Shutdown: Dot-gov websites vulnerable to cyberattacks, certificates expiring amid funding pause

mostlysignssomeportents:

“With around 400,000 federal employees currently
furloughed, more than 80 TLS certificates used by .gov websites have so
far expired without being renewed.”

Federal workers went without their paychecks Friday, as Trump’s
shutdown of the U.S. government continues for 21 days and counting. With
no end in sight, concerns are rising that dozens of U.S. government
websites have become insecure or completely unreachable, as their
transport layer security (TLS) certificates expire.

A Thursday report from Netcraft estimates that the .gov websites are using 80 or more expired TLS certificates.

Sites like NASA, the U.S. Department of Justice, and the Court of Appeals are affected.

Funding to renew the certificates is on hold while the shutdown continues.

Any of the government websites with an expired cert becomes newly
vulnerable to any number of internet-based assaults, including man-in
the-middle (MITM) attacks that enable third-party bad guys to intercept
what passes between an internet user and a web application on the
affected site. Bad guys can eavesdrop on traffic,  assume the identity
of the government website, and siphon off data input by the user.

What kind of data? Maybe your name, your social security or tax ID
number, a whole lot of people are going to be poking around on IRS dot
gov this month. This could get bad.

https://boingboing.net/2019/01/11/shutdown-dot-gov-websites-vul.html