Hacker News

dingaling today at 5:25 AM

> I wish Firefox would just give a mild warning for a recently expired certificate

Nope, if the SSL industry continues to insist on increasingly short cert lifetimes then I want Firefox to give no quarter when a cert expires.

Play by their rules and fall by their rules too.


Replies

mannyv today at 5:48 AM

Certificate expiry is less severe than an untrusted issuer or a host mismatch.

The former is most likely an administrative error (i.e., someone forgot to renew, or the auto-renew is failing). The latter is more likely to be an MTM attack.

I'm not sure how you would use an expired cert as an attack vector. By loading in an old cert into an expired domain so you could spoof older content?

MobiusHorizons today at 5:43 AM

How does that help? Seems like mostly the end user suffers.