Hackers can pocket sensitive personal data from citizens visiting hundreds of .gov websites because the shutdown has reduced technical maintenance, some security researchers say.
The vulnerability has to do with the way websites protect online forms submitted by users who are seeking government services. And the dangers could outlast the temporary furlough, said Robert Duncan, Internet services manager for security firm Netcraft.
"Partly as a consequence of the U.S. government shutdown, there are presently more than two hundred .gov websites using expired SSL certificates" -- coding denoted by a "HTTPS" link prefix that secures documents sent over the Internet, he wrote in a Wednesday blog post.
The government essentially is training citizens to ignore expired SSL warnings -- and once they acquire that habit, hackers are able to perform "man-in-the-middle attacks,” Duncan said. Such maneuvers invisibly transport users to fraudulent forms that look official but actually send submissions to the bad guys.
"Although the shutdown is expected to be a short term measure, the widespread use of expired certificates on .gov sites may cause long term harm," he said.
Some high-profile .gov sites don't even use the safeguard when the government is functioning normally, according to privacy groups.
"For all the criticism of HealthCare.gov, at least they use HTTPS by default, something the IRS and White House websites don't do," Christopher Soghoian, principal technologist for the American Civil Liberties Union, tweeted after the Obamacare healthcare exchange site suffered paralysis.
Hackers can swap out the government’s expired certificates by signing their own expired SSL certificates. The malicious SSL error message would be indistinguishable from the error message generated by the government’s expired SSL certificate, in some browsers.
"Citizens accustomed to seeing the 'expired' error message will happily proceed with a connection using the attacker's expired (and untrusted) certificate, unwittingly communicating with the attacker instead of the U.S. government," Duncan said.