Re: Expired certificates

[Derek Schaible <dschaible () cssiinc com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have a thought on this topic. While on the surface it seems like a  
mundane issue, who really cares beyond desensitizing users about  
security warnings? However, a bigger issue may in fact exist: A  
certificate expires for several reasons. A primary reason for  
expiring a certificate is because the lifetime of the key has passed  
and could have been cracked. Keeping that key alive on the server  
tells a hacker that the maintainer does not care about the key's life  
cycle and could have other such keys on the network.

You see, if a key with a certain level of encryption could  
theoretically be cracked in say 3 years with modern technology, good  
practice says expire the certificate in about 2 years. The  
certificate is not the key, merely a voucher for the authenticity of  
the key. If the cert has expired, the key technically should no  
longer be trusted.

So, leaving it in place could mean someone has extra time to crack  
the key.

I'd recommend it's removal immediately, personally. If not for the  
unlikeliness of it being cracked, then out of respect for maintaining  
sound practices for your users to follow. The cost of replacing the  
certificate is very cheap in the grand scheme of computing costs.

- -d


On Apr 28, 2006, at 12:18 PM, Kenton Smith wrote:

> This seems like a bit of a pointless argument. If they
> have no other reason for removing it other than
> convenience, I don't see why you don't just remove it.
> That aside, I suppose the only security risk I can see
> is that there is information on that certificate
> someone could use against you. It is possible that
> they could take that information and spoof the site
> and certificate.
> That's about the only security risk to leaving it
> there that I can think of.
>
> Kenton
>
> --- 1tgeye () surewest net wrote:
>
> > We have an IIS server with an old certificate that
> > has expired.  We do not use it anymore and I am
> > arguing to remove it from the site.  Other people
> > are saying it doesn't hurt anything and just leave
> > it there.
> >
> > Can anyone give me a reason why an unused but
> > expired certificate could cause a security risk?  I
> > would like to add that to my argument why it should
> > be removed.
> ---------------------------------------------------------------------- 
> ---
> > This List Sponsored by: Webroot
> >
> > Don't leave your confidential company and customer
> > records un-protected.
> > Try Webroot's Spy Sweeper Enterprise(TM) for 30 days
> > for FREE with no
> > obligation. See why so many companies trust Spy
> > Sweeper Enterprise to
> > eradicate spyware from their networks.
> > FREE 30-Day Trial of Spy Sweeper Enterprise
> >
> > http://www.webroot.com/forms/enterprise_lead.php
> ---------------------------------------------------------------------- 
> ----
> >
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
> ---------------------------------------------------------------------- 
> ---
> This List Sponsored by: Webroot
>
> Don't leave your confidential company and customer records un- 
> protected.
> Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
> obligation. See why so many companies trust Spy Sweeper Enterprise to
> eradicate spyware from their networks.
> FREE 30-Day Trial of Spy Sweeper Enterprise
>
> http://www.webroot.com/forms/enterprise_lead.php
> ---------------------------------------------------------------------- 
> ----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEUn5qaMpDBGs574MRAiw4AKDFlEtiXGea/5HXGP9ckGr3vaeqgwCgs+px
hj5j7dctmHygkr0Dk6hp9DI=
=JzuD
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. 
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
obligation. See why so many companies trust Spy Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------