Government shutdown and expired certificates: How to prevent similar outages
Many experts are questioning the security implications of the U.S. federal government shutdown. After all, limited staffing means limited monitoring and limited offensive maneuvering. Case in point: News broke recently that more than 80 TLS certificates used by .gov websites have expired amidst the ongoing shutdown of the U.S. federal government. Certificate expirations are symptomatic of weaknesses in machine identity protection.
According to Netcraft, web browsers are warning visitors to dozens of government websites that their connections are no longer secure. Most of these alert messages are the result of expired TLS certificates. Google Chrome said as much to a visitor of a U.S. Court of Appeals website that provides links to a document filing system and PACER (Public Access to Court Electronic Records), as seen in the screenshot below. Chrome listed the connection as insecure because the website’s DigiCert certificate expired on Jan. 5 and has yet to be renewed.
[Screenshot: Chrome’s certificate warning for the U.S. Court of Appeals website. Source: Netcraft]
Clearly, the visitor can still access the U.S. Court of Appeals website. Users should think twice before ignoring their web browsers’ warnings, however. If they do, they could expose themselves to man-in-the-middle (MitM) attacks.
It’s a different story with other government websites that have recently suffered a certificate outage. Just look at what Chrome showed to a visitor of https://ows2.usdoj.gov, a U.S. Department of Justice website whose digital certificate expired on Dec. 17, 2018:
[Screenshot: Chrome’s warning for https://ows2.usdoj.gov. Source: Netcraft]
What’s causing this difference of display as compared to the U.S. Court of Appeals website? Netcraft provides the answer in a blog post:
In a twist of fate, the usdoj.gov domain — and all of its subdomains — are included in Chromium's HSTS preload list. This is a prudent security measure which forces modern browsers to only use secure, encrypted protocols when accessing the U.S. DoJ websites; however, it will also prevent users from visiting the HTTPS sites when an expired certificate is encountered. In these cases, modern browsers like Google Chrome and Mozilla Firefox deliberately hide the advanced option that would let the user bypass the warning and continue through to the site.
As a result, users can’t enter the site and leverage it to access crucial information related to the Justice Department.
The exact cause of these outages isn’t known. Even so, many in the information security community reason that the ongoing federal shutdown has something to do with them.
Regardless of their cause, outages remain a serious challenge for any organization, let alone a government body.
As Martin Thorpe, Enterprise Architect for Venafi, notes: “The reality is that many organizations struggle to prevent website outages at the best of times, overlooking the importance of certificates. These certificates provide every machine, whether it’s a website, application or device, with an identity. Without them, machines can’t trust each other when they communicate. Regardless of how reputable the DoJ and other government departments may be, the expiry of their online identity means that every major browser just can’t trust them.”
The heart of this shutdown is a conflict between President Donald Trump and Democrats on funding for border security. As reported by The Washington Post, the former wants $5.7 billion to build more than 200 miles of a new wall along the U.S.-Mexican border, while the latter is refusing to give the President more than $1.3 billion to fund existing border security measures.
There’s no sign of either side relenting on their position. Reflecting his refusal to compromise with Democrats, President Trump said that the shutdown could last “months, even years.” This spells trouble for the 800,000 federal employees either furloughed or left to work without pay as a result of the shutdown.
“Any organization can prevent website outages by managing their certificates properly,” notes Thorpe. “But as with so many other aspects of the government shutdown, these concerns have been swept under the rug.”
The federal shutdown is an extenuating circumstance. However, it’s not uncommon for websites to go down as a result of expired certificates. This issue is widespread. According to a study, 79 percent of organizations suffered at least one outage in 2016.
Here’s what federal agencies can learn from the industry at large. To eliminate the risk of outages, organizations need a comprehensive platform that can automatically monitor their certificates for weaknesses and upcoming expiration. To automatically replace certificates that are about to expire, organizations need to be able to discover, track and continuously monitor all their certificates in real time across.
To avoid an application shutdown in your organization, here are five steps you should consider taking:
- Discover all certificates. Choose a discovery tool that lets you look across your entire extended network—including cloud and virtual instances, and CA implementations. This will help you locate every certificate that can impact the reliability and availability of your organization’s critical infrastructure.
- Create a complete inventory. Catalog your entire inventory of certificates and store it in a centralized repository where you can track and manage the status of all certificates. This makes it easy to rotate your certificates before they expire.
- Verify security compliance. Investigate certificate properties to ensure that certificates have proper owners, attributes and configurations so all certificates fall into line with your organization’s regular cadence of renewals.
- Continuously monitor certificates. Conduct non-stop surveillance of all certificates so that you’ll know immediately when something isn’t right. This is the most efficient way to keep tabs on renewal requirements, as well as misuse.
- Automate renewals. Eliminate the risk of human error by automating certificate renewals, allowing you to install, configure and validate certificates in seconds. You’ll not only improve availability, but you’ll also be able to do it in a fraction of the staff hours previously required (or if you’re caught in the middle of a shutdown).
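The monitoring and compliance steps above can be sketched as a small audit over a certificate inventory. This is an added example, not Venafi's tooling: the host names, owners, dates and the 30-day renewal window are constructed assumptions, and the audit runs on the embedded inventory without touching the network.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=30)  # assumed policy threshold, not from the article

def probe(host, port=443, timeout=5.0):
    """Discovery: return (notAfter, None) for the certificate a live host serves,
    or (None, reason) when verification fails. An already-expired certificate
    fails the handshake, so it surfaces here as a reason, not as a date."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"], None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message

def not_after_utc(not_after):
    """Parse the 'Jan  5 12:00:00 2019 GMT' form used by ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)

def audit(inventory, now):
    """Monitoring and compliance: (status, host, days_left) rows, worst first."""
    rank = {"EXPIRED": 0, "RENEW": 1, "NO_OWNER": 2, "OK": 3}
    rows = []
    for cert in inventory:
        left = not_after_utc(cert["not_after"]) - now
        if left <= timedelta(0):
            status = "EXPIRED"      # outage is already happening
        elif left <= RENEW_WINDOW:
            status = "RENEW"        # inside the renewal window
        elif not cert.get("owner"):
            status = "NO_OWNER"     # nobody will be told when it needs renewing
        else:
            status = "OK"
        rows.append((status, cert["host"], left.days))
    return sorted(rows, key=lambda r: (rank[r[0]], r[1]))

# Constructed inventory; every host, owner and date is made up for the example.
INVENTORY = [
    {"host": "filing.agency.example", "owner": "web-team", "not_after": "Jan  5 12:00:00 2019 GMT"},
    {"host": "portal.agency.example", "owner": "", "not_after": "Jun 30 12:00:00 2019 GMT"},
    {"host": "api.agency.example", "owner": "platform", "not_after": "Feb  1 12:00:00 2019 GMT"},
    {"host": "docs.agency.example", "owner": "web-team", "not_after": "Dec  1 12:00:00 2019 GMT"},
]
NOW = datetime(2019, 1, 11, tzinfo=timezone.utc)  # fixed clock for reproducible output

if __name__ == "__main__":
    for status, host, days_left in audit(INVENTORY, NOW):
        print(f"{status:8} {host:24} {days_left:>4} days")
```

In a scheduled job, `probe()` would feed `not_after` values into the inventory and `NOW` would be the current UTC time.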
Ultimately, when one certificate slips through the cracks, it indicates a lack of control. Given the sensitive nature of keys and certificates, it’s critical that organizations treat them wisely and with respect. With the proper solution, you won’t be caught off guard in the event of an extenuating circumstance, such as a government shutdown.
About the Author:
Scott Carter is Senior Manager – U.S. for Venafi, the cyber security market leader in machine identity protection, securing machine-to-machine connections and communications.