The DoD's Cybersecurity Site Can't Keep Its Own TLS Cert Valid


Cyber.mil — the Department of Defense website that distributes Security Technical Implementation Guides (STIGs) — has been serving file downloads over an expired TLS certificate for at least three days. STIGs are the compliance checklists that every DoD contractor and federal system administrator must follow to harden their infrastructure. One of those checklists covers, you guessed it, certificate management.

The specific page affected is the STIG downloads portal, the single most-visited resource on the site. Anyone pulling down the latest benchmarks for Windows Server, Oracle DB, or network device hardening gets a full-page browser interstitial, specifically a certificate-date error rather than a generic "not secure" badge. The certificate expired on March 21, and as of this writing, it hasn't been renewed.

This isn't a theoretical problem. STIGs are distributed as ZIP archives containing XCCDF XML benchmarks that administrators feed into compliance scanners and turn into hardening configuration. An expired certificate is not itself a broken one: the key and the chain are what they were last week. The danger is the habit it creates. The interstitial a user is told to click through looks much the same whether the certificate is merely stale or was minted by whoever sits in the path, so a developer or sysadmin trained to hit "Advanced" and proceed is now accepting policy files from whatever terminates the connection, with TLS authentication effectively switched off. If you're threat-modeling supply chain attacks on government infrastructure, "compromise the distribution channel for security policy files" is page one material.

The deeper issue is operational. Certificate expiration is the most preventable failure in infrastructure management. Every major cloud provider offers automated renewal, and Let's Encrypt with the ACME protocol made it free for the entire internet a decade ago. DISA (the Defense Information Systems Agency, which runs cyber.mil) publishes the STIG controls that require valid, properly managed certificates, controls it is currently failing on its own site. It gets worse: one commenter in the thread found, from public certificate records, that a replacement certificate was issued in February and simply never deployed. This was not a renewal that slipped; it was a renewed certificate nobody installed.

This pattern recurs across government security organizations with uncomfortable regularity. The organizations that write the rules consistently struggle to follow them. Part of that is structural: procurement cycles, staffing gaps, and the sheer sprawl of government web properties make it hard to maintain hygiene at scale. But expired certs aren't an edge case. They're a cron job.

For practitioners who depend on STIGs: treat anything you pulled in the last 72 hours as unverified. Check it against known-good hashes if you have them, or re-download it once the certificate is fixed and diff the two. And if your compliance auditor asks why your cert monitoring is overkill, you now have a ready-made exhibit.
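Because the fix really is a cron job, here is one as an added example (not code from DISA, cyber.mil, or the Hacker News thread): a standard-library Python check that a scheduler can run daily against the hosts you care about. It handshakes with full verification, so a certificate that has already expired fails the handshake and is reported as EXPIRED rather than being silently accepted; for a valid certificate it reports days to expiry against a warning threshold. The default host, the 14-day threshold, and the 10-second timeout are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Daily TLS certificate expiry check for a cron job.

Added example for this article, not code from DISA, cyber.mil or the
Hacker News thread. Standard library only. The default host, the
14-day warning threshold and the 10-second timeout are assumptions.
"""
import socket
import ssl
import sys
import time
from typing import Optional, Tuple

WARN_DAYS = 14          # assumed: alert when fewer days than this remain
TIMEOUT_SECONDS = 10    # assumed connect/handshake timeout


def days_until_expiry(not_after: str, now_ts: float) -> float:
    """Days from now_ts (seconds since epoch) until a notAfter string in the
    form ssl.SSLSocket.getpeercert() returns, e.g. 'Mar 21 23:59:59 2026 GMT'.
    Negative means the certificate has already expired."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    return (expiry_ts - now_ts) / 86400


def classify(days_left: float, warn_days: int = WARN_DAYS) -> str:
    """Map days-to-expiry onto a status a scheduler can act on."""
    if days_left < 0:
        return "EXPIRED"
    if days_left < warn_days:
        return "WARN"
    return "OK"


def check_host(host: str, port: int = 443,
               now_ts: Optional[float] = None) -> Tuple[str, str]:
    """Handshake with full verification (chain, hostname, validity window).

    Verification is left on deliberately: an already-expired certificate
    fails the handshake, and that failure is the finding. Turning
    verification off to "get the cert anyway" would also make the check
    accept whatever a machine in the path presents.
    Returns (status, detail).
    """
    now_ts = time.time() if now_ts is None else now_ts
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT_SECONDS) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Message reads e.g. "... certificate verify failed: certificate has expired"
        status = "EXPIRED" if "expired" in str(exc) else "FAIL"
        return status, str(exc)
    except OSError as exc:
        # Socket errors and other SSL errors (ssl.SSLError subclasses OSError)
        return "FAIL", f"{type(exc).__name__}: {exc}"
    days = days_until_expiry(cert["notAfter"], now_ts)
    return classify(days), f"{days:.1f} days left (notAfter={cert['notAfter']})"


# Exit-code ordering so one bad host fails the whole cron run.
SEVERITY = {"OK": 0, "WARN": 1, "EXPIRED": 2, "FAIL": 2}


def main(argv):
    hosts = argv[1:] or ["public.cyber.mil"]   # default: the host from the thread
    worst = 0
    for host in hosts:
        status, detail = check_host(host)
        print(f"{status:8} {host}: {detail}")
        worst = max(worst, SEVERITY[status])
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron with your hostnames as arguments; a non-zero exit is the alert. The OpenSSL equivalent for a single host is `openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | openssl x509 -noout -checkend 1209600`, which exits non-zero if the certificate expires within the next 14 days.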

Hacker News 143 pts 136 comments

Cyber.mil serving file downloads using TLS certificate which expired 3 days ago

amluto · Hacker News

This is kind of amazing. I'm suspicious that the site operator has absolutely no idea what they're doing.

> DoD Cyber Exchange site is undergoing a TSSL Certification renewal

I'm imagining someone searching around for a consulting or testing company that will help them get a personal

0xbadcafebee · Hacker News

> Users on civilian network can continue downloads through the Advance tab in the error message.

They are literally telling users to click through the browser errors about the bad cert. They don't mention that there is a very specific error they should be looking for (expired cert). This give

nik282000 · Hacker News

TD bank, in Canada, has had their cert expire several times in the past 10 years. It blows me away that a bank can't afford to do for themselves what Certbot and Let's Encrypt do for me, for free. Like, pay a guy a whole week to automate this and it will save you the 12hrs losses every time your

petcat · Hacker News

Is there anything inherently insecure about an expired cert other than your browser just complaining about it?

yesod · Hacker News

So it looks like a new cert was issued back in February, but they've not deployed it yet (https://bgp.he.net/certs#_SearchTab?q=www.public.cyber.mil)
