Over 130 government websites were broken in mid-January 2019. And that was only halfway through the U.S. government shutdown. This payday for malicious hackers was caused by expired SSL/TLS certificates. It’s a sloppy practice for our overall cybersecurity environment.
When certificates expire, end users (that’s you opening a government website) are vulnerable to “man-in-the-middle” (MIM) attacks. That’s when hackers stealthily direct visitors to download harmful software. It may be disguised as an everyday file, such as a PDF of an important document. Here’s a way to visualize how such an attack works, although a real MIM attack involves personal data:
I want to send you a private email so I ask for your public key. You send it. Because our SSL certificate expired, a malevolent stalker is able to intercept my message. Of course, we don’t know it. In my email, I asked you to pick me up from the hospital. I’d be wearing two eye patches. My stalker changes the message to say my appointment was canceled. As a result, I wait with bandaged eyes for an hour as the stalker watches. Like a hacker manipulating data, he’s taken control and altered the outcome to suit his goals.
Encryption and mutual authentication rely certificates, so won’t work when certificates expire. Government staff routinely click through red icon “expired” alerts. That practices is quickly normalized. Worse, browsers often don’t warn when two or more errors exist. Some browsers just show one error message. It can be a generic warning that doesn’t pinpoint the more serious error. Attackers can use this for their MIM attack. On some browsers you can’t tell the difference between a hacker’s expired SSL certificate for a government site from the real one. Users accustomed to seeing the “expired” error message will go ahead with a connection using the attacker’s expired (and untrusted) certificate. That’s how communicating with the attacker begins.
Given the daily and sophisticated threats to our wired infrastructure, government officials should ensure SSL certificates don’t expire, shutdown or not.