Re: Cert expired - ssl still working - whats the risk?

Giganews Newsgroups
Subject: Re: Cert expired - ssl still working - whats the risk?
Posted by:  Alun Jones (alun@texis.invalid)
Date: Thu, 8 Nov 2007

"fpjr843" <fpjr8…@discussions.microsoft.com> wrote in message
news:F4ED5152-9565-4955-B06E-FE26769351…@microsoft.com...
> Looking for some feedback from the folks here that I can give to senior
> management.
> My employees use a web-based application that is hosted by one of our
> partners.  Staff enter confidential and sensitive information on this web
> site.  Yesterday the digital certificate expired and the site administrators
> are not reacting very quickly to get it renewed.  I, as "big I.T. security",
> have blocked my employees from accessing the web site.  But now the manager
> of the program is painting me as the stronghanded big brother.  It's stopping
> productivity and business flow.  I realize that even though the cert expired
> SSL is still working and encrypting the data.  My sense is the only thing
> lost by not having a valid cert is the ability to know for sure what web site
> we are talking to.  So what do you all think?  Did I do the proper thing by
> blocking access or should I relax a little?

SSL provides a few key things:
1. Authentication of the server - a guarantee that the host of the site has
proven to the satisfaction of an entity you trust that they are entitled to
host that site.
2. Encryption of data. [Yes, this can be disabled, but that's generally
something only a developer would do when testing.]
3. Integrity of data - from start to finish, no data has been dropped or
re-ordered, and that the finish itself is the true finish of the data, and
it hasn't been truncated by an attacker forging a closure.
4. Optional authentication of the client.

So, yes, you have lost item 1, because the host has not been able to prove
its identity recently enough to satisfy the CA's requirements for regular
re-identification. If you're on an internal system accessing another
internal system through an internal network with addresses provided by
internal DNS servers, then you probably have little to worry about. [If that
doesn't sound like a ringing endorsement, it's deliberate.]

But what else do you lose, if you give your employees instructions on how to
ignore the security message and simply click through?

You will lose your employees' cooperation in the security of your system.

You will have _trained_ your employees that it's acceptable to ignore a
security warning, and to simply click straight through it.

You will have also trained your IT department that renewing of certificates
is not an important task, and can be deferred, because "everyone just clicks
through anyway".

It's not the technical issue that is your biggest problem, right now, it's
the fact that you're being asked to tell your users and your staff that
security warnings are unimportant and can be ignored. That's an awareness
campaign that will take hundreds of expensive security awareness posters and
training sessions over several years to counteract, if you ever can.

Alun.
~~~~

In response to

Cert expired - ssl still working - whats the risk? posted by fpjr843 on Thu, 8 Nov 2007
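
The following is an added example, not part of the thread or of either poster's message. It sketches a renewal check that flags a certificate before it lapses, and a probe that reports whether a failed validation is really "expired" rather than a hostname mismatch or an untrusted issuer. The 30-day window, the function names and the sample dates are assumptions made for illustration.

```python
import datetime as dt
import socket
import ssl

WARN_DAYS = 30  # assumed renewal window, not taken from the thread


def expiry_status(cert, now, warn_days=WARN_DAYS):
    """Classify a getpeercert()-style dict at time `now` (timezone-aware UTC).

    Returns (status, days), where days counts to notAfter (negative once
    expired) or, for "not-yet-valid", to notBefore.
    """
    utc = dt.timezone.utc
    not_before = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), utc)
    not_after = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), utc)
    if now < not_before:
        return "not-yet-valid", (not_before - now).days
    days_left = (not_after - now).days
    if now > not_after:
        return "expired", days_left
    if days_left <= warn_days:
        return "renew-soon", days_left
    return "ok", days_left


def probe(host, port=443, timeout=5):
    """Handshake with full verification; on failure return the reason string."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                now = dt.datetime.now(dt.timezone.utc)
                return expiry_status(tls.getpeercert(), now)
    except ssl.SSLCertVerificationError as exc:
        # verify_message separates "certificate has expired" from a hostname
        # mismatch or an untrusted issuer, which are different problems.
        return "verify-failed", exc.verify_message


# Constructed sample, not real certificate data; dates chosen to match the post.
SAMPLE = {"notBefore": "Nov  7 00:00:00 2006 GMT",
          "notAfter": "Nov  7 23:59:59 2007 GMT"}

if __name__ == "__main__":
    for day in (dt.datetime(2007, 10, 20), dt.datetime(2007, 11, 8)):
        print(day.date(), expiry_status(SAMPLE, day.replace(tzinfo=dt.timezone.utc)))
```

`probe()` needs network access and is not called on import; run on a schedule against a partner-hosted site, it gives advance notice that a renewal is due.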