Security Basics mailing list archives
Re: Expired certificates
From: Derek Schaible <dschaible () cssiinc com>
Date: Fri, 28 Apr 2006 16:43:19 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1I have a thought on this topic. While on the surface it seems like a mundane issue, who really cares beyond desensitizing users about security warnings? However, a bigger issue may in fact exist: A certificate expires for several reasons. A primary reason for expiring a certificate is because the lifetime of the key has passed and could have been cracked. Keeping that key alive on the server tells a hacker that the maintainer does not care about the key's life cycle and could have other such keys on the network.
You see, if a key with a certain level of encryption could theoretically be cracked in say 3 years with modern technology, good practice says expire the certificate in about 2 years. The certificate is not the key, merely a voucher for the authenticity of the key. If the cert has expired, the key technically should no longer be trusted.
So, leaving it in place could mean someone has extra time to crack the key.
I'd recommend it's removal immediately, personally. If not for the unlikeliness of it being cracked, then out of respect for maintaining sound practices for your users to follow. The cost of replacing the certificate is very cheap in the grand scheme of computing costs.
- -d On Apr 28, 2006, at 12:18 PM, Kenton Smith wrote:
This seems like a bit of a pointless argument. If they have no other reason for removing it other than convenience, I don't see why you don't just remove it. That aside, I suppose the only security risk I can see is that there is information on that certificate someone could use against you. It is possible that they could take that information and spoof the site and certificate. That's about the only security risk to leaving it there that I can think of. Kenton --- 1tgeye () surewest net wrote:---------------------------------------------------------------------- ---We have an IIS server with an old certificate that has expired. We do not use it anymore and I am arguing to remove it from the site. Other people are saying it doesn't hurt anything and just leave it there. Can anyone give me a reason why an unused but expired certificate could cause a security risk? I would like to add that to my argument why it should be removed.---------------------------------------------------------------------- ----This List Sponsored by: Webroot Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks. FREE 30-Day Trial of Spy Sweeper Enterprise http://www.webroot.com/forms/enterprise_lead.php__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com---------------------------------------------------------------------- ---This List Sponsored by: WebrootDon't leave your confidential company and customer records un- protected.Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks. FREE 30-Day Trial of Spy Sweeper Enterprise http://www.webroot.com/forms/enterprise_lead.php---------------------------------------------------------------------- ----
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFEUn5qaMpDBGs574MRAiw4AKDFlEtiXGea/5HXGP9ckGr3vaeqgwCgs+px hj5j7dctmHygkr0Dk6hp9DI= =JzuD -----END PGP SIGNATURE----- ------------------------------------------------------------------------- This List Sponsored by: WebrootDon't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise http://www.webroot.com/forms/enterprise_lead.php --------------------------------------------------------------------------
Current thread:
- Re: Expired certificates nospam (May 01)
- <Possible follow-ups>
- Re: Expired certificates Derek Schaible (May 01)
- RE: Expired certificates Gaydosh, Adam (May 04)