'Technical issue' - bollocks
it was a management failure - the buck stops with them to ensure that things like this are looked after.
I predict that the blame will land on some lowly techie.
Cloudy service provider Cobweb Solutions has 'fessed up to failing to renew its SSL certificate, leaving a number of its customers potentially exposed. The lack of a protocol for secure communication only came to light after one of Cobweb's customers got in touch to report the issue. Adrian Smith, security consultant, …
Wouldn't be the first time, won't be the last.
It'll be the techie's fault for only having a 1 year cert, for forgetting to remind the manager to renew it, for not raising the P/O, for not doing the managers job and documenting the reminder, for not having something in their calendar to remember the renewal despite the reminder emails going to the manager...
..do I come across as being bitter after being the scapegoat once before myself?
An expired certificate still encrypts data.
If Mr Adrian Smith "Security Consultant" set up systems that allow the customers to bypass SSL, then that ability is there whether the certificate is expired or not - and the level of security has not changed.
While I suppose that it is POSSIBLE for someone to write some sort of client software that would downgrade to clear text should a certificate expire, it would seem to be a rather poor choice for system design. If the data must be secured, then a certificate error should force the connection to fail with no data exchanged.
With no actual details as to the certificate, how it was used, when it was issued, etc. we can only guess as to what happened, but I have more questions about the technical abilities of the consultant than I do about a hosting provider that lets a certificate on a control panel expire. That in turn leads to questions of motivation.
Mr. Smith will now have to justify exactly HOW his customers managed to exchange un-encrypted data even though encryption was available to them.
Such as the calendar reminder not working?
More interestingly, *how* were customers able to then bypass SSL? Are vast parts of their site using http for sensitive data? (Not that El Reg would know anything about it)
In that case they could have done so all along, because an expired SSL cert does not magically open up this possibility.
An expired SSL certificate per se is not a risk. Just a nuissance, because while browsers (and other clients) will raise the red flag, the connection is still encrypted nonetheless.
Expired certificates are not secure for two reasons:
- Certificates that reach their expiry date are routinely purged from certificate revocation lists, therefore you cannot know whether it was revoked;
- Users are trained to click away certificate warnings if people keep claiming that this ok to do.