[Dshield] Digital certificates

Stephane Grobety security at admin.fulgan.com
Fri Oct 22 14:37:26 GMT 2004


AF> Our client uses a certificate to provide security in an SSL credit
AF> card transaction. They are in the process of building a new web
AF> site, using a different host and the certificate on the current
AF> host may expire before the new site is ready. Rather than
AF> recommend paying to renew a certificate which will only be needed
AF> for a month or so, I'm contemplating a recommendation to leave the
AF> expired certificate in place, and to notify anyone who inquires
AF> about the upcoming site change. I just wanted to be sure such a
AF> recommendation wouldn't "break" the site.

Thank you for the details.

I'm afraid that the answer to your question is: "yes, it will break
the site". It won't break it much: users will still be able to get
through if they accept the security issue but you have several things
to take into account:

1/ The insurance that comes with the certificate will not be valid any
more and you won't be able to turn against the certificate provider if
someone somehow uses it to mount a MIM attack. This is of particular
concern since the people that have the ability to mount such an attack
(network admin at your site and people at the CA) are also the ones
that will know about the problem.

2/ It lowers the "security feeling". I, for one, would always advise
users to refuse any connection that uses an invalid certificate
whatever the reason. Users usually can't be trusted with making the
right choice in that matter. I wouldn't use it either since it would
show that the price the operator of the web site puts on securing its
data properly is the price of an SSL certificate renewal (i.e. a few
hundred $). Weighed against the amount that can be pulled from my
credit card should it be leaked, I would rather use a different
supplier or use a different payment method, if no other supplier is
available.

So, you have a few options:

1/ Change the hostname before the new site is ready and then simply
switch the servers when you're done. Of course, you can't always do
that (if you're using two different hosting providers, do not have
control over the DNS and if the providers aren't willing to help you
for an acceptable price, for instance).
2/ Buy a wildcard certificate. They are quite a bit more expensive
than the regular ones, but you can run two (or any number of) hosts
with the same certificate (i.e. "https://new.domain.com" and
"https://old.domain.com" will use the same certificate and signature).
3/ Bite the bullet and pay for the renewal. You might want to call your
CA to ask them if they could offer you a discount on that particular
cert but knowing how these sharks are, I very much doubt that you'll
get anything. Still, it's worth trying. And if it doesn't work, it
should still be pretty cheap compared to your site's reputation and
the cost of developing a whole new shopping web site.

Good luck,
Stephane
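
A pre-migration check for the situation discussed in this thread, as an added example that is not part of the original post: it tests whether one certificate covers both the old and new hostnames (the wildcard option) and whether it expires before the date the old site is still needed. The certificate dict, the dates and all function names are constructed for illustration; the hostnames follow the post's example.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notAfter": "Nov 15 00:00:00 2004 GMT",
    "subjectAltName": (("DNS", "*.domain.com"),),
}

def name_matches(pattern, hostname):
    """Compare a certificate DNS name with a hostname.

    A '*' is honoured only as the entire left-most label, stands for exactly
    one label, and is rejected directly under a top-level domain ('*.com').
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and bool(h[0]) and p[1:] == h[1:]
    return p == h

def uncovered(cert, hostnames):
    """Return the hostnames that no DNS subjectAltName entry covers."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]

def days_short(cert, needed_until):
    """Whole days between certificate expiry and needed_until (0 if it lasts)."""
    expiry = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return max(0, (needed_until - expiry).days)

def migration_report(cert, hostnames, needed_until):
    """Summarise both checks for a planned cut-over date."""
    return {"uncovered": uncovered(cert, hostnames),
            "days_short": days_short(cert, needed_until)}

if __name__ == "__main__":
    cutover = datetime(2004, 12, 20, tzinfo=timezone.utc)  # constructed date
    print(migration_report(SAMPLE_CERT,
                           ["old.domain.com", "new.domain.com"], cutover))
```

A non-zero `days_short` is the window in which visitors would see the expiry warning the post advises against relying on.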




