Security Basics mailing list archives
RE: Expired certificates
From: "Gaydosh, Adam" <GaydoshA () ctc com>
Date: Thu, 4 May 2006 13:32:40 -0400
Clients should not be prompted to accept the expired certificate, e.g. if there is a new certificate being used...this was not clear in the OP other than "We do not use it anymore...", although I agree it'd be poor conditioning for the users if they were in fact prompted. The information in a certificate is public by nature, including the public key, so the security risk is the private key...since it can be used to decrypt (archived, if no longer in use) SSL sessions, you should not leave it dormant on the web server, but archived off-line (as dictated by your security policies ;). Not to mention why any sensible sys admin would lobby to keep expired certificates cluttering the certificate store...
-----Original Message-----
From: nospam [mailto:nospam () dranem org]
Sent: Saturday, April 29, 2006 4:22 PM
Cc: Security-Basics
Subject: Re: Expired certificates

Kenton Smith wrote:
> This seems like a bit of a pointless argument. If they have no other reason for removing it other than convenience, I don't see why you don't just remove it.
> That aside, I suppose the only security risk I can see is that there is information on that certificate someone could use against you. It is possible that they could take that information and spoof the site and certificate. That's about the only security risk to leaving it there that I can think of.
> Kenton
>
> --- 1tgeye () surewest net wrote:
>> We have an IIS server with an old certificate that has expired. We do not use it anymore and I am arguing to remove it from the site. Other people are saying it doesn't hurt anything and just leave it there. Can anyone give me a reason why an unused but expired certificate could cause a security risk? I would like to add that to my argument why it should be removed.

It'll get the users thinking 'it's ok to accept expired certificates' this is never a good thing; they are influenced [improperly] in too many other ways
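Added example, not part of the thread above: a PowerShell audit of the IIS host's machine certificate store that does what the message recommends, i.e. finds expired certificates, flags the ones still holding a private key, checks whether any expired thumbprint is still referenced by an http.sys SSL binding, and then archives the key off the server before removing the store entry. It assumes Windows PowerShell 3+ with the Cert: provider and the PKI module (Export-PfxCertificate), an elevated session, and that the private keys were marked exportable when imported; the archive path is a placeholder to replace with your off-line archive location.

```powershell
# Audit Cert:\LocalMachine\My for expired certificates and report which ones
# still carry a private key (the part that actually matters, per the thread).
function Get-ExpiredStoreCertificate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.NotAfter -lt $now } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

$expired = Get-ExpiredStoreCertificate
$expired | Sort-Object NotAfter | Format-Table -AutoSize

# IIS terminates TLS in http.sys; an expired certificate that is still bound
# to a listener must be rebound to a current one before it is removed.
# -match is case-insensitive, so the uppercase store thumbprint matches the
# lowercase hash netsh prints.
$bindings = netsh http show sslcert
foreach ($cert in $expired) {
    if ($bindings -match $cert.Thumbprint) {
        Write-Warning "Expired certificate $($cert.Thumbprint) is still referenced by an SSL binding; rebind before removing it."
    }
}

# Archive each expired certificate WITH its private key to a PFX, then remove
# the store entry. Remove-Item runs with -WhatIf as a preview; drop -WhatIf
# once the archive has been verified and moved off the server.
$archiveDir = Join-Path $env:TEMP 'expired-cert-archive'   # placeholder; use your off-line archive location
New-Item -ItemType Directory -Path $archiveDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString 'PFX archive password'

foreach ($cert in ($expired | Where-Object HasPrivateKey)) {
    $pfxPath = Join-Path $archiveDir "$($cert.Thumbprint).pfx"
    # Fails if the key was imported as non-exportable; such a key cannot be
    # copied off the box and is simply destroyed when the entry is removed.
    Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" |
        Export-PfxCertificate -FilePath $pfxPath -Password $pfxPassword | Out-Null
    Write-Host "Archived $($cert.Thumbprint) to $pfxPath"
    Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -WhatIf
}
```

The HasPrivateKey column is the one to act on: an expired certificate without a key is just clutter, while one with a key lets whoever obtains it decrypt any captured RSA-key-exchange sessions from the certificate's lifetime, which is why the key should live in an off-line archive rather than in the live store.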