Cert expired - ssl still working - whats the risk?

Posted by fpjr843 on November 8, 2007, 11:02 am
Looking for some feedback from the folks here that I can give to senior
management.
My employees use a web-based application that is hosted by one of our
partners. Staff enter confidential and sensitive information on this web
site. Yesterday the digital certificate expired and the site administrators
are not reacting very quickly to get it renewed. I, as "big I.T. security",
have blocked my employees from accessing the web site. But now the manager
of the program is painting me as the strong-handed big brother. It's stopping
productivity and business flow. I realize that even though the cert expired
SSL is still working and encrypting the data. My sense is the only thing
lost by not having a valid cert is the ability to know for sure what web site
we are talking to. So what do you all think? Did I do the proper thing by
blocking access or should I relax a little?

Posted by Alun Jones on November 8, 2007, 4:51 pm

SSL provides a few key things:
1. Authentication of the server - a guarantee that the host of the site has
proven to the satisfaction of an entity you trust that they are entitled to
host that site.
2. Encryption of data. [Yes, this can be disabled, but that's generally
something only a developer would do when testing.]
3. Integrity of data - from start to finish, no data has been dropped or
re-ordered, and that the finish itself is the true finish of the data, and
it hasn't been truncated by an attacker forging a closure.
4. Optional authentication of the client.

So, yes, you have lost item 1, because the host has not been able to prove
its identity recently enough to satisfy the CA's requirements for regular
re-identification. If you're on an internal system accessing another
internal system through an internal network with addresses provided by
internal DNS servers, then you probably have little to worry about. [If that
doesn't sound like a ringing endorsement, it's deliberate.]

But what else do you lose, if you give your employees instructions on how to
ignore the security message and simply click through?

You will lose your employees' cooperation in the security of your system.

You will have _trained_ your employees that it's acceptable to ignore a
security warning, and to simply click straight through it.

You will have also trained your IT department that renewing certificates
is not an important task, and can be deferred, because "everyone just clicks
through anyway".

It's not the technical issue that is your biggest problem, right now, it's
the fact that you're being asked to tell your users and your staff that
security warnings are unimportant and can be ignored. That's an awareness
campaign that will take hundreds of expensive security awareness posters and
training sessions over several years to counteract, if you ever can.

Alun.
~~~~
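As an added example for this thread (written here, not code from Alun's post or from any product it mentions), the Go program below reproduces both halves of the original question in one process: it builds a constructed self-signed certificate for the hypothetical host name partner.example that expired yesterday, then runs a TLS handshake against it over loopback. With verification on, the handshake fails with the x509 expiry error; with verification off (the browser click-through), the handshake succeeds and the channel is encrypted, but item 1 above, server authentication, is gone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

const host = "partner.example" // constructed stand-in for the partner site's host name
// NewSelfSignedCert builds a constructed self-signed cert for host, valid for the 48 hours ending at notAfter.
func NewSelfSignedCert(notAfter time.Time) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand only fails if the OS RNG does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// Handshake runs one TLS handshake over loopback TCP and returns the client-side error. verify=false
// is the "just click through" case: the session is encrypted, but the server's identity goes unchecked.
func Handshake(cert tls.Certificate, verify bool) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // the partner's server, presenting whatever cert it was given
		if c, err := ln.Accept(); err == nil {
			tls.Server(c, &tls.Config{Certificates: []tls.Certificate{cert}}).Handshake()
			c.Close()
		}
	}()
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf) // trust the constructed cert as if a CA we trust had issued it
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: host, RootCAs: roots, InsecureSkipVerify: !verify})
	if err == nil {
		conn.Close()
	}
	return err
}
```

The same Handshake against a certificate whose NotAfter lies in the future verifies cleanly, which is the only thing the partner's renewal changes.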



Posted by Brian Komar on November 8, 2007, 11:50 pm
What is your written security policy (sorry, not yours, the organization's)?
If the policy states that the site must be protected by a valid SSL
certificate, then you are in the right.
If the policy states that data must be encrypted over the wire, then you
could interpret this as still being valid.
You are right that the problem should be fixed (it is a bad idea to get
users thinking that the warning box should be ignored).
You could be one DNS attack away from users connecting to a rogue site and
inputting confidential information.

Brian



Posted by James Matthews on November 11, 2007, 8:05 pm
Only if you trust the site

--

http://search.goldwatches.com/
http://www.jewelerslounge.com/


Posted by why not? on November 12, 2007, 9:33 pm
Get the manager of the programme to accept full responsibility for any
issues arising because of your concerns (but I bet they won't).

Get this in writing - see how quickly it is resolved.


> Only if you trust the site


