Security Basics mailing list archives
Re: Expired certificates
From: nospam <nospam () dranem org>
Date: Sat, 29 Apr 2006 17:22:00 -0300
Kenton Smith wrote:
This seems like a bit of a pointless argument. If they have no other reason for removing it other than convenience, I don't see why you don't just remove it. That aside, I suppose the only security risk I can see is that there is information on that certificate someone could use against you. It is possible that they could take that information and spoof the site and certificate. That's about the only security risk to leaving it there that I can think of. Kenton --- 1tgeye () surewest net wrote:We have an IIS server with an old certificate that has expired. We do not use it anymore and I am arguing to remove it from the site. Other people are saying it doesn't hurt anything and just leave it there. Can anyone give me a reason why an unused but expired certificate could cause a security risk? I would like to add that to my argument why it should be removed.-----------------------------------------------------------------------
It'll get the users thinking 'it's ok to accept expired certificates' this is never a good thing; they are influenced [improperly] in too many other ways ------------------------------------------------------------------------- This List Sponsored by: Webroot Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks. FREE 30-Day Trial of Spy Sweeper Enterprise http://www.webroot.com/forms/enterprise_lead.php --------------------------------------------------------------------------
Current thread:
- Re: Expired certificates nospam (May 01)
- <Possible follow-ups>
- Re: Expired certificates Derek Schaible (May 01)
- RE: Expired certificates Gaydosh, Adam (May 04)