SSL - Whether To Accept An Expired Certificate

Is the prompt to accept an SSL certificate that has expired and is not valid OK? Or is this contrary to good practice? What other error messages can we encounter while browsing the Internet using HTTPS? What do they show and what are their reasons? And when they can inform about a potential attack, and when they show the ignorance of the website owner?


Why Do We Encrypt The Connection?
Today about a topic that appears from time to time on the Internet, when one of the larger companies forgets to renew their SSL certificate. Today, virtually every major site uses certificates so that a green padlock appears next to the domain name in the browser. But why really encrypt the connection? The point is that everything that we provide on the site is not intercepted by someone from the outside. So - if I enter something in the form on the page, it can only be seen by the server to which this information is directed. You may wonder: but who can eavesdrop on my data? The answer to this question is not so simple, because, on the way from our computer to the server of the site we visit, there are many intermediaries. Starting with our internet service provider, which provides us with a connection to the world. He does not own the Internet, but he must communicate with other entities so that our movement can reach where it should. There are many such intermediaries and each of them can eavesdrop on what we send, provided, of course, that this traffic is not encrypted. The reasons why people do not want someone to view their traffic are different. Starting with security - we don't want anyone to know our bank password. Some also do not want government institutions to track their movements and activities on the Internet. So - we use encryption. The reasons why people do not want someone to view their traffic are different. Starting with security - we don't want anyone to know our bank password. Some also do not want government institutions to track their movements and activities on the Internet. So - we use encryption. The reasons why people do not want someone to view their traffic are different. Starting with security - we don't want anyone to know our bank password. Some also do not want government institutions to track their movements and activities on the Internet. So - we use encryption.

Private Key
But all this is not so simple. Each page must have its own private key. You can apply an analogy to the key in the lock on the door of our apartment. We do not want to have the same lock as our neighbors, because it is our home and only we should have access to it. Similarly here - every server should have its own key so that only he can decrypt the traffic that is directed to him. Therefore, when you set up the server, a unique private key is generated.

Is This The Correct Key?
But here we come across another problem. Each server can generate its own key - just like each door has its own lock. But how does the Internet user know that this key belongs to this server and not another that impersonates it? For apartments - the matter is simple. We know our street, as well as the block and apartment number - so we know that our key should match. In the case of servers, this role is played by domains - that is, the names that you enter in the browser's address bar to move to a specific site. That domain name is hackerfoss.com. So the key generated by the server should be somehow associated with the domain used by some website.

Main Certification Authorities
Well, but everyone can say that this key is associated with this domain. It must be solved somehow differently, using some institution that we all trust. We call these companies the main certification authorities. Their identification data is saved in every operating system and browser. We've all agreed that we trust them and that these companies follow all procedures. It's just like street names. Someone once gave a certain name to a given street and we all assume it for granted - as a fact. The task of these companies is to check whether a person or institution has the authority to manage the domain.

Domain Management Permissions
How can you verify this? There are at least several different methods. The first is to place a special file with a special name and value within our site. These values ​​are randomly generated and assigned to a specific domain. So if the office wants to check that we actually have rights to the domain - it verifies the value of this file. When they are the same - it means that we have control over the server pointing to the given name. Another option is to use internet mail. Some specific style email addresses are used [email protected] Again, if someone can read the content of a message sent to such an address - it means that they have access to the domain. This is how certification authorities determine whether a person or company has access to a given domain. Such verification is called DV type verification - that is domain validation. It only checks here if someone has the rights to the domain.

OV Type Certificate
But this is not the only type of certificate we can receive. Another is OV - organization validation. Here, in addition to checking the right to the domain, also the entity itself that is seeking the certificate is checked. So here is also sent to the office a set of documents certifying that we represent the organization. Thanks to this, apart from the domain name, the certificate may also contain the company name and its address. Why this kind of certificate? Let's assume that a new fashion brand campaign is appearing on the Internet. For this purpose, a new website was created along with a new domain whose name is widely advertised. The promotional website allows you to get great discounts. However, it requires some sensitive data. As we are persons, for which privacy is important - we do not provide this kind of data on the first better pages. We do not know this new domain and we do not know who it belongs to. But we can check the data contained in the certificate. If it is an OV certificate issued by a trusted certification authority, it will show the company name. Thanks to this, we know that the external entity we trust has verified the data of the company that uses the domain. To sum up: after confirming our rights to the domain, the certification authority confirms that the private key generated by our server is associated with this domain. Well, but as it happens in the security plot - not everything is so simple. If it is an OV certificate issued by a trusted certification authority, it will show the company name. Thanks to this, we know that the external entity we trust has verified the data of the company that uses the domain. To sum up: after confirming our rights to the domain, the certification authority confirms that the private key generated by our server is associated with this domain. Well, but as it happens in the security plot - not everything is so simple. If it is an OV certificate issued by a trusted certification authority, it will show the company name. Thanks to this, we know that the external entity we trust has verified the data of the company that uses the domain. To sum up: after confirming our rights to the domain, the certification authority confirms that the private key generated by our server is associated with this domain. Well, but as it happens in the security plot - not everything is so simple.

