Here's Why Your Browser May Tell You the White House Website Isn't Secure

Some visitors to the White House website have reported seeing messages that carry some scary warnings. A message from Google Chrome warns: "Attackers might be trying to steal your information from messages.whitehouse.gov, for example passwords, messages or credit cards."

Post staffers ran into similar messages on Microsoft's Edge browser, Apple's Safari and Mozilla's Firefox browser. Some Twitter users experienced the same thing:

One person tweeted: A bit concerned. When I visited the https://t.co/BU5JvyhVJM site, @AVGFree kept warning me of threats. #Paranoia #RussianHackers ?

Seeing that sort of language on your screen doesn't exactly inspire confidence, to say the least. But, according to cybersecurity professionals, the messages don't seem to be prompted by an attack. In fact, the messages aren't obviously linked to anything nefarious at all; it's likely due to a simple maintenance oversight.

The White House didn't respond to a request for comment.

Experts told The Post that the messages are appearing because the site's security certificate - or, very simply put, the thing that verifies that a site is what it says it is - isn't valid.

It appears the White House's equipment isn't configured correctly, and the old certificate was revoked or allowed to expire without getting replaced, said Kenneth White of the Open Crypto Audit project, a nonprofit dedicated to improving cybersecurity. There are perhaps hundreds of pieces of equipment and servers that need to be just right to keep the White House site up and running correctly, so it's easy to miss something, he said.

"I want to dissuade any notion of this being cloak and dagger, or there being any sort of malicious intent," White said. "This is almost certainly an innocent mistake."

So that's the good news: there's no indication there was a malicious attack. Nor does it appear to be tied to the recent transition of power at 1600 Pennsylvania Ave. According to White, records indicate the certificate was revoked by the company that issues certificates in May of 2016 - in other words, long before the Trump administration occupied its current offices. (A similar message appeared in 2015 on the same day the Obama administration held a cyber-security summit.)

White suspects that people are seeing the updates more frequently now due to recent browser updates. Some browsers, including Chrome, have increased their own security measures regarding security certificates. That may explain why not everyone sees the same message, or people only see it in certain browsers.

The bad news is that this means at least parts - such as messages.whitehouse.gov - of the White House's website aren't secure at the moment. "With an invalid certificate, anyone can monitor your traffic, see what you're reading even if you're not logging in and see which pages [you're] spending time on," said George Avetisov, chief executive of the cybersecurity firm HYPR Corp. He also said, if the most visible parts of the White House's site aren't being properly monitored, it also raises questions on some of the more technical parts as well.

Avestisov said that he hopes that an expected cybersecurity executive order from President Donald Trump, which is likely to include provisions to encourage the government to adopt industry-standard security measures, will prevent mistakes like this.

"The root problem in the government is that they have a lot of legacy systems - there are places in the government that still run Windows XP, even though it's not supported anymore," he said. "And there is no unified approach to cybersecurity; each agency has their own home brew system."

In the meantime, "Don't go to whitehouse.gov until they fix that certificate," Avestisov said.

© 2017 The Washington Post