RE: CERTIFICATE
- From: "Ziemniak, Terrence M." <tziemn2@xxxxxxxxxxx>
- Date: Mon, 28 Jan 2008 13:07:00 -0500
Encryption and authentication are independent of each other.
Holding a valid certificate says that the signing authority (e.g.
Verisign) attests that you (i.e. the web server servicing your site) are
who you claim to be. Conversely if your certificate is not accepted by
your browser (due to name conflict, expiration, or revocation) your
identity is in question.
But if you accept the invalid certificate, the server and client will
still utilize HTTPS based on whatever configuration they can negotiate.
So yes the data will still by encrypted. If you want to see this in
action, fire up wireshark.
Other uses of certificates may get a little more complicated. For
example if you use certificates to authenticate to VPN, an expired cert
will prevent you from getting onto the VPN. But in that case you are
still not running cleartext - you are just not running at all.
Terry
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of anon@xxxxxxxxx
Sent: Monday, January 28, 2008 1:28 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: CERTIFICATE
could someone tell me what would happen to encrypted traffic if you have
an expired certificate?? Does the traffic flow in clear text
henceforth?? or just that the credebility of traffic from that source
cannot be accounted for??
- Follow-Ups:
- Re: CERTIFICATE
- From: Ryan Chow
- Re: CERTIFICATE
- Prev by Date: Re: CERTIFICATE
- Next by Date: Re: CERTIFICATE
- Previous by thread: RE: CERTIFICATE
- Next by thread: Re: CERTIFICATE
- Index(es):
Relevant Pages
|
