outdated ssl cert

Craig White craigwhite at azapple.com
Sat Jan 16 17:21:25 UTC 2010


On Sat, 2010-01-16 at 17:59 +0100, Vadkan Jozsef wrote:
> What is a self-signed outdated SSL cert worth? [https]
> 
> Could it be tricked [https] in a way that the end user will not
> recognize? [e.g. he already accepted the cert one time, and the browser
> would warn her, if it had been "attacked"?]
> 
> ..I mean, does an outdated self-signed certificate give the same security
> as a normal cert?
----
Whether 'expired' or 'current', a self-signed certificate offered by a
web server only has worth if you trust the signer of the certificate and
you have reason to believe that the certificate being offered is indeed
the one signed by whoever you believe worthy of the trust. If the
certificate is expired, it is certain to generate a warning every time
you encounter it.

I use self-signed certs all of the time - I trust myself. I have to
convince other users to trust the certificates that I sign.

The browser only sees the certificate and knows whether it has been
signed by an already trusted certificate authority. Some certificate
authorities are trusted out of the box by your web browser. Many are
not.

Craig
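
An added example, not part of Craig's message: a trust-on-first-use pin check in Python showing that "is this the certificate accepted before?" and "has it expired?" are separate questions. The pin store, host name, policy labels and byte strings are constructed assumptions; a real client would hash the DER bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib
import ssl

def fingerprint(der_bytes):
    """SHA-256 over the DER encoding, the value a user compares out of band."""
    return hashlib.sha256(der_bytes).hexdigest()

def evaluate(pins, host, der_bytes, not_after, now):
    """Return (identity, expired) for a presented certificate.

    identity: 'match', 'mismatch', or 'unpinned' (nothing accepted yet).
    expired:  True when `now` is past the certificate's notAfter time.
    The two answers are computed independently of each other.
    """
    pinned = pins.get(host)
    if pinned is None:
        identity = "unpinned"
    elif pinned == fingerprint(der_bytes):
        identity = "match"
    else:
        identity = "mismatch"
    expired = now > ssl.cert_time_to_seconds(not_after)
    return identity, expired

def decide(identity, expired):
    """Hypothetical client policy built on the two answers."""
    if identity == "mismatch":
        return "reject"              # not the certificate accepted earlier
    if identity == "unpinned":
        return "verify-out-of-band"  # no basis for trust yet
    return "warn-expired" if expired else "accept"

# Constructed stand-ins for DER certificate bytes; not real certificates.
ORIGINAL = b"constructed: the admin's self-signed certificate"
SUBSTITUTE = b"constructed: a different certificate for the same host"
HOST = "intranet.example"
NOT_AFTER = "Jan 16 17:21:25 2009 GMT"                      # constructed, in the past
NOW = ssl.cert_time_to_seconds("Jan 16 17:21:25 2010 GMT")  # constructed clock

PINS = {HOST: fingerprint(ORIGINAL)}  # recorded when the user first accepted

if __name__ == "__main__":
    for label, der in (("original", ORIGINAL), ("substitute", SUBSTITUTE)):
        identity, expired = evaluate(PINS, HOST, der, NOT_AFTER, NOW)
        print(label, identity, expired, decide(identity, expired))
```
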

