The Dangers of SSL Certificate Expiration

By ISBuzz Team
Writer, Information Security Buzz | Nov 22, 2013 01:29 am PST

SSL expiration has been making headlines lately, with Netcraft recently reporting that over 200 certificates have expired in relation to the US government shutdown. With many people wondering “What’s the big deal?”, we wanted to examine why expiration is important and outline how it affects both website owners and website visitors.

Consequences of Expired SSL

Unlike some services that renew automatically until specifically cancelled, SSL Certificates have a set expiry date. Letting an SSL Certificate expire can have a number of consequences for the website owner and also for the end user.

Website Owner:

– Reduction in trust as the site becomes insecure
– Decline in sales and revenue with increased shopping basket abandonments
– Corporate brand and reputation adversely affected, putting the business at risk

Website User:

– Warning error messages displayed by browsers when visiting the site
– Personal information at risk from man-in-the-middle attacks
– Individual susceptible to fraud and identity theft

How a Browser Displays Expired SSL Certificates

Browser Name – Google Chrome

Browser Name – Mozilla Firefox

Browser Name – Internet Explorer

As you can see, the warning messages vary from browser to browser, and these inconsistencies may cause end users to simply click through the error messages without fully reading or understanding the actual message itself. We highly recommend that all warning messages are read and responded to appropriately, as opposed to automatically ignoring the message and clicking through to the site.

If you are unsure about the implication of the warning, click the explanatory links such as “Help me understand” or “Learn More”. These links provide important details that can assist in the decision-making process. A large field study discussing browser warning effectiveness, titled “Alice in Warningland”, is available from Berkeley University, California.

Protect your website and visitors

“Until US Congress resumes services it is inevitable that we will see expired certificates and this example just goes to show how vulnerable organisations who are susceptible to shutdown can be” said GlobalSign’s Managing Director, Paul Tourret. “We predict that over 600 SSL Certificates currently securing a .gov domain due to expire in October will be potentially affected.  To minimise the impact, current automated SSL Certificate lifecycle management tools can help in terms of best practice when managing SSL reliance during unforeseen outages”.

Government websites are independently relied upon by the public and today are seen as prime targets for cyber-attacks; therefore it is important to ensure that critical national infrastructures retain adequate management systems to eliminate risk, whilst encouraging website visitors to react appropriately to potential vulnerabilities.
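A minimal expiry check of the kind such management tooling automates, as an added example (not code from the original article or from GlobalSign). The hostnames, dates and the 30-day renewal window are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed renewal window, not a figure from the article


def classify(not_after, now, warn_days=WARN_DAYS):
    """Status for a notAfter string in the format getpeercert() returns."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    left = (expires - now).days
    if expires <= now:
        return "EXPIRED", left
    return ("RENEW" if left < warn_days else "OK"), left


def audit(inventory, now):
    """Classify every host in the inventory, most urgent first."""
    rows = [(host, *classify(na, now)) for host, na in inventory.items()]
    return sorted(rows, key=lambda r: r[2])


def check_live(host, port=443, timeout=5):
    """Same check against a running server (needs network access)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as err:
        # An expired certificate fails the handshake before notAfter can be
        # read; OpenSSL reports it as verify code 10 (certificate has expired).
        return ("EXPIRED" if err.verify_code == 10 else "INVALID"), None
    return classify(not_after, datetime.now(timezone.utc))


# Constructed inventory: hypothetical hosts and dates, not real certificates.
SAMPLE = {
    "www.agency.example": "Jun 30 12:00:00 2014 GMT",
    "forms.agency.example": "Oct 28 12:00:00 2013 GMT",
    "portal.agency.example": "Oct  5 23:59:59 2013 GMT",
}

if __name__ == "__main__":
    now = datetime(2013, 10, 10, tzinfo=timezone.utc)
    for host, status, left in audit(SAMPLE, now):
        print(f"{status:8} {left:5d} days  {host}")
```

Run on a schedule against the full certificate inventory, a check like this surfaces certificates in the RENEW window while there is still time to renew them.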
