[Cryptography] Government shutdown: TLS certificates not renewed, many websites are down

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Jan 11 03:54:07 EST 2019


Udhay Shankar N <udhay at pobox.com> writes:

>https://www.zdnet.com/article/government-shutdown-tls-certificates-not-renewed-many-websites-are-down/

  Nevertheless, visitors are warned not to log in or perform any sensitive
  operations on these sites, as traffic and authentication credentials aren't
  encrypted and could be intercepted by threat actors.

Well, that bit at least is wrong.  The sites are no less secure now than they
were before the cert expired.  The appropriate handling for expired certs is
to just keep using them as normal for a week or so and give them a chance to
get replaced, maybe warn slightly (e.g. via a visual indicator) for the next
couple of months after that, then switch to a harder-to-ignore warning for the
next few months (something you have to click past), and after that go to the
current behaviour.

Peter.
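
The graduated handling described in the message above, sketched as an added example (not part of the original post and not any browser's code). The day thresholds and action names are assumptions, since the post gives only approximate periods, and so is the choice to fail immediately on any non-expiry validation error.

```python
import ssl
from datetime import datetime, timezone

DAY = 86400
# Assumed thresholds; the post says only "a week or so", "couple of months"
# and "next few months".
GRACE_DAYS = 7
INDICATOR_DAYS = GRACE_DAYS + 60
CLICK_THROUGH_DAYS = INDICATOR_DAYS + 90


def expiry_action(not_after, now, other_errors=()):
    """Map a certificate's notAfter to a client-side action.

    not_after    -- string in the format ssl.getpeercert() returns
    now          -- timezone-aware datetime
    other_errors -- validation failures unrelated to expiry (bad chain,
                    name mismatch, revocation); the graduated policy covers
                    expiry only, so any of these fails immediately.
    """
    if other_errors:
        return "full-error"
    expired_for = now.timestamp() - ssl.cert_time_to_seconds(not_after)
    if expired_for <= 0:
        return "accept"            # still within its validity period
    days = expired_for / DAY
    if days <= GRACE_DAYS:
        return "grace"             # keep using as normal; worth logging
    if days <= INDICATOR_DAYS:
        return "indicator"         # slight visual warning
    if days <= CLICK_THROUGH_DAYS:
        return "click-through"     # warning the user must click past
    return "full-error"            # the "current behaviour" in the post


if __name__ == "__main__":
    # Constructed sample expiry date, not taken from any real certificate.
    sample = "Jan  4 00:00:00 2019 GMT"
    for when in (datetime(2019, 1, 8, tzinfo=timezone.utc),
                 datetime(2019, 2, 1, tzinfo=timezone.utc),
                 datetime(2019, 12, 1, tzinfo=timezone.utc)):
        print(when.date(), expiry_action(sample, when))
```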

