By Richard Arneson
As the government shutdown enters its fourth (4th) week, which marks the longest of its kind in U.S. history, the list of ill effects left in its wake now includes IT security. Yay! Like the impasse between the Trump administration and Democrats that’s at the heart of the shutdown—the border wall—this aftershock also includes a wall. This one (1), however, comes in the form of a digitally-encrypted wall—TLS (Transport Layer Security) certificates.
TLS certificates, like SSL certificates, are used by websites to secure connections with the users accessing them. For all intents and purposes, TLS is basically the 2.0 version of SSL. Web servers that have installed TLS certificates display their web address with that all-important “S” after “HTTP”. Yes, the “S” stands for secure; it means a cryptographic key has been bound to the website, so communications between it and users are encrypted.
So, what does this have to do with the government shutdown?
It’s reported that as many as eighty (80) government websites, those with a .gov domain name, are no longer TLS-protected. Their certificates have expired, and with government IT workers furloughed, there’s nobody to renew them. So, trying to access one (1) of these unprotected websites will net you this message: “Your connection is not private.” As a result, users won’t be able to enter the site. Frustrating, yes, but at least they’ll be kept safe by being prevented from entering. However, in several browsers the warning can be bypassed, which means any sensitive information entered, such as Social Security numbers, won’t be encrypted. If more advanced and adventurous users decide to take this route, they could open themselves up to man-in-the-middle attacks, in which cyber criminals eavesdrop on conversations in the name of ill-gotten gains.
Naturally, the longer the shutdown, the more sites will be affected. In just over three (3) weeks, eighty (80) certificates have expired. And those eighty (80) sites represent only two percent (2%) of all federal .gov sites. Yikes.
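The lapse described above is something an expiry audit catches weeks ahead. The following is an added example, not part of the original article: it classifies certificates by their `notAfter` date and lists the most urgent first. The host names, dates and 30-day renewal window are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # assumed renewal window, not a figure from the article

def live_not_after(host, port=443, timeout=5.0):
    """notAfter of the certificate a server presents, or None if it has expired."""
    ctx = ssl.create_default_context()  # normal verification stays on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        if exc.verify_code == 10:  # OpenSSL X509_V_ERR_CERT_HAS_EXPIRED
            return None
        raise  # any other validation failure is a different problem

def classify(not_after, now, warn_days=WARN_DAYS):
    """Return (status, days_left) for one notAfter string."""
    if not_after is None:
        return "EXPIRED", None
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    days_left = (expires - now).days
    if expires <= now:
        return "EXPIRED", days_left
    if expires - now <= timedelta(days=warn_days):
        return "RENEW", days_left
    return "OK", days_left

def audit(inventory, now, warn_days=WARN_DAYS):
    """Classify every host and sort so expired certificates come first."""
    rows = [(host, *classify(na, now, warn_days)) for host, na in inventory.items()]
    order = {"EXPIRED": 0, "RENEW": 1, "OK": 2}
    return sorted(rows, key=lambda r: (order[r[1]], r[2] if r[2] is not None else -10**6))

# Constructed inventory (hypothetical hosts and dates), shaped like live_not_after() output.
SAMPLE = {
    "portal.example.test": "Jan  5 12:00:00 2019 GMT",
    "forms.example.test": "Feb  1 00:00:00 2019 GMT",
    "www.example.test": "Nov 20 23:59:59 2019 GMT",
    "legacy.example.test": None,  # handshake already failed with "certificate has expired"
}
SAMPLE_NOW = datetime(2019, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, status, days in audit(SAMPLE, SAMPLE_NOW):
        print(f"{status:8} {host:24} days_left={days}")
```

Run on a schedule against an inventory of hosts, the `RENEW` rows are the ones to act on before users ever see a browser warning.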
To find out how to secure your organization’s network and mission-critical data, contact GDT’s tenured and talented engineers and security analysts at SOC@GDT.com. From their Security and Network Operations Centers, they manage, monitor and protect the networks of companies of all sizes, including those for some of the most notable enterprises, service providers, healthcare organizations and government agencies in the world. They’d love to hear from you.