Certificate Validity
Such confirmation is only valid for a certain period of time. Same as ID card - it has an expiration date. Why? In the case of proof, the point is to change the profile picture from time to time. 10 years is a lot of time and our face can change a lot during this time. The same goes for domain. It may turn out that it has been sold to another entity or has expired. Therefore, certificates have a specific expiration date. In the past, when encryption was not so popular, it was even 3 years. Nowadays, however, there is a tendency for certificates to have a much shorter expiration date, more in months than years. And this causes a kind of problem for website owners.

Automatic Certificate Generation
Theoretically, shorter dates result in more work. Each newly generated certificate requires confirmation by a certification authority and then installation on the appropriate server. It seems to be time consuming and it really is. But - fortunately, there are tools that allow you to automate this whole process. If they are properly configured, the machine will start the whole procedure in advance, automatically confirm the right to use the domain and will replace the appropriate certificate. Well, but life is not so colorful. Not in every case, this process can be completely automated. Especially if we are talking about the OV type where you should also check the documents of the entity that is applying for the certificate. The robot is unable to send these documents automatically. What's more - on the other side - that is in the certification authority - these data are usually verified manually. This means that some certificates must be manually renewed. And this raises some problems, especially if there are several such domains. And having a dozen or so domains within one company is not as rare as you might think. Therefore, if there are no procedures that guard this process - it may happen that the organization forgets (or fails to) renew the certificate on time.

This Connection Is Not Private
And here comes the problem. Browsers immediately capture this situation and display the appropriate message to the user. It varies but you can see a tendency. For example, Google Chrome, we get a sinister-sounding window with the name This connection is not private marked with a red triangle with an exclamation mark. No wonder that an ordinary computer user doesn't know what to do in this case. Especially since he is offered only two options to choose from. The first - marked as the proposed solution is "Return to security". After clicking this button, the internet user is redirected to the previously viewed website.

Advanced Options
The second option is "advanced". There you will find additional information about a given error and an additional button that allows you to enter the site, despite the warning. And here we come to the heart of the whole problem. For large companies (especially those that have online stores), an incorrect certificate is not just a blur on the image. It is also a real loss because few people will be able to open the page with such an error. Hence, there are situations where such companies while waiting for a new certificate using other communication channels and social media, inform their users about a possible workaround. Then they are instructed to ignore the warning and continue displaying the page. On the one hand, I am not surprised that such situations take place. Theoretically, in most cases you can easily visit such a website without putting yourself and your data in danger. Only that you need to understand the content of the error and why it appeared, as well as distinguish different messages from each other. And this is not so obvious.

Badssl.com
Explaining this to a standard user is not easy. Especially since a wider context is needed here to understand the whole issue. We are dealing with a very similar message in at least a few different situations. Badssl.com is a very nice site, where we can see examples of various problems with certificates.

Expired Certificate
And so the first case most frequently occurring for the expired certificate - i.e. expired. By clicking the button "advance" can read that this server could not prove that it belongs toexpired.badssl.com. His security certificate expired 1500 days ago. This may be due to incorrect configuration or interception of the connection. Assume "The computer clock is not set to the current date". Only in detail do we receive information of interest to us. We can read there that the certificate expired a certain time ago. The browser also shows the current date. Why is it doing this? It may turn out that for some reason our system time is set incorrectly. In this case, this error can also show up. All you have to do is change the date and refresh the page. Here, however, we are considering another case when the certificate has actually expired and our date is correct. Usually, this means that someone has forgotten to renew it. In this case, we could be tempted to accept the security exception and enter the site, if absolutely necessary and any delay is not accepted by us. Especially if the certificate only expired a few days ago. Why? Because there is no indication that the private key has been leaked or has been stolen. It is still secure and known only to the server you want to connect to. So the data we send is still secure. Moreover, this certificate was in the past valid, i.e. it was used by an entity that has rights to this domain. It is not possible for someone to eavesdrop on our connection. The key here is the time when the certificate has expired. In the case of a few days, this probably only indicates the administrator's carelessness. But if the certificate expired a long time ago - I would recommend caution. Why? Since this certificate may be stolen,

