Security Basics mailing list archives
Re: Expired certificates
From: James Fryman <jfryman () gmail com>
Date: Wed, 26 Apr 2006 18:58:33 -0400
Here's a thought - maybe not a risk in the sense you are asking, but something to consider nonetheless. If the server in question is a production server, and requires that users connect to it on a regular basis, you are essentially training those users to flat out ignore the little warning that pops up when a certificate is invalid due to expiration or being untrusted. This may not seem like a major thing up front, but by doing this, you are showing users that these warnings that are supposed to throw up red flags to a user are just benign, and should be ignored.

So what happens if these same users are the victims of a phishing attack, and end up leaking personal information through the net? Let's go a step further... a hacker has penetrated the network, and now otherwise sensitive data that would be transmitted via SSL is subject to a MITM attack.

These scenarios may be far fetched, and may be the responsibility of the company. However, while not all users are the smartest... teaching them to ignore the warnings that pop up could in fact come back to bite you in a way that you might not have expected.

Just some thoughts.

Cheers!
-James Fryman

.:: On 04/26/2006 11:50 AM - 1tgeye () surewest net wrote ::.
> We have an IIS server with an old certificate that has expired. We do not use it anymore and I am arguing to remove it from the site. Other people are saying it doesn't hurt anything and just leave it there. Can anyone give me a reason why an unused but expired certificate could cause a security risk? I would like to add that to my argument why it should be removed.
>
> -------------------------------------------------------------------------
> This List Sponsored by: Webroot
> Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks.
> FREE 30-Day Trial of Spy Sweeper Enterprise
> http://www.webroot.com/forms/enterprise_lead.php
> --------------------------------------------------------------------------
--
-------------------------
James Fryman
E-Mail : jfryman () gmail com
Cell : 757.812.3126
GnuPG : 0xDAE2C750
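The first step in settling an argument like the one above is an inventory of what certificates are actually being served and how far past (or close to) their notAfter dates they are. The script below is an added example, not code from either poster: it classifies certificate records in the dict shape Python's ssl.SSLSocket.getpeercert() returns, using a few constructed sample records with made-up hostnames, and includes a helper for pulling a live server's certificate when network access is available.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample records in the shape returned by ssl.SSLSocket.getpeercert(),
# trimmed to the fields this audit needs. Hostnames and dates are invented.
SAMPLE_CERTS = [
    {"subject": ((("commonName", "old-iis.example.test"),),),
     "notBefore": "Jan 10 00:00:00 2005 GMT", "notAfter": "Jan 10 00:00:00 2006 GMT"},
    {"subject": ((("commonName", "www.example.test"),),),
     "notBefore": "Apr 01 00:00:00 2006 GMT", "notAfter": "May 15 00:00:00 2006 GMT"},
    {"subject": ((("commonName", "intranet.example.test"),),),
     "notBefore": "Jan 01 00:00:00 2006 GMT", "notAfter": "Jan 01 00:00:00 2008 GMT"},
]

def common_name(cert):
    """Pull the subject CN out of getpeercert()'s nested RDN tuples."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"

def cert_status(cert, now, warn_days=30):
    """Classify one certificate relative to `now` (a timezone-aware UTC datetime).
    Returns (status, whole days until notAfter; negative once expired)."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = now.timestamp()
    days_left = int((not_after - now_ts) // 86400)
    if now_ts < not_before:
        return "not-yet-valid", days_left
    if now_ts >= not_after:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring", days_left
    return "valid", days_left

def audit(certs, now, warn_days=30):
    """One (common name, status, days) row per certificate; anything not 'valid' needs action."""
    return [(common_name(c),) + cert_status(c, now, warn_days) for c in certs]

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live server's certificate in the same dict shape (needs network access).
    The default context verifies the chain, so an expired or untrusted certificate raises
    ssl.SSLCertVerificationError here; that exception is itself the finding to record."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    as_of = datetime(2006, 4, 26, 12, 0, tzinfo=timezone.utc)  # date of this thread
    for cn, status, days in audit(SAMPLE_CERTS, as_of):
        print(f"{cn:24} {status:14} {days:+5d} days")
```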
Current thread:
- Expired certificates 1tgeye (Apr 26)
- Re: Expired certificates James Fryman (Apr 28)
- Re: Expired certificates Brooks Garrett (Apr 28)
- Re: Expired certificates Kenton Smith (Apr 28)
- <Possible follow-ups>
- Re: Expired certificates vachanta (Apr 28)
- RE: Expired certificates Steve Armstrong (Apr 28)
- Re: Expired certificates edward . luck (Apr 28)
- Re: Expired certificates anthonylai (Apr 28)
- Re: Expired certificates wojtekp (Apr 28)