There has been some minor news of late of a government shutdown in the USA. tl;dr something about a wall.
Now, you would think that fully automated systems would generally keep running (well, until the hydro bill comes due I guess). But interestingly we can see some certificates have expired. Lets check out e.g. the US DOJ. See how you cannot access this, you get a ‘NET::ERR_CERT_DATE_INVALID’? And there’s no ‘I know what I’m doing, let me in’ (note: if you do have this option you should upgrade your browser immediately).
So, what is happening, and why? First, well, the certificate expired on December 17th. Now, interestingly, technically this is before the shutdown started (Dec 22 was the magic date). So no particular excuse there.
Secondly, the site uses ‘HSTS’ (as it should). HSTS means ‘HTTP Strict Transport Security’. In a nutshell it means the site can only be accessed in a secure way. This should be true for all SSL/TLS sites. No exception. You don’t want to go to the trouble of making the site and then allow downgrading to ‘insecure’.
But, lets assume that somehow the government shutdown was the sole issue here (those missing 5 days between December 17 and 22 ignored). What would that mean? It would mean the lesson of ‘toil’ versus ‘work’ was not taken. What is that you say? They are the same? No.
‘toil’ might technically mean work, but, it usually implies drudgery. The type of thing we would get a machine to do if we could. Imagine the difference between a knowledge-based job (making decisions all day) and something clearly meant to waste your time (counting the number of dots on a ceiling tile).
Here you see someone should have made the certificate renewal automated. Let’s Encrypt has API’s for this. You run ‘certbot’, every week or so it checks if the certificate is *near* expired, and, if so, renews it. So why do we instead have a web site that probably has a sticky note on a monitor somewhere saying “remind me to renew certificate Dec 16”? That is toil versus work. If we reduce toil to 0 we have more time for work (value).
Interestingly, the doj.gov site is on the Chrome ‘Must HSTS’ list (*.usdoj.com is on the list). So this means that even if their developers forget on some site, Chrome has their back. There’s a lot of random things on that list, e.g. 1895dentalimplants.com… a ‘puget-sound local’ dental site that will, for $1895, get you dental implants. (I guess if inflation occurs they change the company name and register a new domain name?). Hmm. How is this list generated? Why are folks near seattle needing more secure dental implant sites than others? Inquiring minds.
What’s your favourite site on the ‘must encrypt’ hardcoded list? Is it this plumber from bratislava? This UK bouncy-castle rental?
Leave a Reply