As the government shutdown drags on, a rising number of federal websites are falling into disrepair — making it harder for Americans to access online services and needlessly undermining their faith in the Internet’s security, experts warn.
In the past week, the number of outdated Web security certificates held by U.S. government agencies has exploded from about 80 to more than 130, according to Netcraft, an Internet security firm based in Britain.
Various online pages run by the White House, the Federal Aviation Administration, the National Archives and the Department of Agriculture appear to be affected by the latest round of expirations, Netcraft said.
The report follows revelations last week that Web pages run by NASA, the Justice Department and others have been affected by a lapse in security certification. The actual number of websites affected could be much higher than 130, said Paul Mutton, a Netcraft security consultant, as some certificates may have covered multiple pages under the same agency.
The expired certificates mean that most modern Web browsers, such as Google Chrome or Mozilla Firefox, will refuse to display the pages on request — instead showing a warning message that suggests the sites may have been compromised by hackers.
In reality, nothing has happened. But security practitioners say that in another sense, that is precisely the problem.
Just as in the private sector, staffers at government agencies are responsible for periodically renewing their sites’s Web certificates, which help to guarantee a secure connection between an Internet user and a site’s server. The encryption technology behind the certificates is what allows consumers to confidently transmit their credit card information, Social Security numbers and other sensitive data across the Web without fear of the data being intercepted and read by thieves and other criminals.
The certificates are designed to expire — some as frequently as every three months — to prevent a malicious actor from obtaining them and then impersonating a legitimate site. But it is rare for an expiration to last very long. In 2015, Instagram’s security certificate expired and was renewed barely an hour later “after the whole world noticed,” Mutton said. By contrast, he said, the certificate for https://www.disasterhousing.gov, a Web page maintained by the Department of Housing and Urban Development, has been expired since Dec. 28.
Some federal agencies appear to have implemented automatic renewals so that when a certificate expires, there is no interruption, said Matthew Prince, chief executive of the Internet security firm Cloudflare. But what is becoming apparent is that for a growing number of sites, there appear to be no personnel at work to handle manual renewals.
Prince said he has personally approached the Justice Department and NASA to sign them up for Cloudflare, whose services include automatic certificate renewals. But the shutdown has prevented federal officials from accepting the offer, even when it comes to Cloudflare’s free tier of security services.
“They’ve said ‘Thanks for the offer to help, but we don’t actually have anyone who is able to sign a new contract,’" Prince said. “Even agreeing to the terms of service is a contract. So they can’t even sign up for the free version of the service that would solve this problem.”
Security experts say the issue could have unintended consequences for Internet users of all skill levels.
Those lacking much experience with the Web could be confronted by the browser warnings and conclude — mistakenly — that the federal sites truly have been compromised, said Chris Vickery, director of cyber-risk research at the security firm UpGuard.
“It’s likely to be a very big, misunderstood situation,” Vickery said. “My grandmother, she communicates with friends and gets recipes online. If she went to a government website and saw a warning saying ‘This certificate is no good, it could be a bad guy’ — she would freeze up.”
At the same time, savvier Web users may try to circumvent the messages in the knowledge that the government sites are still safe. But, Vickery said, that could lead some consumers to take such warnings less seriously on the whole, undermining the efforts of Internet companies to enhance the safety of everyone on the Internet.
Website encryption has become a standard industry practice, with more than half of all sites now offering it to Web users, according to Prince. Analysts say much of the credit goes to Google, which was among the first to begin displaying browser warnings when Chrome users visited a site without a valid security certificate.
Google has also moved to rank sites without a valid certificate lower in its search results, Prince said, a decision aimed at inoculating the Web against less-secure websites by making them harder to find.
But that decision could now work against Americans when they search Google for federal sites that bear expired Web certificates.
“If the certificates aren’t valid, then the search engines won’t trust the content anymore,” Prince said.
Google said that while it does consider a site’s security certification as a factor in its ranking algorithm, it does not weigh very heavily and only after a long period of time would a site that lost its certificate receive noticeably different treatment by the search engine. In general, it said, users looking for a specific site, such as a government page, shouldn’t expect to see major changes in ranking simply due to the loss of a security certificate.
Correction: An earlier version of this story referenced reports that said the federal judiciary had been affected by a lapse in website security certification. The federal judiciary said that, in fact, none its websites have been affected.