> This is also sort of a behaviour question. If someone connects to a
> web server and that server's certificate has expired, should that
> person really be concerned since the information they're sending back
> to the server is still probably encrypted?

Sure, it's still encrypted -- in fact that's all still true with entirely unrecognised certificates.

But, SSL / certificates give you two things:

1. Encryption in transit to avoid eavesdropping and tampering.
2. Authentication of the server's identity to avoid impersonation and tampering.

So, with an expired or invalid certificate you are no longer sure of point 2. That might not matter, and you may decide that you believe the certificate is still correct on a hunch, but you are no longer assured that you're really talking to the server that you think you are. In theory.

Hope this helps,

James.