutdown has raised tensions among the government cybersecurity community, with government representatives being notably absent at recent cybersecurity recruiting events held in Washington earlier this month.