Have you ever tried to visit a website and instead been greeted by a browser window letting you know that “There is a problem with this website’s security certificate”?
Ideally, that would be a red flag indicating that something suspicious or malicious is going on. If the website security and authentication provided by SSL certificates worked as intended, receiving a warning that an SSL certificate is invalid would be reason to avoid that site.
But the reality is that most of the time you encounter expired or invalid certificate warnings, it is because the website owner has allowed the SSL certificate to expire, or has not properly configured it for the domain you are visiting. So, people just click the “Continue to this website (not recommended)” link next to the alarming red shield icon and proceed, ignoring the invalid certificate warning and invalidating the concept of SSL certificates at the same time.
There are so many expired and invalid SSL certificates on otherwise legitimate sites that users are numb to the warning message. If and when a user encounters an actual malicious site attempting to utilize a stolen or forged SSL certificate, they will happily ignore the warning and continue on at their own peril.