Another entry in the internet security hall of shame....
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Aug 26 09:56:32 EDT 2005
John Kelsey <kelsey.j at ix.netcom.com> writes:
>Recently, Earthlink's webmail server certificate started showing up as
>expired. (It obviously expired a long time ago; I suspect someone must have
>screwed up in changing keys over or something, because the problem wasn't
>happening up until recently.)
This is now the third time in the last few months in which invalid/expired SSL
server certs have totally failed to have any effect, at least until a security
person noticed that there was a problem. Maybe one of the HCI people reading
the list could be persuaded to investigate whether SSL server certs have any
real security value and/or what changes to the UI need to be made to make them
useful. Alternatively, how long can you get away with a $19.95 cert from
Honest Joe's Used Cars and Certificates that expired several years ago?
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com