Dozens of .gov HTTPS certs expire, webpages offline, FBI on ice, IT security slows... Yup, it's day 20 of Trump's govt shutdown

The IT impact of the ongoing partial US federal government shutdown has begun to show up in the form of degraded computer security. According to internet services biz Netcraft, more than 80 TLS certificates used on .gov websites have expired and have not been renewed.

That's caused a bunch of HTTPS-protected .gov sites to become inaccessible or throw up browser errors. Meanwhile, some websites, such as NIST.gov, have been scaled back due to the funding freeze.

Not all of those aforementioned TLS certificates have lapsed since the budget impasse became apparent on December 22, 2018. For example a US Justice Department website sports a TLS certificate from web registrar Go Daddy that expired on December 17, 2018.

But other websites sport more recently lapsed certs like NASA's Rocket Test website, which expired on January 5, 2019. The Lawrence Berkeley Lab website, expired on January 8, 2019.

Due to the expired certificates, would-be visitors may find it difficult to access to affected websites or may be kept away entirely by scary browser warning messages.

In theory, Netcraft observes, support for HTTP Strict Transport Security (HSTS) in modern browsers should prevent users from visiting websites with invalid certs. But because many government websites fail to implement HSTS correctly, visitors to these misconfigured sites will still be able to bypass warnings, raising the possibility of man-in-the-middle attacks.

Pulling the wall over our eyes

The partial government shutdown arises from President Trump's insistence that Congress pass a national budget that includes $5.7bn for the border wall he previously said would be paid for by Mexico. The Democrats now in control of the US House of Representatives have rejected Trump's plan, and there's no evident interest in a compromise at the moment. As a result, roughly 400,000 federal government employees are expected to continue working without pay, and another 400,000 are barred from work, again unpaid, as they are deemed non-essential.

With government agencies limiting operations, including the Departments of Agriculture, Commerce, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, State, Transportation, and the Treasury, not to mention the Environmental Protection Agency, official inattention is magnifying security risks.

As the funding freeze loomed last month, DHS issued shutdown guidance saying it's expected only 2,008 of its 3,531 employees in the recently formed Cybersecurity and Infrastructure Security Agency (CISA) would be active in the absence of funding. That means a lot of IT security work will be left undone. While a skeleton staff remains active at NIST to keep the national vulnerability database and time servers running, the majority of employees were sent home and its website pared back, somewhat hampering security research.

On Thursday, the FBI Agents Association, a group that represents almost 13,000 active duty FBI Special Agents, sent a petition to the White House and Congressional leaders warning of the impact of the shutdown on the national law enforcement agency. Although some agents continue to work, albeit unpaid, while thousands of fellow bureau workers remain at home, their resources and investigations are limited.

Noting that FBI workers will not be paid on Friday, January 11, as they should be, the petition asks for elected leaders to fund agency operations "before financial insecurity compromises national security." ®