Re: CERTIFICATE



Whilst from an information security perspective the data being exchanged is still being encrypted, there is a liability issue with trusting an expired certificate.

If the certificate was issued by a Trusted Third Party (not from an internal Certification Authority), i.e. VeriSign, then by trusting an expired certificate, if there were to be any issues, there may be no recourse for damages due to there being a waiver of liability.

You can find out more by obtaining the Certification Practice Statement and applicable Certificate Policy from the Trusted Third Party which will outline the legal liability.

regards,

Ryan.

On 28/01/2008, at 12:07 PM, Ziemniak, Terrence M. wrote:

Encryption and authentication are independent of each other.

Holding a valid certificate says that the signing authority (e.g.
Verisign) attests that you (i.e. the web server servicing your site) are
who you claim to be. Conversely if your certificate is not accepted by
your browser (due to name conflict, expiration, or revocation) your
identity is in question.

But if you accept the invalid certificate, the server and client will
still utilize HTTPS based on whatever configuration they can negotiate.
So yes, the data will still be encrypted. If you want to see this in
action, fire up Wireshark.

Other uses of certificates may get a little more complicated. For
example if you use certificates to authenticate to VPN, an expired cert
will prevent you from getting onto the VPN. But in that case you are
still not running cleartext - you are just not running at all.

Terry

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx ]
On Behalf Of anon@xxxxxxxxx
Sent: Monday, January 28, 2008 1:28 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: CERTIFICATE

could someone tell me what would happen to encrypted traffic if you have
an expired certificate?? Does the traffic flow in clear text
henceforth?? or just that the credibility of traffic from that source
cannot be accounted for??
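
The distinction drawn in the thread above, that certificate validity (authentication) and the negotiated cipher (encryption) are separate findings, as an added Python example that is not part of the original messages. The `assess` function and the sample certificate and cipher values are constructed for illustration; the dictionary and tuple shapes follow what `ssl.SSLSocket.getpeercert()` and `ssl.SSLSocket.cipher()` return.

```python
import ssl
from datetime import datetime, timezone

def _name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def assess(cert, cipher, host, now):
    """Report authentication and encryption as two separate findings.

    cert   -- dict in the shape returned by ssl.SSLSocket.getpeercert()
    cipher -- tuple in the shape returned by ssl.SSLSocket.cipher(), or None
    now    -- timezone-aware datetime used as the evaluation time
    """
    ts = now.timestamp()
    problems = []
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_name_matches(n, host) for n in names):
        problems.append("name mismatch")
    # Revocation (CRL/OCSP) needs a network lookup and is not modelled here.
    return {
        "authenticated": not problems,
        "problems": problems,
        # cipher[2] is the number of secret bits; 0 would mean a NULL cipher.
        "encrypted": cipher is not None and cipher[2] > 0,
    }

# Constructed sample values, not taken from any real site.
SAMPLE_CERT = {
    "notBefore": "Jan 28 00:00:00 2007 GMT",
    "notAfter": "Jan 27 23:59:59 2008 GMT",
    "subjectAltName": (("DNS", "www.example.com"),),
}
SAMPLE_CIPHER = ("AES256-SHA", "TLSv1", 256)

if __name__ == "__main__":
    when = datetime(2008, 1, 28, 12, 7, tzinfo=timezone.utc)
    print(assess(SAMPLE_CERT, SAMPLE_CIPHER, "www.example.com", when))
```

With the sample values the certificate fails the expiry check while the session still reports a 256-bit cipher, which is the case the original question asks about.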


