[Cryptography] Government shutdown: TLS certificates not renewed, many websites are down
Stephan Neuhaus
stephan.neuhaus at zhaw.ch
Mon Jan 14 03:12:42 EST 2019
On 11.01.19 21:41, John Levine wrote:
> In article <1547196841482.423 at cs.auckland.ac.nz> you write:
>> Udhay Shankar N <udhay at pobox.com> writes:
>>
>>> https://www.zdnet.com/article/government-shutdown-tls-certificates-not-renewed-many-websites-are-down/
>>
>> Nevertheless, visitors are warned not to log in or perform any sensitive
>> operations on these sites, as traffic and authentication credentials aren't
>> encrypted and could be intercepted by threat actors.
>>
>> Well, that bit at least is wrong. The sites are no less secure now than they
>> were before the cert expired. The appropriate handling for expired certs is
>> to just keep using them as normal for a week or so ...
>
> [...]
>
> For anyone on this list, it's easy enough to do the magic clicks to
> get the cert and look at the dates, then decide whether it looks like
> an oversight that expired three days ago or an abandoned site with a
> Verisign cert from 2013.
>
> But now explain that to my generic non-technical user, my perfectly
> smart 82 year old mother-in-law. I think I could get as far as "it's
> probably OK if it was OK last week and nothing else has changed", but
> there's no way she's going to be squinting at cert internals.
I made that point once (on this list even?), substituting my now
79-year-old fairly computer-savvy dad. For my troubles, I was told that
I was a bad son and should have more faith in my dad! The implication
was that the current PKI UI is fine, if only more people like me would
take the time to explain what Peter Gutmann calls "PKI Theology" to
people like my dad.
Somehow I retain my doubts about this.
Fun,
Stephan
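The "look at the dates and decide whether it is a three-day oversight or a 2013 abandonment" check, as an added example that is not part of this thread: a stdlib-only Python walker that reads notBefore/notAfter straight out of a DER certificate and labels it against a one-week grace window. The function names are mine, and SAMPLE_DER is a constructed stub carrying only the leading tbsCertificate fields the walker touches, not a real certificate.

```python
import datetime as dt

def _tlv(der, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _asn1_time(tag, raw):
    """Decode UTCTime (tag 0x17, RFC 5280 two-digit-year rule) or GeneralizedTime (0x18) as UTC."""
    s = raw.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def cert_validity(der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _, p, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                  # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                         # skip optional [0] EXPLICIT version
        p = end
    for _ in range(3):                      # skip serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                  # validity SEQUENCE holds the two times
    tag1, s1, e1 = _tlv(der, p)
    tag2, s2, e2 = _tlv(der, e1)
    return _asn1_time(tag1, der[s1:e1]), _asn1_time(tag2, der[s2:e2])

def classify(not_before, not_after, now, grace_days=7):
    """Label a cert valid, freshly lapsed (likely an oversight) or long expired; return (label, days past)."""
    if now < not_before:
        return "not yet valid", 0
    if now <= not_after:
        return "valid", 0
    days = (now - not_after).days
    return ("recently expired" if days <= grace_days else "long expired"), days

def _der(tag, value):                      # minimal short-form encoder, used only to build the sample
    return bytes([tag, len(value)]) + value
# Constructed sample: just the leading tbsCertificate fields the walker reads, not a real certificate.
SAMPLE_DER = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02"))                                     # version v3
    + _der(0x02, b"\x01\x2A")                                           # serialNumber
    + _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSAEncryption
    + _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, b"example"))))  # issuer
    + _der(0x30, _der(0x17, b"180111000000Z") + _der(0x17, b"190111000000Z"))  # validity
))
```

On a live host the DER comes from `ssl.SSLSocket.getpeercert(binary_form=True)`; since a verifying handshake already rejects an expired leaf, the inspection connection has to be made with `verify_mode = ssl.CERT_NONE`, and nothing should be sent over it beyond the handshake.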