
Federal HTTPS domains that'll expire soon because of US government shutdown - jmsflknr
https://techcrunch.com/2019/01/17/federal-https-domains-expire-government-shutdown/
======
nimbius
Disclosure: I'm a full-time diesel engine mechanic.

My shop was due for a round of vessel inspections for our waste and fresh oil
holding tanks last Friday, but, no EPA. Without these inspections we can not
technically order new oil or have oil recycled, because the EPA signoff is
required as part of cradle-to-grave handling of hazmat substances.

So how do we get around it? We now have half our back parking lot filled with
55 gallon drums of waste byproduct from engine work, which can be shipped
without an EPA cert to recyclers. This is also outright illegal if it gets big
enough, but we've been declaring it as required by the EPA. Since we can't
schedule a formal review of that either, we confirm the storage with their
hotline for doing so, and since that's not staffed and the voicemail box is
full, I have been mailing Kodak pictures and printed descriptions of the
storage.

Our full-site inspection is due Feb 2nd...without it, the federal government
(if it were running) would cite us for a flagrant violation and shut us down.
The guy who does that inspection called us and confirmed he's quitting to work
for...of all places...the company that recycles our oil.

~~~
slg
> The guy who does that inspection called us and confirmed he's quitting to work
> for...of all places...the company that recycles our oil.

This type of thing is one part of the story that not enough people are
focusing on regarding the shutdown. How many people are going to come back to
these jobs once the shutdown inevitably does end? Odds are these
"nonessential" government departments will be crippled for years by the loss
of both experience and manpower.

~~~
wwweston
One of the things that needs to be understood is that _this is intentional_.

The Grover Norquist "drown it in a bathtub" contingent of the Republican party
is large, influential, and for them, this is not at all unfortunate collateral
damage in pursuit of The Wall or something. The crippling of public
institutions (if not outright dissolution) is part and parcel with the
ideology.

And that's even if you don't believe that the executive branch may have been
compromised by a foreign power interested in weakening and destabilizing the
United States.

~~~
ryandrake
On the other hand, I think we are finding out how “essential” some of these
institutions really are. During this shutdown, besides these workers
unfortunately not being able to work and get paid, normal life is still going
on. _Actual_ essential things are still happening. Armageddon is not
happening. Sure, forms are not getting stamped in triplicate, and inspectors
are no longer inspecting inspectors, but these are “paper and ink” problems.

As a taxpayer, I see that life is still going on while these jobs are not
getting done and I might eventually ask, do these jobs even need to exist?
What about my life changes if that stack of papers no longer gets stamped and
moved into another stack?

~~~
slg
The comment that started this thread mentioned how the shutdown is creating an
environmental ticking time bomb in back of their shop. Just because you
personally don't immediately feel the repercussions of the shutdown doesn't
mean those repercussions don't exist.

~~~
rudedogg
I think their point was that the ticking time bomb is only caused by
regulations, which they can no longer comply with. The situation would be
better for them if they could just get the oil recycled from their typical
tank, but they need approval for that, so they are falling back to using drums
in the parking lot.

I doubt any of us trust companies to do the right thing most of the time, but
I think we all agree some regulations are dumb, and a loss for everyone except
the people whose jobs depend on them.

For clarity, I have no idea if the tank inspection is a dumb regulation. And I
realize without the regulations, they'd probably be dumping the oil behind the
shop somewhere which we obviously don't want.

~~~
ryandrake
Exactly. OP physically can get their oil recycled. The only reason they are
not doing it is because the law requires an inspector to come and inspect and
tick a checkbox. Without that requirement, there would be no ticking time-
bomb. They could just recycle the oil, buy new supplies, and life could go on.

Same for the TSA. If the TSA disappeared overnight, we’d just get on airplanes
and fly to our destinations like we did before they came around. We have long
lines not because there are fewer agents, but because the law says an agent
must process you and there are few agents.

~~~
brewdad
The reason that person needs to come tick that checkbox is because less
ethical businesses have shown time and again that they will dump the oil
wherever is cheapest/easiest if there is no oversight.

Same with TSA. While they aren't perfect, we don't have bimonthly hijackings
like we did 40-50 years ago.

~~~
freedomben
You realize TSA didn't even exist until George W. Bush in 2001. It's also not
unheard of for TSA to screw up[1]. I'd also be very interested in where your
data of "bimonthly hijackings" comes from.

[1] https://www.nbcnews.com/nightly-news/video/atlanta-tsa-officers-fired-after-passenger-took-gun-onboard-flight-to-tokyo-1425774659803

~~~
slg
The US had a huge number of hijackings in the late 60s through early 70s [1].
There has not been a single hijacking or terrorism related death on a
commercial airliner in the US since the TSA was created. The TSA doesn't
deserve all the credit there as other post-9/11 security changes were
implemented at the same time, but you can't just hand wave away their role in
that unprecedented streak of safety.

[1] - https://www.wired.com/2013/06/love-and-terror-in-the-golden-age-of-hijacking/

~~~
dragonwriter
> The US had a huge number of hijackings in the late 60s through early 70s
> [1].

And very few after that (two in the 1980s, with a couple attempts in the 1989s
and 1990s) because of the first round of airport security rules adopted
immediately in the wake of those and the tightening permanently applied during
the 1990 Gulf Crisis.

> The TSA doesn't deserve all the credit there as other post-9/11 security
> changes were implemented at the same time, but you can't just hand wave away
> their role in that unprecedented streak of safety.

It's not significantly different than the period before 9/11, so it's not
clear that the TSA and other post-9/11 actions deserve _any_ credit, and
calling it an unprecedented streak of safety is hyperbolic.

~~~
slg
You are correct that the TSA didn't invent airport security screenings, but
they took them over, improved, and standardized them. They certainly aren't
perfect but they have yet to have the type of catastrophic failures that
occasionally happened before the TSA existed.

> It's not significantly different than the period before 9/11, so it's not
> clear that the TSA and other post-9/11 actions deserve any credit, and calling
> it an unprecedented streak of safety is hyperbolic.

First off, you can't just pretend like 9/11 doesn't count in pre-TSA security
stats. Four planes were hijacked within an hour of each other on 9/11 and zero
have been hijacked in the last 17+ years? Those rates seem significantly
different to me. Also can you find any stretch of US history in which
commercial airliners have flown close to as many miles as they have over the
last 17+ years in which there wasn't a hijacking? Unprecedented seems like a
perfectly fine word to describe that streak.

~~~
dragonwriter
> First off, you can't just pretend like 9/11 doesn't count in pre-TSA
> security stats. Four planes were hijacked within an hour of each other on
> 9/11 and zero have been hijacked in the last 17+ years?

Prior to 9/11, there were 14 years with no US hijackings (failed attempts are
a different story) and 27 with no deaths on a commercial aircraft due to a
hijacking. 17 years with neither hijackings nor hijacking related deaths is
not a clear improvement that calls for credit anywhere. Since the 1980s,
hijacking events have been so rare that it would take many decades under a
given policy regime before and after a policy change before you could have even
remote statistical confidence that my quiet period

Really, since at least the 1980s, hijacking is so rare that it would take an
extraordinarily long time to have even remote confidence that there was an
increase in safety, much less of assigning a specific cause to it.

And, on assigning cause, if there was a reduction in hijackings post-9/11,
well, there's a pretty good reason to think that al-Qaeda and the passengers
of Flight 93 jointly might be responsible without any government policy as an
intermediate cause.

Hijacking became something passengers would no longer be likely to accept as a
“cooperate and no one gets hurt” event, which rendered it pointless as almost
anyone has ever used it (even as al-Qaeda used it on 9/11, which while it
doesn't factually fit that model clearly required for effect that people
_believed_ that it did.)

------
femto113
I really wish browsers would deemphasize certificate expiry as a problem (say
to just an ! on the lock icon)--it is literally meaningless from a
cryptographic security perspective. I also think it is misleading users about
the usefulness of certificates, since neither browsers nor certificate vendors
track or report things that do meaningfully impact security, e.g. if the
company that originally bought the certificate was sold to EvilCorp or the
server has been compromised by hackers.

~~~
kakarot
> it is literally meaningless from a cryptographic security perspective.

Care to elaborate?

~~~
femto113
A certificate is essentially a cryptographic key that one entity (the
"issuer") asserts was issued to some other entity (the "subject"). Whether
that assertion is true now, was true a day ago, or was never true does not
affect the strength or usefulness of that key for cryptography. Other
attributes of the key, like its bit length, do matter, but when it was issued
and when it "expires" absolutely do not.

I find this misleading because the implied value of the certificate to the end
user, that "you can be sure you are talking to the entity you think you are
talking to and nobody else", is not really what the issuer is promising.
They're just saying something like "we verified the company that bought this
really is named XYZ". They are NOT saying that "the entity that operates the
server you're communicating with is under the control of XYZ corp". It's
entirely possible for a certificate to be sold to XYZ corp, which emails the
certificate to an IT consultant, which FTPs it to a WordPress hosting company
that deploys it to a server run by a cohosting company where it's used to
market services that are fulfilled by independent contractors. The issuer
doesn't touch on anything beyond the first step in that chain but the
browser's freaking out and going full red screen the second the certificate
"expires" might make you think that it does.

~~~
femto113
A specific example--right now on disasterhousing.gov I get this message in
Chrome

    Your connection is not private

    Attackers might be trying to steal your information ...

    This server could not prove that it is disasterhousing.gov;
    its security certificate expired 21 days ago. This may be caused
    by a misconfiguration or an attacker intercepting your connection.

The first statement is extremely misleading, your connection is as "private"
as it ever was, since the cryptography still works and the issuer never
validated the end-to-end privacy of your information server in any way. That
last statement is so misleading as to be mostly just wrong. 100% of expired
certificate problems in my experience are due to an organization failing to
renew because of inattention ("Bob bought the certificate 2 years ago and used
an email he set up on gmail because we didn't have our own mail server back
then but we do now and so no one ever looks at that email so we never saw the
renewal notice"). I am not aware of any attack on SSL that leverages a
certificate that is valid in every way except that it has expired, other than
the possibility that an old certificate fell into the attacker's hands.
However it is also entirely possible for an unexpired certificate to fall into
attackers' hands, and because unexpired certificates are more valuable it is
more likely that is what attackers actually will steal (or forge).

I think users would be better served if certificate expiration was a more
subtle warning, that perhaps slowly increases its panic-inducing-messaging
over long time frames.

------
tomohawk
Automated renewal with Let's Encrypt is a thing. Blaming this on the shutdown
rather than on not taking appropriate care to do this more robustly? Meh.

~~~
CydeWeys
Automated renewal only works so long as your servers doing said renewal
continue working. This is by no means guaranteed.

How long do you think the average company's IT infrastructure would continue
working if all employees instantly dropped dead? With no one to respond to any
issues that crop up, and nothing that isn't 100% automated happening at all?

~~~
belorn
I have been using Let's Encrypt now for about a year for about a hundred
domains, and I never had to do a manual renewal.

The biggest benefit of Let's Encrypt for companies is not the price. Having
someone responsible for renewal, getting the bills through the billing system
and approved, getting it installed. All those steps involve employees that
could be spending their time on something more important. If any part of the
chain fails there will also be a massive fallout which can be very costly.
Automated renewal changes all this to an initial cost during construction of
the service, usually during the pre-production phase.

My concern would not be about the automated renewal if all employees instantly
dropped dead. Sooner or later a service will hang, some resources exhausted,
and things stop working.

~~~
craftyguy
> I have been using Let's Encrypt now for about a year for about a hundred
> domains, and I never had to do a manual renewal.

One data point does not make a very useful statistic, and most definitely does
not make a meaningful statistic for making decisions about production systems.

~~~
belorn
That is fair but then we also do not have multiple data points in a formal
study to say that you will need manual renewals.

I personally find anecdotal information useful from people who work
professionally on it when there is no other information available. I find the
top comment in this thread interesting even if it's just a single data point
from a diesel engine mechanic.

------
smsm42
manufacturing.gov has 1-year cert ending on Jan 14. Why didn't they create a
new one in November 2018? It's not like Jan 14 coming is any kind of surprise.
I can understand where snowfall takes a city by surprise - after all, it's
hard to predict when exactly the snow would fall. But it's kinda easy to
predict when January 14th would happen. Why didn't they prepare?

I'm not even saying why they don't have .gov CA with auto-renewal
infrastructure - that'd be too much to ask. But at least some foresight?

~~~
Symbiote
Minor inconveniences like this should reduce support for the government
shutdown.

Also, isn't this the longest ever?

------
choward
Misleading title. I thought the domains were expiring and was wondering what
that had to do with HTTPS. Their SSL certificates are expiring, not the
domains.

------
flukus
Maybe designing things to break periodically without intervention wasn't such
a good idea.

------
Karunamon
Wee bit misleading - this is about cert expiration, not domain expiration.

~~~
jessriedel
Not just misleading, literally wrong based on the plain meaning of the words.

------
smaslennikov
My favourite part is that some of these sites are effectively blocked by
Chrome due to HSTS (e.g. manufacturing.gov), which renders them unusable for
most.
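
An added example, not part of any comment in this thread: one way to flag certificates ahead of a known expiry date and to single out hosts where an expired certificate becomes a hard failure because HSTS is set, as the two comments above describe. The hostnames, dates, headers and the 30-day lead time are constructed assumptions; the `notAfter` strings use the format returned by Python's `ssl` module.

```python
import ssl
from datetime import datetime, timezone

RENEW_LEAD_DAYS = 30  # assumed policy: renew at least this long before notAfter


def parse_hsts(header):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    if not header:
        return None
    max_age = None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')  # RFC 6797 allows a quoted value
            if max_age is not None or not (value.isascii() and value.isdigit()):
                return None  # repeated or malformed max-age: header is ignored
            max_age = int(value)
    return max_age


def days_left(not_after, now):
    """Days from `now` until the certificate's notAfter (negative once expired)."""
    return (ssl.cert_time_to_seconds(not_after) - now.timestamp()) / 86400


def classify(not_after, hsts_header, now):
    """Map a certificate's expiry date and the site's HSTS header to a status."""
    remaining = days_left(not_after, now)
    hsts_on = (parse_hsts(hsts_header) or 0) > 0  # max-age=0 switches HSTS off
    if remaining < 0:
        # With HSTS in force the browser offers no click-through, so the
        # site is unreachable rather than merely showing a warning.
        return "expired-hard-fail" if hsts_on else "expired-warning"
    if remaining < RENEW_LEAD_DAYS:
        return "renew-now"
    return "ok"


# Constructed inventory: host -> (notAfter, Strict-Transport-Security header)
SITES = {
    "hsts-expired.example": ("Jan 14 12:00:00 2019 GMT",
                             "max-age=31536000; includeSubDomains; preload"),
    "plain-expired.example": ("Dec 27 00:00:00 2018 GMT", None),
    "due-soon.example": ("Feb  2 00:00:00 2019 GMT", "max-age=0"),
    "fresh.example": ("Nov 20 00:00:00 2019 GMT", 'max-age="63072000"'),
}
NOW = datetime(2019, 1, 17, tzinfo=timezone.utc)  # constructed "today"


def report(sites=SITES, now=NOW):
    """Return {host: status} for every site in the inventory."""
    return {host: classify(na, hsts, now) for host, (na, hsts) in sites.items()}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:24} {status}")
```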

------
rebuilder
I'm not seeing a lot of sites that actually handle private data for the
majority of users.

------
belorn
I would be much more interested in domain names that will expire. If funding
is stopped one would guess that domain registrars might start allowing some
names to expire, which then anyone can try to catch.

~~~
jacoblsievers
I doubt that "anyone" can grab a .gov address.

~~~
belorn
I was more considering all the multitude of other domain names. Just like
companies, government agencies and departments tend to have a lot of domains
spread out on multiple registrars, TLDs, and for many different reasons. It
can be to cover misspellings, one-time projects, awareness campaigns, and so
on.

------
peterwwillis
Taking this opportunity to again expound about how not all websites need
HTTPS:

First, most of these are basically info portals. Nobody is trying to steal or
corrupt the data points for the fiscal budget expenditures this year, or the
report on residential heating in remote arctic villages. In addition, none of
the data is secret or private. So the data doesn't need to be protected.

The other reason people say everything needs HTTPS is not data security, but
attacks on the client. If you use HTTP, someone can subvert the packets to
inject malware into your client, etc. But this would be impossible if the
browsers had methods to cryptographically verify the data's integrity without
needing to keep it private. In other words a checksum, possibly even out-of-
bound. This can be done securely and without the need to constantly expire and
re-issue a certificate, and it also enables several useful technologies which
require inspection and passing of data content in different scenarios.

Finally, the increased dependence on encryption for all communication makes
our communication more fragile, and this is a great example. In the future, if
everything uses https, and certs expire, either most of the content of the web
will expire, or if we allow clients and tools to not verify certificates, we
undermine the purpose of the certificates to begin with. Let's Encrypt cron
jobs will not work forever (if you don't upgrade, eventually the crypto you
were using for your cert will become obsolete), network operations can be
attacked to prevent re-signing, not every domain has a server that runs cron
jobs, there's no guarantee Let's Encrypt will be around forever, and it may
not work in non-US countries.

Unrelated, but I also think expiring certificates can be worked around. They
force you to expire and re-sign them because they could get cracked or (less
likely) the private key could leak. But certificates can also be revoked at
any time. As far as I can tell, it's not possible to tell if a certificate has
been revoked if an attacker doesn't want you to be able to tell, since PKI has
to work offline. So you could be getting pwned all the way up to the cert
expiring. Instead, we could simply expire certificates _when we want to rotate
them_, rather than letting them auto-die and catch unaware admins with their
pants around their ankles.

Some people say we need to get rid of PKI, but I don't think that's a good
idea. Rather than throw the baby out with the bath water, let's improve the
baby. That goes for the registrars, CAs and DNS, too. (The way cert signing
happens today is, I think, a bit of a joke, and registrars need to play a more
key role)

------
aboutruby
isitdoneyet.gov Really?

~~~
givehimagun
Looks like it's a food safety website from the USDA recommending cooking
temperatures. Is It Done Yet makes sense.

~~~
rhacker
Well, except that it doesn't make sense for them to actually have a domain for
it. The domain does a 301 directly to a page within the usda.gov site. The
domain itself doesn't even come up on a search for isitdoneyet, instead just
the forwarded page does. So no, while the content is useful, having a separate
domain and SSL certificate, really isn't useful.

~~~
naniwaduni
You can print "isitdoneyet.gov" on a PSA poster (like, on paper) and have
people be able to type that into their browser.
https://www.fsis.usda.gov/wps/portal/fsis/topics/food-safety-education/teach-others/fsis-educational-campaigns/is-it-done-yet
not so much.

An extra domain and a cert are essentially costless if you're managing more
than a handful already, so what's the problem?

------
NicoJuicy
I know that political subjects are not wanted.

But I have never seen the return between the wall, Trump and his real estate
mentioned.

Is it plausible that he wants a shutdown, so he can earn more money by
building a wall?

------
woofcat
Is techcrunch.com now for people who are hard of sight? That's a massive font.

~~~
maccio92
well most techies in silicon valley are painfully short-sighted

------
daebersold
Never mind it would have taken 2 seconds to set up a cron job to autorenew their
SSLs. Typical government.

~~~
Karunamon
Assuming they were using best practices and something like Let's Encrypt
(unlikely) or even a larger outfit that implements ACME (do those even exist
yet?).

No, more likely, there's a sysadmin somewhere that's furloughed, has the
reminders in his inbox, and has to kick off an arduous procurement process
involving three layers of bureaucratic horseshit involving five signoffs each,
and at least a 60 day window before Verisign nee Symantec gets paid an
exorbitant amount of money and issues the all important bit of code.

No doubt this is exaggerated, but I firmly believe that government/large
enterprise procurement is one of the levels of hell. Take something that
should be a simple, five minute process and stack layers upon layers of
nonsense on top.

------
fareesh
The US government shutdowns of the past have seemed like political posturing
over budgets, but this time the situation seems genuinely important - I have
read so much about the gangs and violence and trafficking that is taking place
in the border region. It's surprising that your politicians are able to take a
genuine issue like this and turn it into a political one. It's also surprising
that common people want the border to be unprotected. What sense does it make?

~~~
asdff
What you've been reading has been a gross mischaracterization on the issues.
Less than one half of one percent of border patrol agents surveyed by the
Senate Homeland Security committee want a wall (1), and that's because a wall
won't change the situation. It is well known that the overwhelming majority of
illegal immigrants arrived by legal means through a port of entry and
overstayed their visa. It is also well known that immigrant populations in the
United States commit less crime per capita than native born populations. The
whole idea of the wall has been around since Mexico declared independence from
Spain, and has long been rooted in racism and fear, not fact or data (2)

1. https://www.nytimes.com/2019/01/05/us/politics/donald-trump-border-wall.html?emc=edit_th_190106&nl=todaysheadlines&nlid=879446810106

2. https://www.sandiegouniontribune.com/news/nation-world/ct-mexico-border-wall-history-20190110-story.html#nws=mcnewsletter

~~~
tropo
That's a conflict of interest if there ever were one. If you are paid to catch
violators, you want more violators.

Also, you're conflating "illegal immigrants" with "immigrant populations".
When mentioning crime, you suddenly switch to discussing a group of people who
have patiently followed the immigration law and paid all the fees.

~~~
asdff
Think about the mechanics of how a wall might even work, the logic isn't
really there to even invest in it. The only way a wall would be a practical
deterrent would be if someone didn't even know it was there. One rope and you
are on the other side. You'd still need border patrol to monitor the wall just
like if there wasn't one. On top of that, the landscape is wide. Wouldn't it
be far far cheaper to just fly a drone, maybe even with AI, and scan miles of
desert at a time for anything that isn't miles of desert, and have a border
patrol agent show up with a pickup truck? Because wall or not, you are gonna
have to fly a drone or have that same border patrol agent cover the same area
anyway to see if there's anyone crossing that stretch of desert to begin with.

For illegal immigrants vs. native born population, it still holds true that
the immigrant population has a lower crime rate (1).

1. https://www.nytimes.com/interactive/2019/01/11/us/politics/trump-border-crisis-reality.html

