Shutdown: Dot-gov websites vulnerable to cyberattacks, certificates expiring amid funding pause


#1

Originally published at: https://boingboing.net/2019/01/11/shutdown-dot-gov-websites-vul.html

“With around 400,000 federal employees currently furloughed, more than 80 TLS certificates used by .gov websites have so far expired without being renewed.”


#2

Just another shutdown “feature”.


#3

I think it is worth pointing out that expired certificates are fully functional – it’s just that the user gets a very scary warning which does in effect render the site inaccessible.

(Said as a veteran of many expired cert fire-drills.)


#4

#5

Don’t these things expire like… every three years? Did they leave the renewal until the last minute? Is somebody going to register IRS.gov for a porn site?


#6

Domains are different from SSL certificates, as @Scott_Lindsey said. Domains are things like IRS.gov, the name. Each Top Level Domain (tld) has a governing body who hands out domains, so nobody can grab IRS.gov and sit on it, because the federal government controls distribution of .gov domains. Of course, these entities can delegate: when you buy a .com domain off namecheap, you’re paying namecheap to register the domain on your behalf with the controller of the .com TLD.

The certificate thing is another matter: the certificate is kinda like a secret password. We’ll come up with some cipher (secret way of speaking) that somehow depends on this password, so if we’re the only ones who know this password, we’re the only ones who can understand. The problem is that bad guys can just grab some of the messages and start trying random passwords, and if they try for long enough they’re going to get it. To get around this, we implement expiration in the certificates. I tell you that yeah, we’re going to use this password, but a year from now this password won’t be any good anymore and if people try and talk to you with this password, that means they’re not me and they’re trying to get your data. An expired SSL certificate isn’t BAD, it doesn’t mean that the bad guys have your data, but it’s a hint that there may be something fishy going on. That’s why browsers let you route around it (usually through a semi-hidden option on the warning page like advanced -> continue anyway.)

ETA:
I’m guessing you already knew the answers to all these from what I’ve seen before, but I’m sure someone will show up wondering these things :wink:


#7

A problem with a nearly trivial solution: Let’s Encrypt.

I have an uneasy feeling the president is not the only one incompetent.


#8

Look, if any government employee out there is willing to give me shell access, I’ll put a Let’s Encrypt certificate on all these sites myself. No charge!


#9

Thank you that was helpful. And yes, I know what a password is.


#10

Just a cursory glance over at the IRS’ website shows their cert to be good through 2020, so there shouldn’t be any issues there. Until next year’s shutdown over whatever Trump’s next racist public works project ends up being.


#11

This topic was automatically closed after 5 days. New replies are no longer allowed.