The Security Detail

Apr 10 2011   10:08AM GMT

Invalid Certificates Threaten to Make SSL Useless

Tony Bradley

Have you ever tried to visit a website and instead been greeted by a browser window letting you know that “There is a problem with this website’s security certificate”?

Ideally, that would be a red flag indicating that something suspicious or malicious is going on. If the website security and authentication provided by SSL certificates worked as intended, receiving a warning that an SSL certificate is invalid would be reason to avoid that site.

But the reality is that most of the time you encounter an expired or invalid certificate warning, it is because the website owner has allowed the SSL certificate to expire or has not properly configured it for the domain you are visiting. So people just click the “Continue to this website (not recommended)” link next to the alarming red shield icon and proceed, ignoring the invalid certificate warning and invalidating the concept of SSL certificates at the same time.

There are so many expired and invalid SSL certificates on otherwise legitimate sites that users are numb to the warning message. If and when a user encounters an actual malicious site attempting to utilize a stolen or forged SSL certificate, they will happily ignore the warning and continue on at their own peril.
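For site owners, the two benign causes named above (an expired certificate and one not configured for the domain being visited) can be caught before visitors ever see the warning. The following is an added example, not part of the original post: it audits certificate metadata in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns. The `example.test` names, the dates, and the 30-day warning window are constructed assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

def name_matches(pattern: str, host: str) -> bool:
    """Compare one DNS subjectAltName entry with the requested hostname."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == host

def parse_time(text: str) -> datetime:
    """Convert a getpeercert() time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def audit(cert: dict, host: str, now: datetime, warn_days: int = 30) -> list:
    """Return the reasons a browser warns, or soon will, for this cert and host."""
    findings = []
    if now < parse_time(cert["notBefore"]):
        findings.append("not_yet_valid")
    not_after = parse_time(cert["notAfter"])
    if now > not_after:
        findings.append("expired")
    elif not_after - now <= timedelta(days=warn_days):
        findings.append("expiring_soon")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, host) for n in names):
        findings.append("hostname_mismatch")
    return findings

def make_cert(not_after: str, *dns_names: str) -> dict:
    """Build constructed sample metadata (not taken from any real certificate)."""
    return {"notBefore": "Jan 15 00:00:00 2010 GMT", "notAfter": not_after,
            "subjectAltName": tuple(("DNS", n) for n in dns_names)}

NOW = datetime(2011, 4, 10, 10, 8, tzinfo=timezone.utc)  # constructed audit time
SAMPLES = {  # label -> (certificate metadata, hostname the visitor typed)
    "ok": (make_cert("Jan 15 00:00:00 2012 GMT", "www.example.test"), "www.example.test"),
    "lapsed": (make_cert("Mar 15 00:00:00 2011 GMT", "www.example.test"), "www.example.test"),
    "renew": (make_cert("Apr 25 00:00:00 2011 GMT", "*.example.test"), "shop.example.test"),
    "bare": (make_cert("Jan 15 00:00:00 2012 GMT", "www.example.test"), "example.test"),
    "apex": (make_cert("Jan 15 00:00:00 2012 GMT", "*.example.test"), "example.test"),
}

def run_samples() -> dict:
    return {label: audit(cert, host, NOW) for label, (cert, host) in SAMPLES.items()}

if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(f"{label:7} {findings or 'no warning'}")
```

The "bare" and "apex" samples show the common misconfiguration where a certificate covers `www` or a wildcard but not the bare domain visitors actually type.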
