Dozens more U.S. government websites have become inaccessible since last week, when Netcraft highlighted the impact of security certificates expiring during the federal shutdown.
As of today, more than 130 TLS certificates used by U.S. government websites have expired without being renewed. Some of these sites are now completely inaccessible in modern browsers due to their strict transport security policies.
The latest sites to be affected include some particularly prominent examples.
Take https://manufacturing.gov, for instance. While Trump is keen to highlight the performance of U.S. manufacturing during his administration, the shutdown has meant that nobody was available to renew the site’s TLS certificate when it expired on 14 January 2019. Consequently, https://manufacturing.gov is dead in the water, along with https://manufacturingusa.com which shares the same certificate.
Furthermore, as https://manufacturing.gov appears in Chromium’s HSTS preload list, visitors are unable to bypass the browser’s security warnings, rendering the site unreachable.
A White House subdomain at https://pages.mail.whitehouse.gov has also become unreachable. The certificate used by this site expired on 15 January 2019 and has not been renewed. This site is also covered by an effective preloaded HSTS policy.
Other notable websites to have been affected by expired certificates over the past five days include two FAA (Federal Aviation Authority) websites, a National Archives customer portal, the FFIEC (Federal Financial Institutions Examination Council) Anti-Money Laundering Infobase, several Department of Agriculture sites, and several governmental remote access services.
When the federal government restarts, the White House will need to renew its certificate for pages.mail.whitehouse.gov. The list price for a replacement DigiCert organisation validated certificate — similar to the expired one — could be up to $399 per year, or about 70 Big Macs.