On Tuesday 17 May 2005 04:45, Anthony G. Atkielski wrote:

> Nelson B writes:
> > I think that's the biggest security problem of all. We can't help users
> > who simply never pay any attention to security warnings.
>
> What about sites who simply can't be bothered to keep their certificates
> up to date? One reason many users ignore such warnings is that they
> (correctly) guess that the site has misconfigured something. If all
> sites were vigilant about keeping certificates up to date, then an
> expired certificate would be clear evidence of something very wrong; but
> many sites don't care.
Right. So the question is, why should sites care?

Recently, a 2-year control-of-domain cert I managed expired. Partly out of dread and partly out of "customer laxness" in the billing department, I let it expire. In the event, nobody complained, at all, and it was only a combination of other factors that led me to replace it. More to do with the debate here; give CACert a go, for experimentation, education and entertainment. I got one complaint when the vhosts sharing issue came up and the wrong cert was being served, but that was all (among I suppose 20-50 users).

We have to also be aware that an expired cert is not primarily a security issue: if the owner had paid an extra year, it would not be expired.

In practice, sites see HTTPS as a cost, and a barrier. It doesn't provide any protection that they *need*, although this might be less true in the future and for big sites. For the most part, responsible sites are worried about cracking, dictionary attacks, lost passwords and insider fraud. You occasionally see dramatic evidence of this when you stumble across some site that runs the SSL website at the front, then mails the details in the clear to some other machine in another country. When this is pointed out, the answer is generally "so what?" Or, see Choicepoint.

(All IMHO and my experiences only.)

iang
--
http://iang.org/

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
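The thread's point is that an expired certificate only carries signal if operators notice expiry before their users do. As an added example, not part of the original post, the following Python script is the kind of expiry monitor a site operator would run from cron: it parses the `notAfter` value in the format `ssl.getpeercert()` returns, classifies the remaining lifetime, and fetches the leaf certificate of a host while sending SNI (the vhost-sharing problem iang mentions is exactly what SNI addresses). The host name, port and the 30-day warning threshold are placeholders I chose; the dates in the comments are constructed for illustration.

```python
"""Expiry monitor for a TLS server certificate.

Added example, not taken from the mailing-list post. The host/port and the
WARN_DAYS threshold are assumptions chosen for illustration.
"""
import socket
import ssl
import time

WARN_DAYS = 30  # assumed threshold: alert when fewer than this many days remain


def days_until_expiry(not_after, now=None):
    """Days left before `not_after` expires; negative once it has expired.

    `not_after` uses the format ssl.getpeercert() returns, e.g.
    'May 17 04:45:00 2005 GMT' (a constructed sample value).
    """
    expiry_ts = ssl.cert_time_to_seconds(not_after)  # stdlib parser for that format
    now = time.time() if now is None else now
    return (expiry_ts - now) / 86400.0


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Map the remaining lifetime to a status an alerting pipeline can key on."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "EXPIRING"
    return "OK"


def fetch_not_after(host, port=443, timeout=5.0):
    """Connect with a verifying context and SNI and return the leaf's notAfter.

    Needs network access; `host` is whatever the operator wants to monitor.
    A verification failure (expired chain, name mismatch) raises ssl.SSLError,
    which the caller should treat as an alert in its own right.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys

    # "example.invalid" is a placeholder; pass a real host on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    try:
        not_after = fetch_not_after(host)
        print(host, classify(not_after), f"{days_until_expiry(not_after):.1f} days left")
    except (ssl.SSLError, OSError) as exc:
        print(host, "CHECK FAILED:", exc)
```

Run it as `python expiry_check.py www.example.org` and wire the status word into whatever alerting you already have; a verification error from the default context is reported rather than swallowed, because a chain that fails to validate is the very condition the warning dialog in the thread is about.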
