|
| ▲ | russell_h 5 hours ago | parent | next [-] |
| I think the argument would go that if people are clicking through certificate errors and you're in a position to MITM their traffic, you can just serve them a different certificate and they'll click through the error without noticing or understanding the specifics. |
| |
| ▲ | eli 4 hours ago | parent | next [-] | | IMHO host mismatch is more serious than expired cert and browsers should treat it as such | |
| ▲ | austin-cheney 4 hours ago | parent | prev | next [-] | | That could happen either way regardless of expiry. The only reason for an expiration date is to force site owners to cycle their certs at regular intervals to defeat the long time it takes to brute force a successful forgery. | |
| ▲ | sciencejerk 4 hours ago | parent | prev [-] | | Fair point, but I think the situation is a bit more complicated when a user "needs the site for work", or something urgent. You might have smart cautious users that feel like they have no choice but to proceed and click through the warnings since the site is most likely still legitimate |
|
|
| ▲ | LeifCarrotson 5 hours ago | parent | prev | next [-] |
| It's true that the expiration doesn't mean the encryption no longer works, but if the user is under a MITM attack and is presented by their browser with a warning that the certificate is invalid, then the encryption will still work but the encrypted communication will be happening with the wrong party. I don't trust the average user to inspect the certificate and understand the reason for the browser's rejection. |
| |
| ▲ | umanwizard 4 hours ago | parent | next [-] | | Okay, but that’s not what was being asked. OP, someone who presumably understands the difference between a totally invalid cert and an expired one, was asking specifically whether clicking through the latter is dangerous. | | |
| ▲ | axus 4 hours ago | parent [-] | | "Visitors to the site are vulnerable to Man in the Middle (MitM) attacks, IF they click past the warning". I think it's true when there is a man in the middle. | | |
| ▲ | fylo 3 hours ago | parent [-] | | Based on history of this type of attack, it can also be true with a valid certificate ;) |
|
| |
| ▲ | wang_li 4 hours ago | parent | prev [-] | | It's entirely the second paragraph and not part of certificate expiration, in and of itself, lends to being MITM. Firefox tells me what the problem is, expired, wrong name, etc. So, it's not just saying "oh no, something is wrong." I can tell what is wrong before I choose to proceed. |
|
|
| ▲ | hamdingers 4 hours ago | parent | prev | next [-] |
| This is an infohazard. True information that can cause harm or enable some agent to cause harm. Telling people not to worry about expired cert warnings makes them vulnerable to a variety of attacks. |
|
| ▲ | f_devd 5 hours ago | parent | prev | next [-] |
| I think they mean that a non-observant visitor cannot tell the difference between both situations |
|
| ▲ | ktm5j 2 hours ago | parent | prev | next [-] |
| That's not what man in the middle attacks are about.. it's not about the encryption, it's about verifying that you really know who you're talking to. |
|
| ▲ | KaiserPro 3 hours ago | parent | prev [-] |
| If you're ignoring certificate warnings, then you'll ignore mismatching domain warnings. More over, if your org's browser setting allow you to override the warnings, thast also pretty bad for anything other than a small subset of your team. |
