In a government shutdown, everything deemed non-essential stops. As we found out, renewing the certificates on its websites is considered non-essential.
Several government sites are currently inaccessible or blocked by most browsers after their HTTPS certificate expired. With nobody available to renew them during the government shutdown, these sites are kicking back warning errors.
According to Netcraft, a U.K.-based internet security services company, many government domains can’t be accessed until someone fixes the certificates. Some sites, like one Justice Department subdomain, are at the time of writing completely inaccessible because the domain is included in Chrome’s HSTS preload list, used by browsers to force browsers into using HTTPS only when accessing pages on the domain.
Others, like this NASA page and one U.S. Courts website, however, aren’t using HSTS and are still accessible via an interstitial warning.
So what’s happening?
Every time your browser lights up with “HTTPS” in green or flashes a padlock, it’s a TLS certificate encrypting the connection between your computer and the website, ensuring nobody can intercept and steal your data or modify the website. But TLS certificates are notoriously delicate things. Certificates expire — a common mistake as people often forget to renew them. Depending on the security level, most websites will kick back browser errors while other sites won’t let you in at all until the expired certificate is renewed.
Except in this case, they can’t — because there’s nobody there to buy and install a new certificate.
As it stands, it’s the responsibility of each department and agency to renew the certificate for their own domain. Depending on how many workers have been furloughed and sent home in each agency, renewing a certificate might not be a top priority when they’re short-staffed and overworked already.
There is some good news.
Most major government websites aren’t down or likely to go down any time soon. Most government certificates aren’t set to expire for many more months. Also, any government website hosted on cloud.gov, search.gov or federalist.18f.gov won’t get certificate errors, as these domains automatically renew their certificates every three months with Let’s Encrypt.
Until the government opens up again, don’t expect these websites until then. But depending on how long this shutdown lasts, you can certainly expect things to get a lot worse.