Security Basics mailing list archives
Re: CERTIFICATE
From: Ryan Chow <rynchow () gmail com>
Date: Mon, 28 Jan 2008 20:23:36 -0600
Whilst from an information security perspective the data being exchanged is still being encrypted, there is a liability issue with trusting an expired certificate.
If the certificate was issued by a Trusted Third Party (not from an internal Certification Authority), i.e. VeriSign, then by trusting an expired certificate, if there were to be any issues, there may be no recourse for damages due to there being a waiver of liability.
You can find out more by obtaining the Certification Practice Statement and applicable Certificate Policy from the Trusted Third Party which will outline the legal liability.
regards, Ryan.

On 28/01/2008, at 12:07 PM, Ziemniak, Terrence M. wrote:
Encryption and authentication are independent of each other. Holding a valid certificate says that the signing authority (e.g. Verisign) attests that you (i.e. the web server servicing your site) are who you claim to be. Conversely, if your certificate is not accepted by your browser (due to name conflict, expiration, or revocation) your identity is in question. But if you accept the invalid certificate, the server and client will still utilize HTTPS based on whatever configuration they can negotiate. So yes, the data will still be encrypted. If you want to see this in action, fire up wireshark.

Other uses of certificates may get a little more complicated. For example, if you use certificates to authenticate to VPN, an expired cert will prevent you from getting onto the VPN. But in that case you are still not running cleartext - you are just not running at all.

Terry

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of anon () yahoo com
Sent: Monday, January 28, 2008 1:28 AM
To: security-basics () securityfocus com
Subject: CERTIFICATE

could someone tell me what would happen to encrypted traffic if you have an expired certificate?? Does the traffic flow in clear text henceforth?? or just that the credibility of traffic from that source cannot be accounted for??
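Terry's point, that accepting an expired certificate leaves the channel encrypted but the peer unauthenticated, shown as an added Go example (my code, not anything posted to the list). It assumes a constructed self-signed certificate for "localhost" whose validity ended yesterday and a loopback TCP listener; InsecureSkipVerify=true stands in for the user clicking through the browser warning.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

// connect builds a self-signed "localhost" certificate that expired yesterday
// (constructed test data), serves it on a loopback listener and connects to it.
// It reports whether a TLS session came up (application data would be
// encrypted) and whether the client refused the certificate as expired.
func connect(skipVerify bool) (established, expired bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore:    time.Now().Add(-48 * time.Hour),
		NotAfter:     time.Now().Add(-24 * time.Hour), // validity ended yesterday
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // freshly created DER, always parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts this issuer; only the dates are wrong
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() { // server side: one handshake, then hang up
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			tls.Server(c, &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}}).Handshake()
		}
	}()
	// skipVerify=true is what clicking through a browser warning amounts to.
	cli, hsErr := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: "localhost", RootCAs: pool, InsecureSkipVerify: skipVerify})
	if hsErr == nil {
		cli.Close()
	}
	var invalid x509.CertificateInvalidError
	return hsErr == nil, errors.As(hsErr, &invalid) && invalid.Reason == x509.Expired
}
```

connect(false) yields no session and an x509 "expired" rejection; connect(true) yields a negotiated, encrypted session to a server whose identity was never checked.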