Shutdown threatens even more government websites

The list of affected federal sites grows as security certificates expire, giving hackers more opportunities to get between you and the website you're visiting.

Laura Hautala
Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials 2022 Eddie Award for a single article in consumer technology
3 min read
Abstract image of lock against blue background
Patra Kongsirimongkolchai/Getty Images

The government shutdown, now in its 25th day, continues to affect the security of federal websites, and the number of impacted sites has jumped.

Netcraft, a UK-based web security company, noted last week that it had found more than 80 US government websites operating with expired security certificates, a situation that could put visitors at risk. On Thursday, the company said the number had grown to more than 130 federal sites with expired certificates.

Sites such as those of the Department of Justice and NASA were among those initially affected. The latest round of certificate expirations includes sites for the White House, the Federal Aviation Administration, the National Archives and the Department of Agriculture. Some of the affected sites are payment portals, potentially jeopardizing the personal information of visitors, Netcraft said, though CNET couldn't independently verify this.

As the shutdown drags on, more certificates are likely to expire, because they can require employees to renew them. The certificates have different expiration dates scattered throughout the year, and the workers who would normally renew some of them are likely to be out on furlough. As a result, "[T]here could be some realistic opportunities to undermine the security of all US citizens," Paul Mutton, a security researcher at Netcraft, wrote in a company blog post January 10.

Netcraft's findings underscore the toll taken on US government cybersecurity by the protracted shutdown, which has left hundreds of thousands of federal employees and contractors furloughed.

Security certificates, which use a cryptographic key to verify that a website is legitimate, are crucial tools for the safe operation of the web. The certificates let websites tap tools that encrypt the information the sites send to, and receive from, visitors. If a website's certificates aren't valid, the security tools won't work.

That leaves the information -- think passwords and credit card numbers -- vulnerable to hackers. What's more, hackers could stealthily direct visitors to download malicious software masquerading as an everyday file, such as a PDF of an important document.

That's what's called a "man in the middle" attack," said Marc Rogers, who runs cybersecurity at Okta, a company that manages workplace logins. Rogers said the tactic has been used by both criminals and spy agencies to fool internet users and compromise computers.

Such attacks can be very sophisticated, with hackers hijacking what visitors see even when they type in the correct website address. Hackers can then show visitors a fraudulent version of the website they were trying to reach.

Netcraft found more than 80 expired security certificates for US government websites, but the company isn't saying hackers have actually taken advantage of vulnerable sites.

Some of the expired certificates have knocked subdomains, or offshoots of major websites, off the web. A NASA subdomain, rockettest.nasa.com, currently isn't accessible, which Netcraft said is because of a lapsed certificate. According to the Internet Archive, the page is for the space exploration agency's Rocket Propulsion Test Program. The site's security certificate expired Jan. 5, according to Netcraft.

NASA didn't immediately respond to a request for comment.

More than ever, websites are using security certificates and thus enabling an encrypted connection. A push by internet security experts and major Silicon Valley companies, including Google and Mozilla, has made it simpler for website owners to get certificates. It's so common, in fact, that fraudsters have started encrypting their websites too, in order to look legitimate.

Rogers said the threat posed by expired certificates should prompt lawmakers and department heads to plan better for the next government shutdown.

"We need to ask, what are the things that we need to protect?" Rogers said. "So that when these lapses happen, criminals don't take advantage."

CNET's Marguerite Reardon contributed to this story.

First published Jan. 12, 9:43 a.m. PT.
Update, Jan. 17 at 1:50 p.m.: Adds new information from Netcraft about the number of federal websites affected. 

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Election security: Everything you need to know about election security in the 2018 US midterm elections.