[Dshield] Digital certificates

Clement Dupuis cdupuis at cccure.org
Fri Oct 22 12:59:58 GMT 2004

It also depends on what your client's site looks like and is used for.  Is it
strictly an informational site or are they conducting ecommerce on the site
as well? What type of traffic do they get, what is their level of trust with
their own clients?

Myself, I would be reluctant to buy anything on a web site where my browser
tells me that the certificate is expired.  I would even be worried when I
connect to a web site where I get a popup saying the certificate is expired.
It does not give you a high sense of trust.

Knowing how development projects go, your month or so could become a few
months or so.  Is it acceptable for them to tell their client that they care
so much about them that they will not even prove without a doubt they are
who they pretend to be?  It is also a question of image.

You might want to look at some of the cheap alternatives such as Geotrust or
others that do not cost as much as a Verisign, Thawte, or any of the big
guys to fill in the gap in the meantime. Such a certificate will cost you
probably $150 or less and it would look a lot more professional than having
a warning that pops up.


Clement Dupuis, CD
cdupuis at cccure.org
The Professional Security Testers Warehouse


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Alan Frayer
Sent: Thursday, October 21, 2004 8:52 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Digital certificates

On Thu, 2004-10-21 at 03:38, Stephane Grobety wrote:

> AF> What is the effect of an expired certificate, both on the hosting site
> AF> and on the browser that encounters it?
> Well, the question, as such, doesn't make a whole lot of sense. The
> only meaningful answer would be: it depends what you use the
> certificate for, why you sign with it, what software you used to
> sign and verify that signature and how you have set up these programs.

Yes, I could have been more specific. Our client uses a certificate to
provide security in an SSL credit card transaction. They are in the
process of building a new web site, using a different host and the
certificate on the current host may expire before the new site is ready.
Rather than recommend paying to renew a certificate which will only be
needed for a month or so, I'm contemplating a recommendation to leave
the expired certificate in place, and to notify anyone who inquires
about the upcoming site change. I just wanted to be sure such a
recommendation wouldn't "break" the site.

Alan Frayer, CNE, CNI, CIW CI, MCP, Net+ - afrayer at frayernet.com
Member: Independent Consultants Association (ICA)
Consultants - FREE Directory Listing - http://www.ica-assn.org
