Expired Certificate 1

tnsbuff

Technical User
Jan 23, 2002
216
US
Hi,

The hosting service I use has been displaying an expired certificate since December 2 when someone tries to use the checkout, and also when I try to log in to my account. I have contacted them twice about this, but nothing is being done.

How much of a security threat is it that the certificate has expired? I know that the customer service aspect is unacceptable and I would change to a different host immediately if not for the e-commerce setup being used on their server. (It would be quite a lot of work to change to a different e-commerce solution on a different host.)

My primary concern is the security of my customers' data, and also the loss of sales that I'm sure this has caused. Does this mean that the data is no longer secure?

Thanks for any suggestions/advice anyone can offer.

 
SSL is set up using asymmetric encryption, like PGP. You use one key to encrypt the data and another to decrypt it.

When you set up SSL on a web server, you generate your own keys. They're usually good forever.

But PKI systems include a key trust system. They deal with the question, "How do I know that the key I've been given is actually for the entity I want to get data from?"

Organizations like Verisign or Thawte (actually now the same organization) sign encryption keys. The assumption is that through the verification they do of the identity of an SSL site's operator, they can be trusted to state authoritatively that a key is valid for a particular site.

All that has happened is that Thawte's signature on your key has expired. The data is still being secured, it's just that no browser can implicitly trust the key any more.

Want the best answers? Ask the best questions: TANSTAAFL!!
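
The distinction drawn in the answer above (the connection is still encrypted, but validation of the certificate fails once its validity period has passed) can be monitored from the site owner's side. The following is an added example, not part of the original thread: the function names, the 30-day warning window and the sample `notAfter` value are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify code for an expired certificate


def days_remaining(not_after, now):
    """Whole days until expiry; not_after uses getpeercert()'s 'notAfter' format."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def classify(not_after, now, warn_days=30):
    """Return EXPIRED, RENEW_SOON or OK for a notAfter string at time `now`."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "EXPIRED"
    return "RENEW_SOON" if left < warn_days else "OK"


def check_host(host, port=443, timeout=5.0):
    """Connect with normal verification, as a browser would, and report the state."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Validation failed before any application data was exchanged.
        if exc.verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
            return "EXPIRED"
        return "UNTRUSTED: " + exc.verify_message
    return classify(not_after, datetime.now(timezone.utc))


# Constructed sample value, not taken from any real certificate.
SAMPLE_NOT_AFTER = "Dec  2 00:00:00 2005 GMT"

if __name__ == "__main__":
    for day in ("2005-06-01", "2005-11-20", "2005-12-10"):
        now = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        print(day, classify(SAMPLE_NOT_AFTER, now))
```

Running `check_host` on a schedule against the checkout hostname gives advance warning of an upcoming expiry instead of learning about it from customers.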
 
Thanks sleipnir214, but then how do I know if the key can be trusted if they've allowed the certificate to expire and seem to be unwilling to renew?

My customers don't know that their data is still secure. All they see is a big Security Warning saying that the certificate has expired, which doesn't instill a lot of confidence.
 
In terms of trust, I was only talking about trusting the signatures of Thawte or Verisign.

Only you can decide whether to trust your hosting provider. I don't know the procedures they have for renewing a certificate and if you have followed those procedures. Also, getting an SSL key signed costs money and I don't know whether you've paid those fees or not.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Hi,

It is a shared certificate using the host's secure server. I'm not paying for it. I think the issuer is Comodo. Are they reputable?
 
The problem will not be with the certificate signing authority. It's with your hosting provider.

And if the hosting provider is using a shared certificate, then everyone on that server is having problems with the expired signature.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Yes, this is my point. I have contacted the host twice about it. They say they are looking into it, but it still has not been renewed.

So, I guess what it comes down to is that if the host doesn't renew the certificate ... quickly, then my site loses credibility, which is unacceptable, even if the data is still technically secure.

Right?

Thanks for your help.

 