Security Basics mailing list archives

Re: Expired certificates

From: James Fryman <jfryman () gmail com>
Date: Wed, 26 Apr 2006 18:58:33 -0400

Here's a thought - maybe not a risk in the sense you are asking, but
something to consider nonetheless.

If the server in question is a production server, and requires that
users connect to it on a regular basis, you are essentially training
those users to flat out ignore the little warning that pops up when a
certificate is invalid due to expiration or being untrusted.

This may not seem like a major thing up front, but by doing this, you
are showing users that these warning that are supposed to throw up red
flags to a user are just benign, and should be ignored. So what happens
if these same users are the victims of a phishing attack, and end up
leaking personal information through the net. Let's go a step further...
a hacker has penetrated the network, and now otherwise sensitive data
that would be transmitted via SSL is now subject to a MITM attack.

These scenarios may be far fetched, and may be the responsibility of the
company. However, while not all users are the smartest... teaching them
to ignore the warnings that pop up could in fact come back to bite you
in a way that you might not have expected.

Just some thoughts.

Cheers!
-James Fryman


.:: On 04/26/2006 11:50 AM - 1tgeye () surewest net wrote ::.

We have an IIS server with an old certificate that has expired.  We do not use it anymore and I am arguing to remove 
it from the site.  Other people are saying it doesn't hurt anything and just leave it there.

Can anyone give me a reason why an unused but expired certificate could cause a security risk?  I would like to add 
that to my argument why it should be removed.

-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. 
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
obligation. See why so many companies trust Spy Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------


-- 
-------------------------
James Fryman
E-Mail : jfryman () gmail com
Cell   : 757.812.3126
GnuPG  : 0xDAE2C750

-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. 
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
obligation. See why so many companies trust Spy Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------

Current thread:

Expired certificates 1tgeye (Apr 26)
- Re: Expired certificates James Fryman (Apr 28)
- Re: Expired certificates Brooks Garrett (Apr 28)
- Re: Expired certificates Kenton Smith (Apr 28)
- <Possible follow-ups>
- Re: Expired certificates vachanta (Apr 28)
- RE: Expired certificates Steve Armstrong (Apr 28)
- Re: Expired certificates edward . luck (Apr 28)
- Re: Expired certificates anthonylai (Apr 28)
- Re: Expired certificates wojtekp (Apr 28)