What should I do if I receive a website expired certificate?

575    Asked by AryanTandon in Cyber Security , Asked on Sep 26, 2022

 How does a user know if it's safe to click through scary browser warnings about SSL certificates?

Ideally, a user should never need to click through these warning messages, but sometimes honest websites run by honest, but not clueful, people will have a broken certificate.

Answered by Ashish Sinha

Regarding the website expired certificate -


From a theoretical point of view, an HTTPS site with a warning on the certificate is no better, but no worse either, than a plain HTTP site. As long as you only browse, reading data but not sending anything, and not especially trusting what you read, then you can ignore the warning. However, it is quite rare that a reading-only site goes to the trouble of setting up SSL and a certificate.

From a practical point of view, an HTTPS site with a warning on the certificate is worse than a plain HTTP site. Most plain HTTP connections go through without any attack because there are just too many of them, and so many are worthless for an attacker. On the other hand, if some attacker went to the trouble of impersonating an HTTPS server with a fake certificate, then this is a sign that your connection is being actively threatened.

Therefore a browser warning on an HTTPS certificate means one of the two following things:

the server administrator did not do his job properly; you are being actively attacked right now.

So you have to be quite sure that proposition 1 is the right one, if you still want to bypass the warning.

A relatively safe situation is when the only thing which gives the willies to your browser is that the server certificate expired not long ago (a few hours, maybe a few days): this just means that some sysadmin was overworked or on holiday, and missed the renewal date for his certificate. Most other cases are not safe: indeed, one can assume that even the most moronic sysadmin tried at least once browsing his own site, so if there is a "permanent" invalidity reason (e.g. the name in the certificate does not match the host name) then the sysadmin must have seen it.

Hence the general advice: if there is a warning, then don't go there. Just for fun, a marvelous quote from some guy named "Mark Bondurant", in the alt.computer.security Usenet group (quote reported by Peter Gutmann in his X.509 style guide -- a somewhat old but still must-read document, if only for stylistic literary reasons): I knew a guy who set up his own digital ID hierarchy, could issue his own certificates, sign his own controls, run SSL on his servers, etc. I don't need to pay Verisign a million bucks a year for keys that expire and expire. I just need to turn off the friggin browser warning messages.



Your Answer

Interviews

Parent Categories