Re: Cert expired - ssl still working - whats the risk?

Giganews Newsgroups
Subject: Re: Cert expired - ssl still working - whats the risk?
Posted by: Brian Komar
Date: Thu, 8 Nov 2007

What is your written security policy (sorry, not yours, the organization's)?
If the policy states that the site must be protected by a valid SSL
certificate, then you are in the right.
If the policy states that data must be encrypted over the wire, then you
could interpret this as still being valid.
You are right that the problem should be fixed (it is a bad idea to get
users thinking that the warning box should be ignored).
You could be one DNS attack away from users connecting to a rogue site and
inputting confidential information.


"fpjr843" <fpjr8…> wrote in message
> Looking for some feedback from the folks here that I can give to senior
> management.
> My employees use a web-based application that is hosted by one of our
> partners.  Staff enter confidential and sensitive information on this web
> site.  Yesterday the digital certificate expired and the site administrators
> are not reacting very quickly to get it renewed.  I, as "big I.T. security",
> have blocked my employees from accessing the web site.  But now the manager
> of the program is painting me as the stronghanded big brother.  It's stopping
> productivity and business flow.  I realize that even though the cert expired
> SSL is still working and encrypting the data.  My sense is the only thing
> lost by not having a valid cert is the ability to know for sure what web site
> we are talking to.  So what do you all think?  Did I do the proper thing by
> blocking access or should I relax a little?



In response to

Cert expired - ssl still working - whats the risk? posted by fpjr843 on Thu, 8 Nov 2007
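
Added example, not written by either poster: a monitoring check that reports the two properties discussed in this thread separately, whether the certificate names the host and whether it is inside its validity window, so renewal is flagged before users ever see a warning box. The certificate dicts are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host names, dates and the `warn_days` threshold are assumptions.

```python
import calendar
import ssl

def name_matches(cert, host):
    """True if host equals a DNS subjectAltName or fits a left-most '*.' wildcard."""
    host = host.lower()
    parent = host.split(".", 1)[1] if "." in host else ""
    for kind, value in cert.get("subjectAltName", ()):
        pattern = value.lower()
        if kind != "DNS":
            continue
        if pattern == host or (parent and pattern.startswith("*.")
                               and pattern[2:] == parent):
            return True
    return False

def assess(cert, host, now, warn_days=30):
    """Report identity and validity separately; warn_days is an assumed threshold."""
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400
    if days_left < 0:
        validity = "EXPIRED"
    elif days_left <= warn_days:
        validity = "RENEW_SOON"
    else:
        validity = "OK"
    return {"name_ok": name_matches(cert, host), "validity": validity,
            "days_left": days_left}

# Constructed sample data (hypothetical host and certificates, not from the thread).
HOST = "app.partner.example"
NOW = calendar.timegm((2007, 11, 8, 12, 0, 0))
EXPIRED_CERT = {"notAfter": "Nov  7 12:00:00 2007 GMT",
                "subjectAltName": (("DNS", "app.partner.example"),)}
SOON_CERT = {"notAfter": "Nov 20 12:00:00 2007 GMT",
             "subjectAltName": (("DNS", "*.partner.example"),)}
WRONG_NAME_CERT = {"notAfter": "Nov  8 12:00:00 2008 GMT",
                   "subjectAltName": (("DNS", "www.other.example"),)}

if __name__ == "__main__":
    for label, cert in (("expired", EXPIRED_CERT), ("soon", SOON_CERT),
                        ("wrong name", WRONG_NAME_CERT)):
        print(label, assess(cert, HOST, NOW))
```

This inspects only the name and date fields; chain and signature validation stay with the TLS library, which is why the check is meant to run while the certificate still verifies.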