[Cryptography] Government shutdown: TLS certificates not renewed, many websites are down

John Levine johnl at iecc.com
Fri Jan 11 15:41:09 EST 2019


In article <1547196841482.423 at cs.auckland.ac.nz> you write:
>Udhay Shankar N <udhay at pobox.com> writes:
>
>>https://www.zdnet.com/article/government-shutdown-tls-certificates-not-renewed-many-websites-are-down/
>
>  Nevertheless, visitors are warned not to log in or perform any sensitive
>  operations on these sites, as traffic and authentication credentials aren't
>  encrypted and could be intercepted by threat actors.
>
>Well, that bit at least is wrong.  The sites are no less secure now than they
>were before the cert expired.  The appropriate handling for expired certs is
>to just keep using them as normal for a week or so ...

You don't have to remind us how awful the interface is for human users of PKI.

For anyone on this list, it's easy enough to do the magic clicks to
get the cert and look at the dates, then decide whether it looks like
an oversight that expired three days ago or an abandoned site with a
Verisign cert from 2013.

But now explain that to my generic non-technical user, my perfectly
smart 82-year-old mother-in-law.  I think I could get as far as "it's
probably OK if it was OK last week and nothing else has changed", but
there's no way she's going to be squinting at cert internals.

Given that, while the article's advice is technically confused (of
course the traffic is still encrypted), the general message not to
trust stale certs is reasonable.

R's,
John
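Added here as an illustration, not part of John's mail or anything else in the thread: a stdlib-only Python sketch of the "look at the dates" step, walking the DER tbsCertificate for notBefore/notAfter and then applying the "OK if it was OK last week and nothing else has changed" rule. The certificate it checks is constructed inside the block and unsigned, and the seven-day grace period is an assumption taken from the quoted "a week or so".

```python
import hashlib
from datetime import datetime, timezone

def _tlv(data, pos):
    """Read one DER TLV at pos -> (tag, value, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits give the length's byte count
        size, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(data[pos - size:pos], "big")
    return tag, data[pos:pos + length], pos + length
def _children(body):                   # all TLVs inside one SEQUENCE body
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out
def _time(tag, val):                   # 0x17 UTCTime (two-digit year), 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
def validity(cert_der):
    """(notBefore, notAfter) of a DER X.509 certificate, no library needed."""
    _, cert, _ = _tlv(cert_der, 0)
    tbs = [f for f in _children(_children(cert)[0][1]) if f[0] != 0xA0]   # drop explicit [0] version
    not_before, not_after = _children(tbs[3][1])   # serial, sigalg, issuer, then validity
    return _time(*not_before), _time(*not_after)
def fingerprint(cert_der): return hashlib.sha256(cert_der).hexdigest()
def utc(*parts): return datetime(*parts, tzinfo=timezone.utc)

def assess(cert_der, now, previously_seen=None, grace_days=7):
    """'Probably OK if it was OK last week and nothing else has changed': only a
    short-expired cert that is byte-for-byte the one accepted earlier passes."""
    not_before, not_after = validity(cert_der)
    if not_before <= now <= not_after:
        return "valid"
    days = (now - not_after).days
    if 0 <= days <= grace_days and previously_seen == fingerprint(cert_der):
        return f"expired {days} days ago, same cert as before: likely oversight"
    return f"expired {days} days ago: treat as stale"

def _der(tag, body):                   # DER encoder, used only to build the constructed sample
    n = len(body); size = (n.bit_length() + 7) // 8
    return bytes([tag, n]) + body if n < 0x80 else bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def sample_cert(not_before, not_after):   # constructed, unsigned stand-in with the fields the parser walks
    t = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")  # version, serial, sigalg
           + _der(0x30, b"") + _der(0x30, t(not_before) + t(not_after))               # issuer, validity
           + _der(0x30, b"") + _der(0x30, b"\x00" * 300))                             # subject, dummy SPKI
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

The fingerprint comparison is what makes the grace period defensible: a cert that expired three days ago but is not the one seen last week is exactly the "something else has changed" case.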
