Cert expired - SSL still working - what's the risk?

Subject: Cert expired - SSL still working - what's the risk?
Posted by:  fpjr843 (fpjr8…@discussions.microsoft.com)
Date: Thu, 8 Nov 2007

Looking for some feedback from the folks here that I can give to senior
management.
My employees use a web-based application that is hosted by one of our
partners. Staff enter confidential and sensitive information on this web
site. Yesterday the digital certificate expired and the site administrators
are not reacting very quickly to get it renewed. I, as "big I.T. security",
have blocked my employees from accessing the web site. But now the manager
of the program is painting me as the strong-handed big brother. It's stopping
productivity and business flow. I realize that even though the cert expired,
SSL is still working and encrypting the data. My sense is the only thing
lost by not having a valid cert is the ability to know for sure what web site
we are talking to. So what do you all think? Did I do the proper thing by
blocking access or should I relax a little?

Replies