httpd-users mailing list archives

From matt.fa...@gmail.com
Subject Re: [users@httpd] How does Apache handle expired server certificate and expired CAroot certificate?
Date Thu, 16 Oct 2008 10:00:06 GMT
The identity of the certificate might not be verified, but it still does the encryption if
the user is prepared to make a trust exception.

It would not be a good idea to pull off an expired cert without replacing it with a valid
one, as the reason for the cert is in most cases to force sensitive HTTP data to travel over
SSL.
I would prefer no data to insecure transmission. Developers and admins have overconfidence
in SSL and get lazy; there would doubtless be many security holes that would be exposed while
operating in plain text (no SSL) mode, which would make excellent springboards for later
attack. (Passwords sent in the URL, persistent session identifiers, etc.)

Matt Farey

