SSL expiration has been making headlines lately, with Netcraft recently reporting that over 200 certificates have expired in relation to the US government shutdown. With many people wondering “What’s the big deal?”, we wanted to examine why expiration is important and outline how it affects both website owners and website visitors.
Consequences of Expired SSL
Unlike some services that renew automatically until specifically cancelled, SSL Certificates have a set expiry date. Letting an SSL Certificate expire can have a number of consequences for the website owner and also for the end user.
Website Owner:
– Reduction in trust as the site becomes insecure
– Decline in sales and revenue with increased shopping basket abandonments
– Corporate brand and reputation adversely affected putting the business at risk
Website User:
– Warning error messages displayed by browsers when visiting the site
– Personal information at risk from man-in-the-middle attacks
– Individual susceptible to fraud and identity theft
How a Browser Displays Expired SSL Certificates
[Screenshots: expired SSL Certificate warnings as displayed by Google Chrome, Mozilla Firefox and Internet Explorer]
As you can see, the warning messages vary from browser to browser, and these inconsistencies may cause end users to simply click through the error messages without fully reading or understanding the actual message itself. We highly recommend that all warning messages are read and responded to appropriately, as opposed to automatically ignoring the message and clicking through to the site.
If you are unsure about the implication of the warning, click the explanatory links such as “Help me understand” or “Learn More”. These links provide important details that can assist in the decision-making process. A large field study of browser warning effectiveness, titled “Alice in Warningland”, is available from Berkeley University, California.
Protect your website and visitors
“Until US Congress resumes services it is inevitable that we will see expired certificates and this example just goes to show how vulnerable organisations who are susceptible to shutdown can be” said GlobalSign’s Managing Director, Paul Tourret. “We predict that over 600 SSL Certificates currently securing a .gov domain due to expire in October will be potentially affected. To minimise the impact, current automated SSL Certificate lifecycle management tools can help in terms of best practice when managing SSL reliance during unforeseen outages”.
Government websites are independently relied upon by the public and today are seen as prime targets for cyber-attacks; therefore it is important to ensure that critical national infrastructures retain adequate management systems to eliminate risk, whilst encouraging website visitors to react appropriately to potential vulnerabilities.
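Because every certificate carries a fixed expiry date, a scheduled check can flag renewals before visitors ever see a warning. The following is an added example, not part of the original article or any GlobalSign tool; the host names, dates, function names and the 30-day renewal window are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumed renewal lead time; pick one that fits your process

def days_left(not_after, now):
    """Whole days until a notAfter string (getpeercert() format) is reached."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days  # floors, so any past date gives a negative value

def status(not_after, now, window=RENEW_WINDOW_DAYS):
    left = days_left(not_after, now)
    if left < 0:
        return "EXPIRED"
    return "RENEW" if left <= window else "OK"

def build_report(inventory, now):
    """inventory maps host -> notAfter; returns rows sorted most urgent first."""
    rows = [(host, status(na, now), days_left(na, now)) for host, na in inventory.items()]
    return sorted(rows, key=lambda row: row[2])

def fetch_not_after(host, port=443, timeout=5.0):
    """Read notAfter from a live server. A verifying handshake fails outright on an
    expired certificate, so that case is reported as None instead of a date."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as err:
        if err.verify_code == 10:  # X509_V_ERR_CERT_HAS_EXPIRED
            return None
        raise  # other verification failures are a different problem

# Constructed sample inventory (hypothetical hosts, made-up dates).
SAMPLE = {
    "portal.example": "Mar  1 00:00:00 2014 GMT",
    "forms.example": "Oct  1 12:00:00 2013 GMT",
    "pay.example": "Oct 25 00:00:00 2013 GMT",
}

if __name__ == "__main__":
    now = datetime(2013, 10, 10, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    for host, state, left in build_report(SAMPLE, now):
        print(f"{host:16} {state:8} {left:4d} days")
```

Run from a scheduler, the report gives the owner a list ordered by urgency; `fetch_not_after` can populate the inventory from live servers instead of the constructed sample.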
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.