> That explains why one of my IoT vendors is using an expired certificate.

I don't think so. There was a dip in success rates for 90 minutes today, but nobody should be renewing their certificate within 90 minutes of expiration. If you're at that point, something went wrong weeks ago.

There are reasons browsers do things the way they do.

Experience and user studies have shown that users have a hard time decoding what error messages mean. "This certificate is expired, but only for a little while" isn't meaningful for people who don't have a mental model of what a certificate is.

Furthermore, "downgrading" warnings increases the incentive to ignore issues, potentially causing more problems down the line.

> I wish Firefox would just give a mild warning for a recently expired certificate

Nope, if the SSL industry continues to insist on increasingly short cert lifetimes then I want Firefox to give no quarter when a cert expires.

Play by their rules and fall by their rules too.

But it's only the extreme warning that alerts the website (usually via a customer complaining) that the cert hasn't been renewed. Having the lesser warning just kicks the can down the road.

The IoT should have updated the certs weeks in advance. If they haven't done it by day 0 then their process is broken and delaying the scary warning to say day +5 won't solve anything.

omg new tom7!