.Gov Security Falters during US Shutdown

Posted by Megalith 12:50 PM (CST)

Saturday January 12, 2019

Many government websites have been rendered either insecure or inaccessible by the federal shutdown. The root of the issue is expired TLS certificates: the tech workers who would renew them have been furloughed. Some of these sites remain reachable because they lack HSTS (HTTP Strict Transport Security), which leaves visitors free to click through their browser's certificate warning; this is not advised, as an expired-certificate warning looks the same as an active man-in-the-middle attack, and bypassing it opens the door to one.

In a twist of fate, the Department of Justice's domain, along with all of its subdomains, is included in Chromium's HSTS preload list. This is a prudent security measure that forces modern browsers to use only secure, encrypted connections when accessing the US DoJ websites; however, it also prevents users from visiting those HTTPS sites once an expired certificate is encountered. In these cases, modern browsers like Google Chrome and Mozilla Firefox deliberately hide the advanced option that would otherwise let the user bypass the warning and continue through to the site.
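The interaction described above, an expired certificate combined with an HSTS policy (preloaded, or cached from an earlier visit) deciding whether a visitor can click through at all, as an added Python example that is not part of the original post. The hosts, policy entries and expiry dates are constructed for illustration, not taken from the real Chromium preload list.

```python
from datetime import datetime, timedelta

# Constructed HSTS policy (hypothetical hosts, not the real Chromium preload
# list): domain -> includeSubDomains flag. A browser's cached HSTS entries
# behave the same way, so observed headers are merged in with learn_hsts().
POLICY = {"agency.example.gov": True, "alone.example.gov": False}

def parse_hsts(header):
    """(max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = 0, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def learn_hsts(policy, host, header):
    """Record a host from an observed header, as a browser would; max-age=0 forgets it."""
    max_age, include_sub = parse_hsts(header)
    if max_age > 0:
        policy[host.lower()] = include_sub
    else:
        policy.pop(host.lower(), None)
    return policy

def hsts_enforced(host, policy=POLICY):
    """True if host matches an entry exactly or a parent entry carrying
    includeSubDomains; the browser then refuses any certificate bypass."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in policy and (i == 0 or policy[candidate]):
            return True
    return False

def classify(host, not_after_iso, now_iso, policy=POLICY, warn_days=14):
    """blocked (expired, HSTS-enforced), bypassable (expired, click-through
    possible, so MITM-exposed), expiring (renew within warn_days) or ok.
    Dates are ISO 8601 strings, e.g. the certificate's notAfter."""
    not_after = datetime.fromisoformat(not_after_iso)
    now = datetime.fromisoformat(now_iso)
    if not_after <= now:
        return "blocked" if hsts_enforced(host, policy) else "bypassable"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"
```

Run over a certificate inventory before a staffing gap, the "expiring" and "blocked" outcomes are the hosts to renew first, since no one will be able to click past them.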