Windows 10 News and info | Forum
Topic: U.S. Government Shutdown Leaves Its Sites Insecure, TLS Certs Expired
Author: javajolt
« on: January 11, 2019, 02:17:29 AM »

Following a partial U.S. government shutdown caused by a deadlock on the issue of the Mexican border wall between the Democratic Party and Donald Trump, tens of government websites can no longer be accessed or have become insecure because their TLS certificates have not been renewed.

The websites of the U.S. Department of Justice, NASA, and the Court of Appeals are some of the ones hit by the government's failure to extend around 80 TLS certificates used on .gov domains.

.gov websites with expired certificates on the HSTS preload list now inaccessible

One of the websites affected by this mishap is the Department of Justice's http://ows2.usdoj.gov/, which displays an error message warning visitors that the connection is not private or secure, depending on the web browser used.

To make things worse, because ows2.usdoj.gov is also on Chromium's HTTP Strict Transport Security (HSTS) preload list, the website will not be accessible given that both Google Chrome and Mozilla Firefox will automatically hide the button allowing users to temporarily ignore the warning and open the website.


[Image: Expired ows2.usdoj.gov TLS certificate]

Furthermore, seeing that most other web browsers also use their own HSTS preload lists based on the Chrome one, there is nothing users can do to load the .gov websites temporarily broken by the expired TLS certificates.

The government sites not on the HSTS preload list will open after users click on the "Advanced" button at the end of the warning and choose to proceed, but there are risks involved in doing that.

Expired certificates increase the risk of fraud and identity theft

According to GlobalSign, people who still choose to use websites with expired TLS certificates are exposed to:

Quote
Personal information at risk from man-in-the-middle attacks

Individual susceptible to fraud and identity theft


"Until US Congress resumes services it is inevitable that we will see expired certificates and this example just goes to show how vulnerable organizations who are susceptible to shutdown can be," said GlobalSign’s Managing Director, Paul Tourret.

"As more and more certificates used by government websites inevitably expire over the following days, weeks — or maybe even months — there could be some realistic opportunities to undermine the security of all U.S. citizens," according to Netcraft's Paul Mutton who discovered the expired .gov TLS certificates and the issues they're causing.

source
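
Added example, not part of the original post or its source article: a small certificate-expiry audit that combines each host's notAfter date with HSTS preload coverage to predict whether visitors get a hard block or a click-through warning, as the article describes. The hostnames, dates, and preload entries are constructed placeholders, and the function names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample entries shaped like Chromium's HSTS preload list
# ("name", "include_subdomains"); the hostnames are placeholders.
PRELOAD = [
    {"name": "agency.example", "include_subdomains": True},
    {"name": "portal.bureau.example", "include_subdomains": False},
]

# Constructed inventory: host -> certificate notAfter, in the string
# format returned by ssl.SSLSocket.getpeercert().
INVENTORY = {
    "apps.agency.example": "Jan  5 12:00:00 2019 GMT",
    "portal.bureau.example": "Feb  1 12:00:00 2019 GMT",
    "www.bureau.example": "Dec 17 12:00:00 2018 GMT",
    "data.office.example": "Jun 30 12:00:00 2019 GMT",
}


def hsts_preloaded(host, preload=PRELOAD):
    """True on an exact match, or a subdomain of an include_subdomains entry."""
    host = host.lower().rstrip(".")
    for entry in preload:
        if host == entry["name"]:
            return True
        if entry["include_subdomains"] and host.endswith("." + entry["name"]):
            return True
    return False


def classify(host, not_after, now, warn_days=30):
    """Predict browser behaviour at `now` (a timezone-aware datetime)."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), timezone.utc)
    if expires <= now:
        # Preloaded HSTS hosts get no bypass button; others can click through.
        return "blocked" if hsts_preloaded(host) else "bypassable-warning"
    return "renew-soon" if (expires - now).days <= warn_days else "ok"


def report(now, inventory=INVENTORY):
    """Classify every host in the inventory as of `now`."""
    return {host: classify(host, na, now) for host, na in inventory.items()}


if __name__ == "__main__":
    for host, state in report(datetime(2019, 1, 11, tzinfo=timezone.utc)).items():
        print(f"{host:24} {state}")
```

Running such a check on a schedule, with the warning window set longer than any plausible staffing gap, surfaces the preloaded hosts first, since those are the ones that become unreachable rather than merely flagged.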