When I see the warning in my browser about an "Invalid Certificate" or "Untrusted Certificate", I might suspect a MITM attack on my network. Should I have the same concern when I see the "certificate expired" warning? As far as I know, it happens only when the server did not renew its certificate, and it only shows that the server might use old security standards. Should I worry about anything other than this?

e-sushi
Pilfility

2 Answers

7

If the certificate is expired (say, after two years), this means that a potential attacker had at least two years of time available to brute-force or otherwise attack the key. OK, this means more risk than when the cert is only a few months old, but with good keys there should still be virtually no sudden risk increase at the moment of expiry. Nevertheless, this aspect should not be discarded. (Also, old certs may have been produced in the good old days of less secure signatures.)

But more importantly, when a key that is still active is compromised, this fact may be advertised by revocation (e.g., CRL or OCSP). If a key gets compromised after its expiry, this is not done (simply because it would be a waste of resources to track those cases when the certs are invalid anyway by expiry).

In fact, it may be the case that the owner did renew the certificate, but what you are looking at is a fake site created by a MITM.

So, yes, you should be sufficiently worried (and worried as hell if that is any site of importance such as a banking site or a shop) and maybe inform the owner.

Hagen von Eitzen
-1

Mostly it is a trust issue.

If the client trusts invalid or expired certificates and is used to doing so, what lets him distinguish a legitimately expired/invalid certificate from a malicious one? He will probably click "yes" to every question without reading it...

Also, if you are not following the rules/standards, why implement them at all? To keep the traffic safe? But why should your customers trust that they are safe if you do not care about standards?

Hugo