
> If it says the certificate for your bank is expired, you need to stop.

No I don't. At least not if it's recent. A certificate that expired in the last month is roughly equal in safety to a certificate that's valid for another month or two.

Expiration is a backup safety measure and the risk is mostly based on how long it's been since the certificate was issued.

Unless any banks are going around leaking keys right after they expire for some weird reason?



Err what? That certificate may well have been leaked, but because it expired the bank does not consider it an issue, no need to revoke it.

Certificate validity is binary. Either it all is, or it isn't. This includes "not before".
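The binary check this comment describes, as an added example that is not from the thread: it evaluates both bounds of the validity window on a dict in the shape `ssl.SSLSocket.getpeercert()` returns (the certificate below is constructed, with made-up names and dates), and it also reports the age since issuance that the earlier comment argues is the real risk driver, without letting that age override the binary result.

```python
import ssl
import time

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the subject, issuer and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

SECONDS_PER_DAY = 86400


def validity_status(cert, now=None):
    """Classify a certificate against its validity window the way a TLS
    client does: both bounds count, and the answer is one of three states."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


def days_since_issued(cert, now=None):
    """Age of the certificate in days, measured from notBefore."""
    now = time.time() if now is None else now
    return (now - ssl.cert_time_to_seconds(cert["notBefore"])) / SECONDS_PER_DAY


def assess(cert, now=None):
    """Binary trust decision plus the context a reviewer would want to log.
    Policy: anything outside the window is rejected; a certificate that
    expired yesterday is treated exactly like one that expired a year ago."""
    now = time.time() if now is None else now
    status = validity_status(cert, now)
    return {
        "status": status,
        "trusted": status == "valid",
        "age_days": days_since_issued(cert, now),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CERT))
```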


Not only that, banks are generally pretty diligent about that sort of thing and have enough customers and resources that if their website is misconfigured someone is going to report it immediately and they're going to fix it immediately. Which means that a certificate error on a bank site is suspicious.

Whereas a certificate error on a disused blog is pretty much what you'd expect from a disused blog.


We scream at the expired certificate, yet happily let CloudFlare be an official MitM. How ironic is that? :)


The chance that happened is pretty low. What kind of breach gets old keys but nothing else of note?



