Full Disclosure: Re: Expired certificate

Re: Expired certificate

From: Junk Meat <junkmeat () goshawn com>
Date: Fri, 16 Jul 2010 14:31:27 -0400

Your right Dan, encryption still does take place.  However, its hard to 
understand why renewing
a certificate would take so long.  It should take no longer then 1/2 
hour to receive a renewed
ssl cert from a certificate authority in my opinion and maybe a few 
minutes to push it out depending
on the device that is publishing the cert.

You should tell them that your security policy prevents you from making 
a secure ftp transfer to a third
party with an expired certificate that contains non-public information 
and see how fast they renew
their certificate.

Basically you are now taking responsibility for any breach in the slight 
chance that anything does
happen (man-in-the-middle, or otherwise) because you now know about the 
problem.  Have them
acknowledge the expired ssl certificate on their end and sign-off on any 
potential litigation that may
result if a breach does happen to occur.

-Shawn Dermenjian


On 7/16/2010 1:10 PM, Daniel Sichel wrote:

OK, I am in the Golden state (California) where things are not so golden
at the moment.
I deal with a state agency and use their "secure" ftp site.
Their certificate has expired and won't be renewed for a few weeks, but
they want me to continue to ftp stuff
Using their expired cert.

So, as a relative n00b,  what are the risks?

Does it still encrypt even though, obviously, it can't be verified?

My guess is that this still encrypts, but there is no authentication,
possibly creating a man in the middle opportunity for some
Nefarious person with evil intent (nobody I know, or who is on this
list, of course).


Anyway, any info would be welcome from the cognoscenti who subscribe
here.

Thanks,
Dan Sichel

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Expired certificate Daniel Sichel (Jul 16)
- Re: Expired certificate Larry Seltzer (Jul 16)
  - Re: Expired certificate Dimitry Andric (Jul 16)
    - Re: Expired certificate Valdis . Kletnieks (Jul 16)
    - Re: Expired certificate Jan Schejbal (Jul 21)
    - Re: Expired certificate Ryan Castellucci (Jul 23)
- Re: Expired certificate Junk Meat (Jul 16)
  - Re: Expired certificate bk (Jul 16)
    - Re: Expired certificate Junk Meat (Jul 16)
    - Re: Expired certificate bk (Jul 16)
    - Re: Expired certificate Junk Meat (Jul 17)
    - Re: Expired certificate Dan Kaminsky (Jul 17)
    - Re: Expired certificate Pavel Kankovsky (Jul 18)
    - Re: Expired certificate Marsh Ray (Jul 20)
    - Re: Expired certificate Dan Kaminsky (Jul 23)
    - Re: Expired certificate Marsh Ray (Jul 23)
    - Re: Expired certificate Dan Kaminsky (Jul 23)

(Thread continues...)