Some US government websites won’t load after HTTPS certificates expire during shutdown

In a government shutdown, everything deemed non-essential stops. As we found out, renewing the certificates on its websites is considered non-essential.

Several government sites are currently inaccessible or blocked by most browsers after their HTTPS certificate expired. With nobody available to renew them during the government shutdown, these sites are kicking back warning errors.

According to Netcraft, a U.K.-based internet security services company, many government domains can’t be accessed until someone fixes the certificates. Some sites, like one Justice Department subdomain, are at the time of writing completely inaccessible because the domain is included in Chrome’s HSTS preload list, which browsers use to force HTTPS-only connections for every page on the domain, so there is no warning page to click through.

Others, like this NASA page and one U.S. Courts website, however, aren’t using HSTS and are still accessible via an interstitial warning.

So what’s happening?

Every time your browser shows “HTTPS” in green or flashes a padlock, a TLS certificate is encrypting the connection between your computer and the website, ensuring nobody can intercept and steal your data or modify the website. But TLS certificates are notoriously delicate things, and letting one expire is a common mistake, as people often forget to renew them. Depending on the security level, most websites will kick back browser errors while other sites won’t let you in at all until the expired certificate is renewed.

Except in this case, they can’t — because there’s nobody there to buy and install a new certificate.

As it stands, it’s the responsibility of each department and agency to renew the certificate for their own domain. Depending on how many workers have been furloughed and sent home in each agency, renewing a certificate might not be a top priority when they’re short staffed and overworked already.

There is some good news.

Most major government websites aren’t down or likely to go down any time soon. Most government certificates aren’t set to expire for many more months. Also, any government website hosted on cloud.gov, search.gov, or federalist.18f.gov won’t get certificate errors as these domains automatically renew their certificates every three months with Let’s Encrypt.
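As an added example (not code from the original article), the following Go program shows both halves of the story above on a constructed self-signed certificate: what a verifier does once the certificate’s NotAfter date has passed, and the days-remaining check an automated renewal job of the kind cloud.gov relies on would run long before that point. The hostname, dates and 90-day lifetime are constructed, and the 30-day renewal threshold is an assumption, not a value from the article.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueSelfSigned makes a constructed self-signed certificate for host, valid from
// notBefore for lifetime. It stands in for the CA-issued certificate a real site deploys.
func issueSelfSigned(host string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAt checks cert for host as a browser would at wall-clock time now, trusting only cert
// itself. nil means no warning; past NotAfter it is x509.CertificateInvalidError{Reason: Expired}.
func verifyAt(cert *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	return err
}

// renewalStatus is the check an automated renewal job runs: whole days left before
// NotAfter (negative once expired) and whether renewBeforeDays or fewer remain.
func renewalStatus(cert *x509.Certificate, now time.Time, renewBeforeDays int) (int, bool) {
	left := int(cert.NotAfter.Sub(now).Hours() / 24)
	return left, left <= renewBeforeDays
}
```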

Until the government opens up again, don’t expect these websites to come back. And depending on how long this shutdown lasts, you can certainly expect things to get a lot worse.

With Chrome 70, hundreds of popular websites are about to break

A lot of secure sites are set to grind to a halt with security error messages in the next version of Google Chrome, after the browser will drop trust for a major HTTPS certificate provider following a series of security incidents.

Chrome 70 is expected to be released on or around October 16, when the browser will start blocking sites that run older Symantec certificates issued before June 2016, including legacy branded Thawte, VeriSign, Equifax, GeoTrust and RapidSSL certificates.

Yet despite more than a year to prepare, many popular sites are not ready.

Security researcher Scott Helme found 1,139 sites in Alexa’s top one million that still use the affected certificates, including Citrus, SSRN, the Federal Bank of India, Pantone, the Tel-Aviv city government, Squatty Potty and Penn State Federal, to name just a few.

Ferrari, One Identity and Solidworks were named on the list but recently switched to new certificates, escaping any future outages.

You can check any website by pulling up the developer console in Chrome. (Image: TechCrunch)

HTTPS certificates encrypt the data between your computer and the website or app you’re using, making it near-impossible for anyone, even on your public Wi-Fi hotspot, to intercept your data. Not only that, HTTPS certificates prove the integrity of the site you’re visiting by ensuring the pages haven’t been modified in some way by an attacker.

Most websites obtain their HTTPS certificates from certificate authorities, which abide by certain rules and procedures that, over time, earn them the trust of web browsers.

If an authority screws that up and loses that trust, browsers can pull the plug on all of the certificates it has issued.

That’s exactly why Google called it quits on Symantec certificates last year. The search giant, and others, accused Symantec of issuing misleading and wrong certificates — and later, it was discovered that Symantec allowed non-trusted organizations to issue certificates without the required rigorous oversight. That has forced thousands of sites to trash their paid-for certificates and replace them with new ones to prevent their site from flagging up with error messages once the Chrome 70 deadline hits.

But just as browsers can lose trust in a certificate authority, they can also extend trust to new ones.

Let’s Encrypt, a provider of free HTTPS certificates, gained trust from all the major browser makers — including Apple, Google, Microsoft and Mozilla — earlier this year. To date, the non-profit has issued more than 380 million certificates.

Cloudflare’s new ‘one-click’ DNSSEC setup will make it far more difficult to spoof websites

Bad news first: the internet is broken for a while. The good news is that Cloudflare thinks it can make it slightly less broken.

With “the click of one button,” the networking giant said Tuesday, its users can now switch on DNSSEC in their dashboard. In doing so, Cloudflare hopes it removes a major pain-point in adopting the web security standard, which many haven’t set up — either because it’s so complicated and arduous, or too expensive.

It’s part of a push by the San Francisco-based networking giant to try to make the pipes of the internet more secure — even from the things you can’t see.

For years, you could open up a website and take its instant availability for granted. Yet DNS, which translates web addresses into computer-readable IP addresses, has been plagued with vulnerabilities, making it easy to hijack any step of the process to surreptitiously send users to fake or malicious sites.

Take two incidents in the past year, in which traffic to and from Amazon, and separately Google, Facebook, Apple and Microsoft, was hijacked and rerouted for between minutes and hours at a time. Terabytes of internet traffic were siphoned through Russia for reasons that are still unknown. Any non-encrypted traffic was readable, at least in theory, by the Russian government. Suspicious? It was.

That’s where a security-focused evolution of DNS, DNSSEC, is meant to help. It works like DNS, but it protects the answers end-to-end, from your computer or mobile device to the web server of the site you’re trying to visit, by cryptographically signing the records so that they are far tougher, if not impossible, to spoof.

But DNSSEC adoption is woefully low. Just three percent of websites in the Fortune 1000 sign their primary domains, largely because the domain owners can’t be bothered, but also because their DNS operators either don’t support it or charge exorbitant rates for the privilege.

Cloudflare now wants to do the hard work of setting those crucial DS records, the entries a domain’s registrar publishes in the parent zone so that resolvers can trust the domain’s DNSSEC keys, for customers on a supported registrar. Traditionally, setting a DS record has been notoriously difficult, often because the registrars themselves can be problematic.
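As an added example, written for this page and not taken from the article or from Cloudflare, here is how the DS record a registrar publishes is derived from a zone’s DNSKEY per RFC 4034 and RFC 4509: a key tag computed over the DNSKEY RDATA, plus a SHA-256 digest over the canonical owner name followed by that RDATA. The owner name, flags and tiny two-byte public key used in the demo are constructed placeholders, not a real zone’s key.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// ownerWire: canonical wire form of a name (RFC 4034 §6.2): lowercase, length-prefixed labels, zero terminator.
func ownerWire(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.Trim(strings.ToLower(name), "."), ".") {
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0)
}

// dnskeyRdata serialises a DNSKEY's RDATA: flags, protocol, algorithm, then the public
// key decoded from its base64 presentation form (line breaks and spaces are allowed).
func dnskeyRdata(flags uint16, protocol, algorithm uint8, pubkeyB64 string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(pubkeyB64), ""))
	return append([]byte{byte(flags >> 8), byte(flags), protocol, algorithm}, key...), err
}

// keyTag is the RFC 4034 Appendix B checksum over the RDATA. The DS record carries
// it so a validator can pick the matching DNSKEY; it is an identifier, not a MAC.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << (8 * uint(1-i%2)) // even-indexed bytes are the high octet
	}
	return uint16((ac + ac>>16) & 0xFFFF)
}

// dsRecord builds the presentation-form DS record the parent zone publishes for owner's
// DNSKEY, using digest type 2 (SHA-256, RFC 4509) over canonical owner name || RDATA.
func dsRecord(owner string, flags uint16, protocol, algorithm uint8, pubkeyB64 string) (string, error) {
	rdata, err := dnskeyRdata(flags, protocol, algorithm, pubkeyB64)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(append(ownerWire(owner), rdata...))
	name := strings.Trim(strings.ToLower(owner), ".")
	return fmt.Sprintf("%s. IN DS %d %d 2 %X", name, keyTag(rdata), algorithm, sum[:]), nil
}

func main() {
	// Constructed demo key, not a real zone's: flags 257 (KSK), algorithm 13 (ECDSAP256SHA256).
	ds, err := dsRecord("example.com", 257, 3, 13, "AQI=")
	fmt.Println(ds, err)
}
```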

As of launch, Gandi will be the first registrar to support one-click DNSSEC setup, with more expected to follow.

The more registrars that support the move, the fewer barriers to a safer internet, the company argues. Right now, the company says users should consider switching away from providers that don’t support DNSSEC and “let them know that was the reason for the switch.”

Just like HTTPS, which was slow to catch on over the years but finally took off in 2015, there’s hope that DNSSEC can follow the same path. The more companies that adopt the technology, the less vulnerable end users will be to DNS attacks on the internet.

And besides the hackers, who doesn’t want that?