Whilst from an information security perspective the data being
exchanged is still being encrypted, there is a liability issue with
trusting an expired certificate.
If the certificate was issued by a Trusted Third Party (not from an
internal Certification Authority) i.e VeriSign, by trusting an expired
certificate if there were to be any issues then there maybe no
recourse for damages due to there being a waiver to liability.
You can find out more by obtaining the Certification Practice
Statement and applicable Certificate Policy from the Trusted Third
Party which will outline the legal liability.
regards,
Ryan.
On 28/01/2008, at 12:07 PM, Ziemniak, Terrence M. wrote:
Encryption and authentication are independent of each other.
Holding a valid certificate says that the signing authority (e.g.
Verisign) attests that you (i.e. the web server servicing your site)
are
who you claim to be. Conversely if your certificate is not accepted
by
your browser (due to name conflict, expiration, or revocation) your
identity is in question.
But if you accept the invalid certificate, the server and client will
still utilize HTTPS based on whatever configuration they can
negotiate.
So yes the data will still by encrypted. If you want to see this in
action, fire up wireshark.
Other uses of certificates may get a little more complicated. For
example if you use certificates to authenticate to VPN, an expired
cert
will prevent you from getting onto the VPN. But in that case you are
still not running cleartext - you are just not running at all.
Terry
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com
]
On Behalf Of anon@yahoo.com
Sent: Monday, January 28, 2008 1:28 AM
To: security-basics@securityfocus.com
Subject: CERTIFICATE
could someone tell me what would happen to encrypted traffic if you
have
an expired certificate?? Does the traffic flow in clear text
henceforth?? or just that the credebility of traffic from that source
cannot be accounted for??
