President Trump's Government Shutdown Is Breaking Federal Websites

A Department of Justice website malfunctioning from an expired TLS certificate.

Dozens of federal government websites are not working correctly due to the ongoing government shutdown, BuzzFeed News reported on Friday, including ones for the Seventh Circuit of the U.S. Court of Appeals and some NASA and Department of Justice webpages. According to BuzzFeed, these sites and others appear to be malfunctioning because they lacked valid Transport Layer Security certificates, making them inaccessible from some browsers, such as Google’s popular Chrome browsers, that began warning users of insecure connections (at least without manually accepting an invalid certificate).


With the ongoing shutdown over Donald Trump’s demands that Congress fund a useless, racist wall (or some kind of useless, racist, face-saving wall-like object) on the U.S.-Mexico border now the longest federal shutdown in history, it’s likely that the sites aren’t working because IT workers aren’t getting paid or are on furlough. BuzzFeed wrote:

The problem stems from a failure to renew the sites’ Transport Layer Security (TLS) certificates, according to Netcraft, which monitors TLS activity. In layperson’s terms, a TLS certificate authenticates a website to your browser and ensures that people can’t snoop on the information you send to the site. The missed renewal has affected more than 80 government sites, Netcraft reported.

... The Court of Appeals, NASA, and the DOJ did not immediately respond to requests for comment.

According to the Netcraft analysis, over 80 government websites were affected by the issue as of Jan. 10, 2019. As Netcraft noted, some websites such as the DOJ sites in question are in the Chromium HSTS preload list, meaning that they require “secure, encrypted protocols” for a user to connect. That prevents users from connecting when expired certificates are detected, though the site noted that “in this case, security is arguably better than usability when you can’t have both.” It further wrote that other sites were not properly configured, potentially exposing some users to preventable security risks:

However, only a few of the affected .gov sites implement correctly-functioning HSTS policies. Just a handful of the sites appear in the HSTS preload list, and only a small proportion of the rest attempt to set a policy via the Strict-Transport-Security HTTP header – but the latter policies will not be obeyed when they are served alongside an expired certificate, and so will only be effective if the user has already visited the sites before.

Consequently, most of the affected sites will display an interstitial security warning that the user will be able to bypass.

One website for the Department of Energy’s Lawrence Berkeley National Laboratory, they noted, allowed users to proceed to a vulnerable login page due to incorrect configuration. (The Berkeley Lab remains open during the shutdown, so this particular example may not be connected.)
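The HSTS behavior Netcraft describes above can be modeled in a few lines. This is an added example, not code from Netcraft, BuzzFeed or any browser: a simplified model of a browser's HSTS cache in which the hostnames and the one-entry preload set are constructed placeholders and `includeSubDomains` is parsed past but not modeled.

```python
# Simplified model of how a browser decides whether a certificate warning
# can be clicked through. Hostnames and the preload set are constructed.
PRELOADED = {"preloaded.agency.example"}  # stand-in for the built-in preload list


def parse_sts(header):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None  # max-age is required; without it the header is invalid


class HstsStore:
    """Dynamic HSTS cache: host -> time at which the noted policy lapses."""

    def __init__(self):
        self.expiry = {}

    def note_response(self, host, header, cert_valid, now):
        # The header is only honored on a connection with no certificate
        # errors, so a site first seen with an expired cert sets no policy.
        if not cert_valid or header is None:
            return False
        max_age = parse_sts(header)
        if max_age is None:
            return False
        if max_age == 0:
            self.expiry.pop(host, None)  # max-age=0 clears a stored policy
        else:
            self.expiry[host] = now + max_age
        return True

    def is_hsts(self, host, now):
        return host in PRELOADED or self.expiry.get(host, 0) > now

    def outcome(self, host, cert_valid, now):
        if cert_valid:
            return "ok"
        # Known HSTS host: hard failure. Otherwise: a warning the user can bypass.
        return "blocked" if self.is_hsts(host, now) else "bypassable-warning"
```

Only the preloaded host and the host visited earlier with a valid certificate end up blocked; a header first served alongside an expired certificate changes nothing.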

It’s unclear when the federal government standoff, which has seriously impacted everything from national parks and science conferences to air travel and pay for an estimated 800,000 federal workers, might end. Negotiations between Trump and Democratic members of Congress are still stalled and won’t restart until the work week begins on Jan. 14. A CNN primer on the shutdown on Saturday answered the question “When will the government reopen?” with “¯\_(ツ)_/¯ Your guess is as good as ours.”


Clarification: This post originally said that the websites were inaccessible on some browsers; however, these pages can be accessed via advanced options that are in some cases hidden from the end user.

[BuzzFeed News/Netcraft]




Thanks for using TLS. People still think SSL. But they aren't inaccessible, you just have to accept an invalid cert, which is a bad idea unless you're visiting