The shutdown has been going on for around three weeks now and it is not showing any signs that it’s going to end soon. All in all, nine federal departments and a number of agencies have been closed since Dec. 22.
Now, it looks like it’s not just robocalls that we need to worry about. Government websites are also being rendered inaccessible and, worse yet, putting you at risk of identity theft.
Government website certificates have expired
A number of government websites, including the official web pages of the U.S. Department of Justice, NASA and the Court of Appeals, are being rendered inaccessible because of the current U.S. government shutdown.
What’s happening? It looks like due to the shutdown, the government has failed to renew around 80 TLS security certificates used on .gov domains. This means a large number of HTTPS-secured government websites are erroring out.
Note: TLS certificates are essential components of web security. Like driver’s licenses or passports, they are used to validate the identity of websites, making sure that they are what they claim they are.
For example, if you go to the Department of Justice’s https://ows2.usdoj.gov/ page, your browser will display an error message, warning you that the “connection is not private” and attackers may be impersonating the website to steal your information.
Browsers like Google Chrome and Mozilla Firefox will not even allow you to bypass the error and visit this page since it’s part of Chromium’s HTTP Strict Transport Security (HSTS) preload list.
Accessing the site through Chrome displays this message:
Other browsers like Safari and Microsoft Edge have their own HSTS preload lists, too. This means a number of .gov websites with expired certificates will be rendered inaccessible all through the shutdown (or until someone renews the certificates).
Other government websites are also displaying website notices due to the lapse in government funding.
For instance, the website of the National Institute of Standards and Technology (NIST) states that most of its affiliated websites are unavailable:
If you see a certificate error on a .gov website, don’t proceed
Here’s another warning for you. Government websites that have expired TLS certificates but are not on the HSTS preload list can still be accessed with your browser by clicking on the “Advanced” button of the warning page.
This will, however, put you at risk of information theft and identity fraud since an attacker can impersonate the website and intercept your data.
And the scary part is this – no one knows how long this government shutdown will last, giving cybercriminals everywhere an opportunity to exploit the situation.
Rule of thumb (on all websites, for that matter): if your browser is cautioning you about an expired or invalid certificate, heed the warning and stay away from it.
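For site operators, the two outcomes described above (a hard block on HSTS-preloaded hosts, a click-through warning everywhere else) can be flagged before visitors run into them. The Python check below is an added example, not part of the original article; the host names, expiry dates, audit date and 30-day renewal window are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumed renewal lead time, not from the article

def fetch_not_after(host, port=443, timeout=5):
    """Return the notAfter string of a live, still-valid certificate.
    An already-expired certificate raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def classify(not_after, hsts_preloaded, now):
    """Map an expiry date and HSTS-preload status to what a visitor will see."""
    remaining = ssl.cert_time_to_seconds(not_after) - now.timestamp()
    if remaining < 0:
        # Preloaded hosts fail hard; other hosts show a click-through warning.
        return "expired-blocked" if hsts_preloaded else "expired-bypassable"
    if remaining < RENEW_WINDOW_DAYS * 86400:
        return "renew-soon"
    return "ok"

# Constructed inventory: (host, certificate notAfter, on an HSTS preload list?)
INVENTORY = [
    ("portal.agency.example", "Dec 17 12:00:00 2018 GMT", True),
    ("forms.agency.example", "Jan  5 23:59:59 2019 GMT", False),
    ("data.agency.example", "Jan 30 00:00:00 2019 GMT", False),
    ("www.agency.example", "Nov  1 00:00:00 2019 GMT", True),
]

def audit(inventory, now):
    """Return {host: status}; anything other than 'ok' should raise an alert."""
    return {host: classify(na, pre, now) for host, na, pre in inventory}

if __name__ == "__main__":
    now = datetime(2019, 1, 12, tzinfo=timezone.utc)  # constructed audit date
    for host, status in audit(INVENTORY, now).items():
        print(f"{status:20} {host}")
```

In a real deployment the notAfter values would come from fetch_not_after() run on a schedule, so that "renew-soon" fires while the certificate is still valid.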