We like to think of ourselves as nerds here at TechCrunch, which is why we’re bringing you this.
During the government shutdown, security experts noticed several federal websites were throwing back browser errors because the TLS certificate, which lights up your browser with “HTTPS” or flashes a padlock, had expired on many domains. And because so many federal workers have been sent home on unpaid leave — or worse, working without pay but trying to fill in for most of their furloughed department — expired certificates aren’t getting renewed. Renewing certificates doesn’t take much time or effort — sometimes just a click of a mouse. But some do cost money, and during a government shutdown, there isn’t any.
Depending on the security level, most websites will kick back browser errors. Some won’t let you in at all until the expired certificate is renewed.
We got thinking: How many of the major departments and agencies are at risk? We looked at the list of government domains (not including subdomains) from 18F, the government’s digital services unit, which updated the list just before the shutdown. Then we filtered out all the state domains, leaving just the domains of all federal agencies and the executive branch. We put all of those domains through a bash script that pulls information from the TLS certificate of each domain and returns its expiry value. Running that for a few hours in another bash script, we returned with a few thousand results.
In other words, we poked every certificate to see if it had expired — and, if not, when it would stop working.
Why does it matter? Above all else, it’s an inconvenience. Depending on how long this shutdown lasts, it won’t take long before some of the big federal sites might start throwing errors and locking users out. That could also affect third-party sites and apps that rely on those federal sites for data, such as through a developer API.
Security, however, is less of a factor, despite claims to the contrary. Eric Mill, a security expert who recently left 18F, the government’s digital agency, said that fears over expired certificates have been overblown.
“The security risk to users is actually very low, since trusting a recently expired cert doesn’t in and of itself allow traffic to be intercepted,” he said in a recent tweet. Mill also noted that there’s little automation across the agencies, leading to certificates expiring and eventual downtime — especially when sites and departments are understaffed, especially given that each federal agency and department is responsible for their own website.
There’s a silver lining. Any website that’s hosted on cloud.gov, search.gov or federalist.18f.gov won’t go down as they rely on Let’s Encrypt certificates that automatically renew every three months.
We’ve compiled the following list of domains that have and will expire during the period of the shutdown, from December 22 onwards — while removing dead links and defunct domains that no longer load. Some domains redirect to other domains that might have a certificate that expires next year, but the first domain will still fail on its expiry date.
Remember, if you see a domain that’s working past its expiry, check the certificate and it’s likely been renewed. If you see any errors, feel free to drop me an email.
In all, we’ve counted five expired federal domains already, 13 domains will expire by the end of the month and another 58 domains will expire by the end of February.
Expired:
- disasterhousing.gov — December 28
- landimaging.gov — January 3
- earthsystemprediction.gov — January 11 — the National Earth System Prediction Capability
- manufacturing.gov — January 14 — a portal highlighting national manufacturing initiatives.
- nationalhousinglocator.gov — January 16
Expiring in January:
- scidac.gov — January 23
- ginniemae.gov — January 23
- reportband.gov — January 23
- mojavedata.gov — January 26
- congressionaldirectory.gov — January 30 — a redirect to the directory of Congress
- congressionalrecord.gov — January 30 — another redirect to the congressional record
- fdsys.gov — January 30
- housecalendar.gov — January 30 — a redirect pointing hosting the House calendar
- presidentialdocuments.gov — January 30 — Compilation of Presidential Documents
- senatecalendar.gov — January 30 — a redirect to the Senate calendar
- uscode.gov — January 30
- donaciondeorganos.gov — January 30
- www.fishwatch.gov — January 30
Federal domains that will expire by mid-February
- ferc.gov — February 1 — Federal Energy Regulatory Commission
- askkaren.gov — February 1
- befoodsafe.gov — February 1 — a redirecting link to the Department of Agriculture
- foodsafetyjobs.gov — February 1
- isitdoneyet.gov — February 1
- pregunteleakaren.gov — February 1
- www.democraticleader.gov — February 2 — website of the House majority leader
- majorityleader.gov — February 2 — redirecting link to the House majority’s page
- www.democraticwhip.gov — February 2 — website of the Congressional Democratic whip
- majoritywhip.gov — February 2 — redirecting link to Democratic whip’s page
- llnl.gov — February 2 — Lawrence Livermore National Laboratory
- moneyfactory.gov — February 6
- federalregister.gov — February 7 — the Federal Register
- wlci.gov — February 7
- fedrooms.gov — February 10
- floodsmart.gov — February 10 — the National Flood Insurance Program
- www.casl.gov — February 11
- geoplatform.gov — February 12 — the U.S. Geospatial Platform
- fatherhood.gov — February 13
- eeoc.gov — February 13 — the Equal Employment Opportunity Commission
- www.faa.gov — February 13 — the Federal Aviation Administration
- grants.gov — February 15
- indianaffairs.gov — February 15 — Department of the Interior’s Indian Affairs bureau
- jusfc.gov — February 15
Federal domains that will expire by the end of February
- bia.gov — February 18 — another link to Indian Affairs
- presidentialinnovationfellows.gov — February 18
- usich.gov — February 18
- cdfifund.gov — February 18
- home.treasury.gov — February 18 — the end domain to the U.S. Treasury homepage
- financialstability.gov — February 18
- fsoc.gov — February 18
- irsauctions.gov — February 18
- irssales.gov — February 18
- makinghomeaffordable.gov — February 18
- mha.gov — February 18
- sigtarp.gov — February 18
- treas.gov — February 18
- ustreas.gov — February 18 — a redirect to the U.S. Treasury
- capnhq.gov — February 19 — another redirect link to the U.S. Treasury
- fdicseguro.gov — February 19
- sftool.gov — February 21
- nlm.gov — February 21 — the National Library of Medicine
- bea.gov — February 22
- opioids.gov — February 22 — the White House’s page on the opioids epidemic
- jamesmadison.gov — February 24
- usitc.gov — February 24 — the U.S. International Trade Commission
- arctic.gov — February 25
- inspire2serve.gov — February 26
- usaspending.gov — February 26
- sec.gov — February 26 — the Securities and Exchange Commission
- everytrycounts.gov — February 27
- abandonedmines.gov — February 27
- malwareinvestigator.gov — February 28 — the FBI’s malware analysis site
- va.gov — February 28 — Department of Veterans Affairs
- code.gov — February 28 — Code.gov for Sharing America’s Code
All information was accurate as of January 17. Edited at 3:30pm ET by deleting citizenscience.gov and everykidinapark.gov as these are known to be domains with auto-renewing certificates.
Cybersecurity 101: How to browse the web securely and privately