Dozens of .gov HTTPS certs expire, websites offline, FBI on ice, IT security slows… Yup, it’s day 20 of Trump’s govt shutdown

The IT impact of the ongoing partial US federal government shutdown has begun to show up in the form of degraded computer security. According to internet services biz Netcraft, more than 80 TLS certificates used on .gov websites have expired and have not been renewed.

That’s caused a bunch of HTTPS-protected .gov sites to become inaccessible or throw up browser errors. Some websites, such as NIST.gov, have been scaled back due to the funding freeze.

Not all of those aforementioned TLS certificates have lapsed since the budget impasse became apparent on December 22, 2018. For example, a US Justice Department website sports a TLS certificate from web registrar Go Daddy that expired on December 17, 2018.

But other websites sport more recently lapsed certs, like NASA’s Rocket Test website, whose certificate expired on January 5, 2019. The certificate for the Lawrence Berkeley Lab website expired on January 8, 2019.

Due to the expired certificates, would-be visitors may find it difficult to access affected websites or may be kept away entirely by scary browser warning messages.

In theory, Netcraft observes, support for HTTP Strict Transport Security (HSTS) in modern browsers should prevent users from visiting websites with invalid certs. But because many government websites fail to implement HSTS correctly, visitors to these misconfigured sites will still be able to bypass warnings, raising the possibility of man-in-the-middle attacks.
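As an added illustration (not from the article or Netcraft), the sketch below parses a Strict-Transport-Security header value following RFC 6797 and pairs it with certificate expiry to flag hosts where an expired-cert warning would be click-through. Host names, dates and finding labels are constructed; it assumes the header was captured while the certificate was still valid, since browsers ignore HSTS headers on connections with certificate errors and a first-time visitor to a non-preloaded host has no stored policy.

```python
from datetime import datetime, timezone

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797); None if unusable."""
    if not header:
        return None
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:
            return None  # a repeated directive makes the header invalid
        directives[name] = value.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None  # max-age is the one required directive
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}

def audit(not_after, hsts_header, now):
    """Return finding labels (constructed names) for one host."""
    findings = []
    expired = not_after < now
    if expired:
        findings.append("cert-expired")
    policy = parse_hsts(hsts_header)
    if policy is None:
        findings.append("hsts-missing-or-invalid")
    elif policy["max_age"] == 0:
        findings.append("hsts-disabled")  # max-age=0 tells browsers to forget the host
    # Without a stored policy the browser shows a click-through warning.
    if expired and (policy is None or policy["max_age"] == 0):
        findings.append("warning-bypassable")
    return findings

# Constructed sample data: reserved .example hosts, not real scan results.
NOW = datetime(2019, 1, 10, tzinfo=timezone.utc)
SAMPLES = {
    "a.example": (datetime(2019, 1, 5, tzinfo=timezone.utc), None),
    "b.example": (datetime(2019, 1, 8, tzinfo=timezone.utc), "max-age=31536000; includeSubDomains"),
    "c.example": (datetime(2019, 6, 1, tzinfo=timezone.utc), "includeSubDomains"),
    "d.example": (datetime(2019, 6, 1, tzinfo=timezone.utc), "max-age=0"),
}

if __name__ == "__main__":
    for host, (not_after, header) in SAMPLES.items():
        print(host, audit(not_after, header, NOW))
```
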

The partial government shutdown arises from President Trump’s insistence that Congress pass a national budget that includes $5.7 billion for the border wall he previously said would be paid for by Mexico. The Democrats now in control of the US House of Representatives have rejected Trump’s plan and there’s no evident interest in a compromise at the moment. As a result, federal government employees are expected to continue working without pay, or are being barred from work if deemed non-essential.

With government agencies limiting operations, including the Departments of Agriculture, Commerce, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, State, Transportation, and the Treasury, not to mention the Environmental Protection Agency, official inattention is magnifying security risks.

As the funding freeze loomed last month, DHS issued shutdown guidance saying it’s expected only 2,008 of its 3,531 employees in the recently formed Cybersecurity and Infrastructure Security Agency (CISA) would be active in the absence of funding. That means a lot of IT security work will be left undone. While a skeleton staff remains active at NIST to keep the national vulnerability database and time servers running, the majority of employees were sent home and its website pared back, somewhat hampering security research.

On Thursday, the FBI Agents Association, a group that represents almost 13,000 active duty FBI Special Agents, sent a petition to the White House and Congressional leaders warning of the impact of the shutdown on the national law enforcement agency.

Noting that FBI workers will not be paid on Friday, January 11, as they should be, the petition asks for elected leaders to fund agency operations “before financial insecurity compromises national security.” ®