Following a partial U.S. government shutdown caused by a deadlock between the Democratic Party and Donald Trump over the Mexican border wall, dozens of government websites can no longer be accessed, or are flagged by browsers as insecure, because their TLS certificates have not been renewed.

The websites of the U.S. Department of Justice, NASA, and the Court of Appeals are among those hit by the government's failure to renew around 80 TLS certificates used on .gov domains.

.gov websites with expired certificates on the HSTS preload list now inaccessible

One of the websites affected by this mishap is the Department of Justice's https://ows2.usdoj.gov/, which displays an error page warning visitors that the connection is not private or not secure, depending on the browser used.

To make things worse, because ows2.usdoj.gov is also on Chromium's HTTP Strict Transport Security (HSTS) preload list, the website cannot be reached at all: both Google Chrome and Mozilla Firefox hide the button that would normally let users ignore the certificate warning and open the site anyway.

Expired ows2.usdoj.gov TLS certificate

Furthermore, since most other web browsers ship their own HSTS preload lists derived from the Chromium one, there is nothing users can do to load the .gov websites broken by expired TLS certificates until the certificates are replaced.

Government sites that are not on the HSTS preload list (and for which the browser has not already cached an HSTS policy from an earlier visit) will still open after users click the 'Advanced' button at the bottom of the warning and choose to proceed, but there are risks involved in doing that.
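The two mechanics the preceding paragraphs describe, an expired leaf certificate and an HSTS policy that removes the browser's click-through, can both be checked from a script. The following is an added example written for this article, not code from BleepingComputer, Netcraft or any of the quoted companies. It uses only the Python standard library; the certificate dicts mirror the shape that ssl.SSLSocket.getpeercert() returns, but their dates are constructed for the example (the ows2.usdoj.gov hostname is taken from the article, the expiry dates are not), and the fixed "now" of 2019-01-11 is an assumption so the results are reproducible offline.

```python
import socket
import ssl
from datetime import datetime, timezone

# Chromium's minimum max-age for a domain to be accepted into the HSTS
# preload list: one year, in seconds.
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
# Dates are invented for the example; only the first hostname comes from
# the article.
EXPIRED_CERT = {
    "subject": ((("commonName", "ows2.usdoj.gov"),),),
    "notBefore": "Jan 05 00:00:00 2017 GMT",
    "notAfter": "Jan 05 23:59:59 2019 GMT",
}
VALID_CERT = {
    "subject": ((("commonName", "example.gov"),),),
    "notBefore": "Mar 01 00:00:00 2018 GMT",
    "notAfter": "Mar 01 12:00:00 2019 GMT",
}
# Assumed clock so the example is deterministic (roughly the article's date).
NOW = datetime(2019, 1, 11, 12, 0, 0, tzinfo=timezone.utc)


def cert_validity(cert, now=NOW):
    """Return (days_until_expiry, is_currently_valid) for a getpeercert() dict.

    Days are rounded down: a certificate expiring later today gives 0 and an
    already-expired one gives a negative number.
    """
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days = int((not_after - now).total_seconds() // 86400)
    return days, not_before <= now <= not_after


def parse_hsts(header):
    """Split a Strict-Transport-Security header value into lower-cased directives."""
    directives = {}
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_eligible(header):
    """Chromium's preload submission rules: max-age of at least one year plus
    the includeSubDomains and preload directives."""
    d = parse_hsts(header)
    try:
        max_age = int(d.get("max-age", "-1"))
    except ValueError:
        return False
    return (max_age >= PRELOAD_MIN_MAX_AGE
            and "includesubdomains" in d
            and "preload" in d)


def browser_outcome(cert, hsts_enforced, now=NOW):
    """What Chrome or Firefox shows for this certificate.

    hsts_enforced is True when the host is preloaded or the browser already
    holds an HSTS policy for it from an earlier visit; RFC 6797 section 12.1
    then requires the error page to offer no way to proceed.
    """
    _, valid = cert_validity(cert, now)
    if valid:
        return "loads"
    if hsts_enforced:
        return "blocked"   # interstitial without a proceed button
    return "warning"       # interstitial with Advanced -> proceed


def live_check(host, port=443, timeout=5):
    """Network check (not exercised offline): connect with full verification
    and report either days remaining or the verification failure reason,
    e.g. 'certificate has expired'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                days, _ = cert_validity(tls.getpeercert(),
                                        datetime.now(timezone.utc))
                return True, "%d days remaining" % days
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message


if __name__ == "__main__":
    for cert in (EXPIRED_CERT, VALID_CERT):
        name = cert["subject"][0][0][1]
        print(name, cert_validity(cert), browser_outcome(cert, True))
    print(preload_eligible("max-age=31536000; includeSubDomains; preload"))
```

Running the offline part against the constructed data reports the usdoj sample as expired by several days and "blocked" when HSTS is enforced, while the same certificate on a non-HSTS host only yields the click-through "warning"; live_check can be pointed at a real host to get the same classification, with the expiry reason coming from the verifier rather than from a manually parsed certificate.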

Yonathan Klijnsma, RiskIQ's Head Researcher, told BleepingComputer in an e-mail interview, when asked whether the government websites with expired certificates could be classified as insecure:

The websites in themselves, because of the shutdown, probably not per se, just because we know that it's happening. The problem is that if something as simple as a certificate renewal becomes an issue during the shutdown, what if something bigger happens? A vulnerability comes out and there's no staff on hand to do anything about it; this is what I fear more than expired TLS certificates right now.

Terry Bishop, Director of EMEA Tech at RiskIQ, takes a stricter view:

I would classify those sites as being insecure. The system of certificates and certificate authorities has been built to ensure that visitors to websites can trust that those sites will encrypt their communications. If the certificates are not maintained correctly, then you cannot be sure your data is safe, and therefore the sites should be considered insecure.

Expired certificates increase the risk of fraud and identity theft

According to GlobalSign, people who still choose to use websites with expired TLS certificates are exposed to:

Personal information at risk from man-in-the-middle attacks
Individuals susceptible to fraud and identity theft

"Until US Congress resumes services it is inevitable that we will see expired certificates and this example just goes to show how vulnerable organizations who are susceptible to shutdown can be," said GlobalSign's Managing Director, Paul Tourret.

"As more and more certificates used by government websites inevitably expire over the following days, weeks, or maybe even months, there could be some realistic opportunities to undermine the security of all U.S. citizens," according to Netcraft's Paul Mutton, who discovered the expired .gov TLS certificates and the issues they are causing.

Update: Removed the "insecure" term from the title to avoid confusion.

Update 2: Added quotes from Yonathan Klijnsma and Terry Bishop.