Here's a thought - maybe not a risk in the sense you are asking, but
something to consider nonetheless.
If the server in question is a production server, and requires that
users connect to it on a regular basis, you are essentially training
those users to flat out ignore the little warning that pops up when a
certificate is invalid due to expiration or being untrusted.
This may not seem like a major thing up front, but by doing this, you
are showing users that these warning that are supposed to throw up red
flags to a user are just benign, and should be ignored. So what happens
if these same users are the victims of a phishing attack, and end up
leaking personal information through the net. Let's go a step further...
a hacker has penetrated the network, and now otherwise sensitive data
that would be transmitted via SSL is now subject to a MITM attack.
These scenarios may be far fetched, and may be the responsibility of the
company. However, while not all users are the smartest... teaching them
to ignore the warnings that pop up could in fact come back to bite you
in a way that you might not have expected.
Just some thoughts.
Cheers!
-James Fryman
.:: On 04/26/2006 11:50 AM - 1tgeye@surewest.net wrote ::.
We have an IIS server with an old certificate that has expired. We do not
use it anymore and I am arguing to remove it from the site. Other people are
saying it doesn't hurt anything and just leave it there.
Can anyone give me a reason why an unused but expired certificate could cause
a security risk? I would like to add that to my argument why it should be
removed.
-------------------------------------------------------------------------
This List Sponsored by: Webroot
Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise
http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------
--
-------------------------
James Fryman
E-Mail : jfryman@gmail.com
Cell : 757.812.3126
GnuPG : 0xDAE2C750
-------------------------------------------------------------------------
This List Sponsored by: Webroot
Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise
http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------
