Unnoticed, but important, things the federal government does

Do you care about the privacy of your personal data held by the federal government or do you want to engage in a secure transaction with a federal agency? Increasingly, that’s simply not going to be possible.

So many anecdotes of people who didn’t realize the government would (a) shut down, and (b) stay shut. I have a friend who couldn’t renew the documents that allow him to work in the US. He’s now hovering back home in Australia while his husband remains here. And how about those school lunches everybody? Do you have any concept of the number of children whose daily free lunch at school is their only meal? This is wrong.

These are all the federal HTTPS websites that’ll expire soon because of the US government shutdown

We like to think of ourselves as nerds here at TechCrunch, which is why we’re bringing you this.

During the government shutdown, security experts noticed several federal websites were throwing back browser errors because the TLS certificate, which lights up your browser with “HTTPS” or flashes a padlock, had expired on many domains. And because so many federal workers have been sent home on unpaid leave — or worse, working without pay but trying to fill in for most of their furloughed department — expired certificates aren’t getting renewed. Renewing certificates doesn’t take much time or effort — sometimes just a click of a mouse. But some do cost money, and during a government shutdown, there isn’t any.

Depending on the security level, most websites will kick back browser errors. Some won’t let you in at all until the expired certificate is renewed.

We got thinking: How many of the major departments and agencies are at risk? We looked at the list of government domains (not including subdomains) from 18F, the government’s digital services unit, which updated the list just before the shutdown. Then we filtered out all the state domains, leaving just the domains of all federal agencies and the executive branch. We put all of those domains through a bash script that pulls information from the TLS certificate of each domain and returns its expiry value. Running that for a few hours in another bash script, we returned with a few thousand results.

In other words, we poked every certificate to see if it had expired — and, if not, when it would stop working.
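The kind of check described above, as an added example (not the script TechCrunch ran). The function names and the 30-day window are assumptions made here for illustration, and it assumes `openssl`, coreutils `timeout` and GNU `date` are installed.

```shell
#!/bin/sh
# Added example: needs openssl, coreutils timeout and GNU date (date -d).

# Print the notAfter field of the certificate served on host:443.
# s_client does not abort on verification errors by default, so an
# already-expired certificate is still returned and can be dated.
cert_not_after() {
    timeout 10 openssl s_client -connect "$1:443" -servername "$1" \
        </dev/null 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null |
        cut -d= -f2
}

# Classify a notAfter string against a reference time.
# Echoes expired, expiring (inside the window), ok, or unknown.
classify_expiry() {
    local not_after="$1" ref="${2:-now}" window_days="${3:-30}"
    local end ref_s
    # An empty string would parse as "today" in GNU date, so reject it.
    [ -n "$not_after" ] || { echo unknown; return 0; }
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || { echo unknown; return 0; }
    ref_s=$(date -u -d "$ref" +%s 2>/dev/null) || { echo unknown; return 0; }
    if [ "$end" -le "$ref_s" ]; then
        echo expired
    elif [ "$end" -le $((ref_s + window_days * 86400)) ]; then
        echo expiring
    else
        echo ok
    fi
}

# Read one domain per line on stdin; print domain, status, notAfter.
scan_domains() {
    local ref="${1:-now}" host not_after
    while read -r host; do
        [ -n "$host" ] || continue
        not_after=$(cert_not_after "$host")
        printf '%s\t%s\t%s\n' "$host" \
            "$(classify_expiry "$not_after" "$ref")" "${not_after:-no certificate}"
    done
}

# Usage: ./check-expiry.sh domains.txt   (file name is a placeholder)
if [ $# -gt 0 ]; then
    scan_domains < "$1"
fi
```

A domain that returns no certificate at all is reported as `unknown` rather than `expired`, which keeps dead or non-HTTPS hosts out of the expiry counts.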

Why does it matter? Above all else, it’s an inconvenience. Depending on how long this shutdown lasts, it won’t take long before some of the big federal sites might start throwing errors and locking users out. That could also affect third-party sites and apps that rely on those federal sites for data, such as through a developer API.

Security, however, is less of a factor, despite claims to the contrary. Eric Mill, a security expert who recently left 18F, the government’s digital agency, said that fears over expired certificates have been overblown.

“The security risk to users is actually very low, since trusting a recently expired cert doesn’t in and of itself allow traffic to be intercepted,” he said in a recent tweet. Mill also noted that there’s little automation across the agencies, leading to certificates expiring and eventual downtime — especially when sites and departments are understaffed, especially given that each federal agency and department is responsible for their own website.

There’s a silver lining. Any website that’s hosted on cloud.gov, search.gov or federalist.18f.gov won’t go down as they rely on Let’s Encrypt certificates that automatically renew every three months.

We’ve compiled the following list of domains that have and will expire during the period of the shutdown, from December 22 onwards — while removing dead links and defunct domains that no longer load. Some domains redirect to other domains that might have a certificate that expires next year, but the first domain will still fail on its expiry date.

Remember, if you see a domain that’s working past its expiry, check the certificate and it’s likely been renewed. If you see any errors, feel free to drop me an email.

In all, we’ve counted five expired federal domains already, 13 domains will expire by the end of the month and another 58 domains will expire by the end of February.

Expired:

Expiring in January:

Federal domains that will expire by mid-February

Federal domains that will expire by the end of February

All information was accurate as of January 17. Edited at 3:30pm ET by deleting citizenscience.gov and everykidinapark.gov as these are known to be domains with auto-renewing certificates.
