When I think of .GOV domain names, I usually think of a government website (which is what .GOV is used for) and expect the highest-level of security available. For the most part this assumption has been true, but that seems to be changing. Here’s what’s going on.
You’ve probably heard of SSL Certificates right? That’s what provides that nice safe lock icon and starts with https rather than plain old http. Well, there’s also something called a TSL Certificates. TSL is another cryptographic protocol for authentication and data security (geek talk for “something that keeps your data safe”), and actually came out after SSL and was touted as the next generation of security.
So it wouldn’t be surprising to hear that the government uses TSL Certificates on their site, but what might surprise you is that about 80 of those have expired as a result of the government shutdown. This means that suddenly, 80 government sites will become less secure than ever before, or in many cases, just stop working completely.
With around 400,000 federal employees currently furloughed, more than 80 TLS certificates used by .gov websites have so far expired without being renewed. To compound the situation, some of these abandoned websites can no longer be accessed due to strict security measures that were implemented long before the shutdown started. (Source – Netcraft)
And what happens if you don’t have SSL or TSL on a site? Security expert Paul Mutton explains that,
“This introduces some realistic security concerns, as task-oriented users are more likely to ignore these security warnings, and will therefore render themselves vulnerable to man-in-the-middle attacks.” (Source – OODALoop)
It’s likely that this problem will only grow as the shutdown continues, which means that for now .GOV has suddenly become one of the least secure domain extensions out there.