Expired Certificates, browser warnings and OCSP

I hope you read my last post on the bad advice that some sites give their users. As a follow up, I thought it would be useful to highlight what some of the errors you might see online actually mean, and what is happening in the background to keep you safe and secure.

First of all, let me explain what happens with some of the security warnings you might see in your web browser when an SSL certificate has expired. When you visit a site and initiate a secure session (such as logging into your webmail), the server hosting that site presents your browser with an SSL certificate to verify its identity. This certificate contains different kinds of identity information, including the URL of the website; all of this information has been verified by a third-party Certificate Authority (such as Symantec) that your browser trusts. By checking that the address in the certificate matches the address of the website, and by checking that the certificate is still valid, it is possible to verify that you are securely communicating with the website you intended – not an imposter, such as a cybercriminal, intent on stealing your username and password. So if you ever see an image such as the one in my previous blog post, you should not proceed to the site.

What about a warning screen for an SSL certificate which is currently valid and has not expired? The signer of each certificate is responsible for maintaining a revocation mechanism, today usually the Online Certificate Status Protocol (OCSP), which has largely replaced the older Certificate Revocation List (see here for an explanation of OCSP and SSL revocation). Why does this matter? Well, a few years ago a Certification Authority (CA) called DigiNotar was fully compromised when an Iranian attacker obtained fraudulent certificates for several dozen Internet domains, including some well-known public webmail and instant messaging/voice services, and all the major web browser vendors had to remove all trust from DigiNotar’s CAs. If people had continued to ignore the browser warnings, they would have had their login information stolen, and any private information or details on those accounts offered up to the evildoers. DigiNotar went out of business, because after the incident no one trusted their certificates. If an SSL certificate is ever compromised, the issuer can revoke it, add it to the revocation list, and subsequently browsers will no longer trust that particular certificate for that specific site.

Revocation status is not required to be maintained for expired certificates; perhaps a certificate used to be valid for the website you’re visiting. If you see a notice telling you the certificate has expired, as a consumer you should not proceed past this point and I believe as part of the greater community of trust you should reach out to the business via telephone or email to let them know why you are not logging onto their site.
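The checks described above (does the name in the certificate match the site, is the certificate inside its validity period, and has it been revoked) can be made concrete with a small script. The following is an added example, not code from the original post or from Symantec; it models certificates on the dictionary that Python's standard-library `ssl.SSLSocket.getpeercert()` returns, and the sample certificates, serial numbers, fixed "current time" and the in-memory stand-in for an OCSP responder are all constructed for the example. It also applies the post's own point that revocation status is not maintained for expired certificates, and reports whether a certificate is inside the 90-day early-renewal window mentioned later in the post.

```python
"""Browser-style certificate checks over getpeercert()-shaped records (added example)."""
import ssl

# Fixed "current time" so the checks below are reproducible (constructed value).
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2016 GMT")


def _cert(serial, not_before, not_after, *dns_names):
    """Build a constructed certificate record in the getpeercert() dictionary shape."""
    return {
        "subject": ((("commonName", dns_names[0]),),),
        "subjectAltName": tuple(("DNS", n) for n in dns_names),
        "notBefore": not_before,
        "notAfter": not_after,
        "serialNumber": serial,
    }


# Constructed sample certificates exercising each warning the post describes.
SAMPLE_CERTS = {
    "good": _cert("01A3", "Jan  1 00:00:00 2016 GMT", "Dec 31 23:59:59 2016 GMT",
                  "mail.example.com", "*.example.com"),
    "renew_soon": _cert("01A4", "Sep  1 00:00:00 2015 GMT", "Aug 31 23:59:59 2016 GMT",
                        "mail.example.com"),
    "expired": _cert("01A5", "Mar  1 00:00:00 2015 GMT", "Mar  1 00:00:00 2016 GMT",
                     "mail.example.com"),
    "revoked": _cert("02B4", "Jan  1 00:00:00 2016 GMT", "Dec 31 23:59:59 2016 GMT",
                     "mail.example.com"),
    "wrong_host": _cert("01A6", "Jan  1 00:00:00 2016 GMT", "Dec 31 23:59:59 2016 GMT",
                        "www.other.example"),
}

# Constructed stand-in for the CA's OCSP responder: serial number -> status.
# A real client would send an OCSP request to the responder URL in the certificate.
OCSP_RESPONDER = {"01A3": "good", "01A4": "good", "01A6": "good", "02B4": "revoked"}


def _name_matches(pattern, hostname):
    """Exact match, or a wildcard that is the whole leftmost label and covers one label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:] and "." in pattern[2:]:
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def hostname_matches(hostname, cert):
    """The 'address in the certificate matches the address of the website' check."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy fallback when no subjectAltName is present: subject CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, hostname) for n in names)


def validity_status(cert, now):
    """'valid', 'expired' or 'not_yet_valid' relative to the given time (seconds since epoch)."""
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not_yet_valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return "valid"


def days_until_expiry(cert, now):
    """Whole days left on the certificate; negative once it has expired."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def revocation_status(cert, responder):
    """Look the serial number up at the (stand-in) OCSP responder."""
    return responder.get(cert["serialNumber"], "unknown")


def evaluate(hostname, cert, responder, now, renewal_window_days=90):
    """Combine the checks into the decision a browser makes before trusting the site."""
    problems = []
    if not hostname_matches(hostname, cert):
        problems.append("name mismatch")
    status = validity_status(cert, now)
    if status != "valid":
        problems.append(status)
        # Revocation status is not maintained for expired certificates, so the
        # responder is not consulted; the validity failure alone blocks the session.
        revocation = "not checked"
    else:
        revocation = revocation_status(cert, responder)
        if revocation == "revoked":
            problems.append("revoked")
        elif revocation == "unknown":
            # This example hard-fails on an unknown status; browser behaviour varies.
            problems.append("revocation status unknown")
    days = days_until_expiry(cert, now)
    return {
        "trusted": not problems,
        "problems": problems,
        "revocation": revocation,
        "days_until_expiry": days,
        "renew_now": 0 <= days <= renewal_window_days,
    }


if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(name, evaluate("mail.example.com", cert, OCSP_RESPONDER, NOW))
```

Running the script shows the "good" certificate trusted with 199 days left, the "renew_soon" one still trusted but flagged for renewal, and the expired, revoked and wrong-host certificates each rejected with the matching reason; the expired one reports its revocation status as "not checked".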

There are of course a few other reasons why users might see warning messages on websites:

  • The SSL Certificate has not been installed correctly
  • The web browser does not trust the issuing certificate authority
  • The website is using a self-signed certificate (this means that the certificate root is not trusted by the browser)
  • The website could be infected with malware and a search engine has blacklisted the site

As a business, what can you do to avoid security warnings?

  • Consider using the Qualys server checker tool to verify that you have installed the complete certificate chain correctly, that you have disabled previously vulnerable protocols and ciphers, and that all is as it should be with your website’s SSL implementation
  • Set calendar reminders for the expiry date of your SSL certificate, and remember that in many cases you can renew as far in advance as 90 days. There is no penalty for renewing early – in fact it’s best practice
  • If you are a larger business and have a number of certificates, consider a solution such as Symantec’s Certificate Intelligence Center, which monitors and can automate the renewal and management of your Symantec SSL certificates
  • Scan your site for malware and vulnerabilities on a regular basis
  • Don’t forget as a Symantec customer you can reach out to our support team 24×7 to get help on any of these issues

Trust is the lifeblood of commerce and communication online.  We owe it to our customers to ensure that we get it right.
