Some visitors to the White House website have reported seeing messages that carry some scary warnings. A message from Google Chrome warns: “Attackers might be trying to steal your information from messages.whitehouse.gov, for example passwords, messages or credit cards.”
Post staffers ran into similar messages on Microsoft's Edge browser, Apple's Safari and Mozilla's Firefox browser. Some Twitter users experienced the same thing:
— Brad Hoshaw (@bradhoshawmusic) January 22, 2017
Seeing that sort of language on your screen doesn’t exactly inspire confidence, to say the least. But, according to cybersecurity professionals, the messages don't seem to be prompted by an attack. In fact, the messages aren't obviously linked to anything nefarious at all; they're likely due to a simple maintenance oversight.
The White House didn’t respond to a request for comment.
Experts told the Post that the messages are appearing because the site's security certificate — or, very simply put, the thing that verifies that a site is what it says it is — isn’t valid.
It appears the White House’s equipment isn’t configured correctly, and the old certificate was revoked or allowed to expire without getting replaced, said Kenneth White of the Open Crypto Audit project, a nonprofit dedicated to improving cybersecurity. There are perhaps hundreds of pieces of equipment and servers that need to be just right to keep the White House site up and running correctly, so it’s easy to miss something, he said.
“I want to dissuade any notion of this being cloak and dagger, or there being any sort of malicious intent,” White said. “This is almost certainly an innocent mistake.”
So that's the good news: there’s no indication there was a malicious attack. Nor does it appear to be tied to the recent transition of power at 1600 Pennsylvania Ave. According to White, records indicate the certificate was revoked by the company that issues certificates in May of 2016 — in other words, long before the Trump administration occupied its current offices. (A similar message appeared in 2015 on the same day the Obama administration held a cybersecurity summit.)
White suspects that people are seeing the messages more frequently now due to recent browser updates. Some browsers, including Chrome, have increased their own security measures regarding security certificates. That may explain why not everyone sees the same message, or why people only see it in certain browsers.
The bad news is that this means at least parts of the White House’s website, such as messages.whitehouse.gov, aren't secure at the moment. A valid certificate is a guarantee of trust. Without that, visitors to the site lose their warning that something could actually be wrong. “With an invalid certificate, anyone can monitor your traffic, see what you’re reading even if you’re not logging in and see which pages [you're] spending time on,” said George Avetisov, chief executive of the cybersecurity firm HYPR Corp. He also said that if the most visible parts of the White House's site aren't being properly monitored, it raises questions about some of the more technical parts as well. In the meantime, he has a piece of advice for everyone. “Don’t go to whitehouse.gov until they fix that certificate,” Avetisov said.
But Rob Graham, a cybersecurity expert and consultant at Errata Security, said that, in this specific case, visitors to the White House site aren't in danger and avoiding the site altogether would be a little extreme. "While this may be true in a general sense, I would dispute that in this case," he said. "Being invalid is not automatically the problem." He did, however, say it would be bad for people to get into the habit of ignoring the message, in case there were more serious problems with the site in the future.
Avetisov said that he hopes that an expected cybersecurity executive order from President Trump, which is likely to include provisions to encourage the government to adopt industry-standard security measures, will prevent mistakes like this.
“The root problem in the government is that they have a lot of legacy systems — there are places in the government that still run Windows XP, even though it’s not supported anymore,” he said. “And there is no unified approach to cybersecurity; each agency has their own home brew system.”
This post has been updated with comments from Robert Graham.