More Than 80 TLS Certificates Used by .Gov Websites Have Expired amidst Ongoing U.S. Government Shutdown

January 11, 2019 | David Bisson

More than 80 TLS certificates used by .gov websites have expired amidst the ongoing shutdown of the U.S. federal government.

According to Netcraft, web browsers are warning visitors to dozens of government websites that their connections are no longer secure. Most of these alert messages are the result of expired TLS certificates. Google Chrome said as much to a visitor of a U.S. Court of Appeals website that provides links to a document filing system and PACER (Public Access to Court Electronic Records), as seen in the screenshot below. Chrome listed the connection as insecure because the website’s DigiCert certificate expired on 5 January 2019 and has yet to be renewed.

Source: Netcraft

Clearly, the visitor can still access the U.S. Court of Appeals website. Users should think twice before ignoring their web browsers’ warnings, however. If they do, they could expose themselves to man-in-the-middle (MitM) attacks.

“The US shutdown has now left a mark on the digital world. Several government websites, such as the DoD, now greet users with a "CERT_DATE_INVALID" warning in place of the website itself. At best, this isn’t a good look for the government departments concerned,” cautions Martin Thorpe, Enterprise Architect for Venafi. “At worst, the thousands of Americans who rely on these websites are left cut off from the services they need.”

It’s a different story with other government websites that have recently suffered a certificate outage. Just look at what Chrome showed to a visitor of a U.S. Department of Justice website whose digital certificate expired on 17 December 2018:

Source: Netcraft

What’s causing this difference of display as compared to the U.S. Court of Appeals website? Netcraft provides the answer in a blog post:

In a twist of fate, the domain — and all of its subdomains — are included in Chromium's HSTS preload list. This is a prudent security measure which forces modern browsers to only use secure, encrypted protocols when accessing the U.S. DoJ websites; however, it will also prevent users from visiting the HTTPS sites when an expired certificate is encountered. In these cases, modern browsers like Google Chrome and Mozilla Firefox deliberately hide the advanced option that would let the user bypass the warning and continue through to the site.

As a result, users can’t enter the site and leverage it to access crucial information related to the Justice Department.

The exact cause of these outages isn’t known. Even so, many in the information security community reason that the ongoing federal shutdown has something to do with them.

Regardless of their cause, outages remain a serious challenge for any organization, let alone a government body. Venafi’s Martin Thorpe notes, “The reality is that many organizations struggle to prevent website outages at the best of times, overlooking the importance of certificates. These certificates provide every machine, whether it’s a website, application or device, with an identity. Without them, machines can’t trust each other when they communicate. Regardless of how reputable the DoJ and other government departments may be, the expiry of their online identity means that every major browser just can’t trust them.”

The heart of this shutdown is a conflict between President Donald Trump and Democrats on funding for border security. As reported by The Washington Post, the former wants $5.7 billion to build more than 200 miles of a new wall along the U.S.-Mexican border, while the latter is refusing to give the President more than $1.3 billion to fund existing border security measures.

There’s no sign of either side relenting on their position. Reflecting his refusal to compromise with Democrats, President Trump said that the shutdown could last “months, even years.” This spells trouble for the 800,000 federal employees either furloughed or left to work without pay as a result of the shutdown.

The federal shutdown is an extenuating circumstance, to be sure. But it’s not uncommon for a website (or cellular service in 11 countries) to go down as a result of an expired certificate. That’s why organizations need a comprehensive platform that can automatically monitor their certificates for weaknesses and upcoming expiration.
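The two mechanisms the post describes, expiry that browsers flag and HSTS preloading that removes the "proceed anyway" bypass, can be combined into a simple monitoring check. The code below is an added example, not Venafi's or Netcraft's code; the sample certificate dict, the `PRELOADED_DOMAINS` set and the `example.gov` host are constructed stand-ins (the real preload list lives in the Chromium source).

```python
"""Triage a TLS certificate: days to expiry, plus whether HSTS preloading
turns an expired certificate into a hard outage with no browser bypass."""
import socket
import ssl
import time

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "example.gov"),),),
    "notBefore": "Jan  5 12:00:00 2018 GMT",
    "notAfter": "Jan  5 12:00:00 2019 GMT",
}

# Hypothetical stand-in for the browser HSTS preload list (constructed).
PRELOADED_DOMAINS = {"example.gov"}


def is_preloaded(host, preload=PRELOADED_DOMAINS):
    """True if host or any parent domain is preloaded; preload entries with
    includeSubDomains cover every subdomain, as in the DoJ case above."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in preload for i in range(len(labels) - 1))


def days_until_expiry(cert, now=None):
    """Signed number of days between now and notAfter (negative = expired)."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def triage(host, cert, now=None, warn_days=30):
    """Classify the certificate and flag hosts that users cannot click through."""
    days = days_until_expiry(cert, now)
    if days < 0:
        status = "EXPIRED"
    elif days <= warn_days:
        status = "EXPIRING"
    else:
        status = "OK"
    # On a preloaded domain an expired cert blocks the site outright.
    hard_fail = status == "EXPIRED" and is_preloaded(host)
    return {"host": host, "status": status, "days": round(days, 1),
            "hard_fail": hard_fail}


def fetch_cert(host, port=443, timeout=5):
    """Fetch the live leaf certificate. With default verification an already
    expired cert raises ssl.SSLCertVerificationError, which a monitor should
    report as an outage rather than swallow."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Running `triage("www.example.gov", SAMPLE_CERT)` with the sample data reports the certificate as expired and the host as hard-failing because its parent domain is preloaded.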

“Any organization can prevent website outages by managing their certificates properly,” notes Thorpe, “but as with so many other aspects of the government shutdown, these concerns have been swept under the rug.”

About the author

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.