We like to think of ourselves as nerds here at TechCrunch, which is why we’re bring you this. During the government shutdown, security experts noticed several federal websites were throwing back…
Article word count: 637
HN Discussion: https://news.ycombinator.com/item?id=18933950
Posted by jmsflknr
(karma: 385)Post stats: Points: 161 - Comments: 115 - 2019-01-17T19:50:10Z
We like to think of ourselves as nerds here at TechCrunch, which is why we’re bring you this.
During the government shutdown, security experts noticed several federal websites were throwing back browser errors because the TLS certificate, which lights up your browser with “HTTPS” or flashes a padlock, on many domains had expired. And because so many federal workers have been sent home on unpaid leave — or worse, working without pay but trying to fill in for most of their furloughed department — expired certificates aren’t getting renewed. Renewing certificates doesn’t take much time or effort — sometimes just a click of a mouse. But some do cost money, and during a government shutdown there isn’t any.
Depending on the security level, most websites will kick back browser errors. Some won’t let you in at all until the expired certificate is renewed.
We got thinking: how many of the major departments and agencies are at risk? We looked at the list of government domains (not including subdomains) from 18F, the government’s digital services unit, which updated the list just before the shutdown. Then we filtered out all the state domains, leaving just the domains of all federal agencies and the executive branch. We put all of those domains through a bash script that pulls information from the TLS certificate of each domain and returns its expiry value. Running that for a few hours in another bash script, we returned with a few thousand results.
In other words, we poked every certificate to see if it had expired — and, if not, when it would stop working.
Why does it matter? Above all else, it’s an inconvenience. Depending on how long this shutdown lasts, it won’t take long before some of the big federal sites might start throwing errors and locking users out. That could also affect third-party sites and apps that rely on those federal sites for data, such as through a developer API.
Security, however, is less of a factor, despite claims to the contrary. Eric Mill, a security expert who recently left 18F, the government’s digital agency, said that fears over expired certificates have been overblown.
“The security risk to users is actually very low, since trusting a recently expired cert doesn’t in and of itself allow traffic to be intercepted,” he said in a recent tweet. Mill also noted that there’s little automation across the agencies, leading to certificates expiring and eventual downtime — especially when sites and departments are understaffed, especially given that each federal agency and department is responsible for their own website.
There’s a silver lining. Any website that’s hosted on cloud.gov, search.gov or federalist.18f.gov won’t go down as they rely on Let’s Encrypt certificates that automatically renew every three months.
We’ve compiled the following list of domains that have and will expire during the period of the shutdown, from December 22 onwards — while removing dead links and defunct domains that no longer load. Some domains redirect to other domains that might have a certificate that expires next year, but the first domain will still fail on its expiry date.
Remember, if you see a domain that’s working past its expiry, check the certificate and it’s likely been renewed. If you see any errors, feel free to drop me an email.
In all, we’ve counted five expired federal domains already, 13 domains will expire by the end of the month, and another 58 domains that’ll expire by the end of February.
Expiring in January:
Federal domains that will expire by mid-February
Federal domains that will expire by the end of February
All information was accurate as of January 17. Edited at 3:30pm ET by deleting citizenscience.gov and everykidinapark.gov as these are known to be domains with auto-renewing certificates.Cybersecurity 101: How to browse the web securely and privately
HackerNewsBot debug: Calculated post rank: 145 - Loop: 139 - Rank min: 100 - Author rank: 66