outdated ssl cert

Bruno Wolff III bruno at wolff.to
Sat Jan 16 18:06:01 UTC 2010


On Sat, Jan 16, 2010 at 17:59:32 +0100,
  Vadkan Jozsef <jozsi.avadkan at gmail.com> wrote:
> what is a self-signed outdated ssl cert worth? [https]
> 
> could it be tricked [https] in a way that the end user will not
> recognize? [e.g. he already accepted the cert one time, and the browser
> would warn her if it had been "attacked"?]
> 
> ..I mean, does an outdated self-signed certificate give the same security
> as a normal cert?

Using https, even with certs that don't provide identity assurance, still
makes eavesdropping harder (relative to using unencrypted http). Instead of a
passive attack, you need to do an active man-in-the-middle attack.

Also note that every top-level certificate is self-signed. What makes some
special to most people is that they are delivered with browsers and
don't generate warnings by default. This may or may not be a useful thing
depending on what you expect them to be doing for you.
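The two points in the reply (a root CA is itself a self-signed certificate, and what distinguishes it is only that the browser's trust store already contains it; an "accepted once" self-signed cert is trusted the same way until it expires) can be played out with Go's standard crypto/x509 package. The following is an added example written for this archive page; it is not code from the thread or from any project mentioned in it. The CA name "Example Root CA", the hostname mail.example.test, the validity years and the fixed "current time" are all constructed for the demonstration; the empty cert pool stands for a browser that knows nothing, and a pool holding one certificate stands for a trust store that ships it or a user who clicked "accept".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert issues a cert for cn, valid Jan 1 `from` to Jan 1 `to`, signed by parent.
// With parent == nil it signs itself (issuer == subject), exactly like a root CA.
func makeCert(cn string, isCA bool, from, to int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn}, // constructed names, see lead-in
		NotBefore:             time.Date(from, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(to, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // the name a browser checks against the URL
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// isSelfSigned: issuer equals subject and the signature verifies under the cert's own key.
// A shipped root and a home-made cert both pass; whether anyone trusts it is a separate question.
func isSelfSigned(c *x509.Certificate) bool {
	return string(c.RawIssuer) == string(c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// verdict builds a chain to the given trust store, as a browser does, and names the
// outcome the way a warning dialog would.
func verdict(c *x509.Certificate, store *x509.CertPool, host string, now time.Time) string {
	_, err := c.Verify(x509.VerifyOptions{Roots: store, DNSName: host, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	if err == nil {
		return "trusted"
	} else if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		return "expired"
	} else if errors.As(err, new(x509.UnknownAuthorityError)) {
		return "unknown-issuer"
	}
	return "other: " + err.Error()
}

// pool is a trust store holding exactly the given certificates (none = knows nothing).
func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

type Report struct {
	RootSelfSigned, HomemadeSelfSigned                                              bool
	LeafNoStore, LeafBrowserStore, HomemadeNoStore, HomemadeAccepted, ExpiredAccepted string
}

// scenarios plays out the situations the thread raises, as seen on the thread's date.
func scenarios() Report {
	const host = "mail.example.test" // constructed hostname
	now := time.Date(2010, 1, 16, 18, 0, 0, 0, time.UTC)
	root, rootKey := makeCert("Example Root CA", true, 2009, 2019, nil, nil) // stand-in for a shipped root
	leaf, _ := makeCert(host, false, 2009, 2011, root, rootKey)             // "normal" cert from that root
	homemade, _ := makeCert(host, false, 2009, 2011, nil, nil)              // self-signed server cert
	expired, _ := makeCert(host, false, 2008, 2009, nil, nil)               // self-signed and outdated
	return Report{
		RootSelfSigned:     isSelfSigned(root),
		HomemadeSelfSigned: isSelfSigned(homemade),
		LeafNoStore:        verdict(leaf, pool(), host, now),             // root not in the store
		LeafBrowserStore:   verdict(leaf, pool(root), host, now),         // root delivered with the browser
		HomemadeNoStore:    verdict(homemade, pool(), host, now),         // first visit: warning
		HomemadeAccepted:   verdict(homemade, pool(homemade), host, now), // accepted once: no warning
		ExpiredAccepted:    verdict(expired, pool(expired), host, now),   // accepted once, but now expired
	}
}
```

Running `scenarios()` shows the root and the home-made certificate are both self-signed by the same test, the CA-issued leaf is "unknown-issuer" until its root is in the store and "trusted" once it is, the home-made cert goes from "unknown-issuer" to "trusted" the moment the user's one-time acceptance puts it in the store, and the outdated one is reported "expired" even though it was accepted. None of these verdicts changes what the connection does on the wire: the session is still encrypted against passive listening, which is the reply's first point.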