Incorrect Practice
Only that urging users to accept security exceptions usually does more harm than good. In the case of security, education is very important. Unfortunately, it takes a lot of time. Security is difficult and is associated with the ordinary user by something that disturbs him. Why should I rewrite additional passwords from mobile tokens when I visit the bank's website? Why is the password not enough for me? If we encourage users to accept exceptions, this may take revenge in the future. Seeing a similar message - someone can accept the exception again. Only that the next time it may not be informed about the expiration of the date but about an attempt to impersonate the site. To sum up: for these types of messages, this usually indicates the carelessness of the site administrator, especially if the certificate has expired relatively recently. But to confirm this fact, we need to read the message that the browser presents us. It's best to try to come back to this page after some time believing that site owners will fix the problem.

Wrong Host
Another type is the wrong host. This time we see the information that the server could not prove that it belongs to wrong.host.badssl.com. His certificate comes from badssl.com. What does it mean? We tried to access the site wrong.host.badssl.com, but the server returned a certificate belonging to another domain. This message usually appears if the server is configured incorrectly. Today's computers can handle many websites at the same time. Sometimes there is a situation where the administrator confuses the files and returns the wrong certificate. Suppose you are going to the site www.hackerfoss.com. But the browser returns you a certificate for hackerfoss.com. So it turns out that the owner made a mistake during configuration. Being the domain owner hackerfoss.com I can generate a certificate for any subdomain, including www.hackerfoss.com. Only the same message can also appear in other situations. Suppose you google.com a certificate by entering hackerfoss.com. This can be an indication that someone is clumsy trying to preview your traffic using a valid certificate for another domain. If you accept this exception, you won't be able to tell if someone is analyzing your requests along the way.

Self-signed
Next, we deal with a self-signed certificate, i.e. one that has not been confirmed by a trusted certification authority. And here I would recommend increased caution. Information that arises is: "the security certificate is not trusted by the operating system of this computer". So, no external organization that we trust has confirmed that the person (or company) using the certificate has rights to the domain. This is a very dangerous situation. It can mean man in the middle attacks when someone tries to eavesdrop on our connections. Then it generates such a certificate hoping that anything unaware user will accept it. And as I mentioned at the beginning of this material - anyone can generate a key for any domain. To be sure of its origin, it must be accepted by an external entity. In such situations, I would advise against using the website.

Untrusted Root
Another type is untrusted root - the use of an untrusted certification authority. What does untrusted mean? That is one whose data is not saved in the browser or operating system. Anyone can create such an authority. Just generate the appropriate certificate and that's it. From the point of view of the message, it is identical to the one displayed for self-signed certificates. However, the difference appears when we enter the certificate details. In the case of Google Chrome, we can do this by clicking on the padlock icon or red triangle with the word "warning" in the domain bar. Then choose the "certificate" tab. Here we can see more details. Among other things, information for which domain it is issued and by whom and on what dates it was valid. However, we are interested in the "Certification Path" tab. There we can see which authority has signed up to a given domain. For a certificate using an untrusted certification authority, we see two entries. The first - a certification authority with a red X. It proves that this certificate is not trusted by us. For the previous type, there is only one entry there - because there we did not use any certification authority. Here again - I would recommend not entering such a site.

Revoked
The last type I would like to present today is "revoked" or revoked certificate. Every certificate owner can inform the authority that his private key has been stolen and the certificate should be treated as invalid. It's a similar situation when someone steals the keys to the apartment from us. Then we usually change the door locks so that no one breaks into our house. Similarly here - if someone has stolen our certificate then they can use it to impersonate our website. Such a certificate is valid until it expires. Hence the tendency for certificates to have the shortest validity period. Only its annulment protects our users.

Summary
And that's all in this blog. As you can see one topic - so many different possibilities. Hence, suggesting users to accept expired certificates is not the best idea. A standard user is unaware of the risks that such behavior entails. If we teach users bad practices - that is, accepting such warnings, it may turn out that in the future, learned by experience - they will accept a similar message - this time opening the way for potential criminals. If you liked this material, consider sending it to your friends. Also, don't forget to subscribe to the blog.

Comments

Popular

5 Steps To Protecting Your Digital Home

Document Security System To Prevent Confidential Leakage

Safe Mobile Payments And Banking Tips Hackers Hope You Don't Know