[lelanthran]

> Security is not something to sacrifice to gain less angry users.

Of course it is - it depends on Capital-C-Context.

Sure, for the bank, the site you are supplying your credit card details, your email, etc - security is non-negotiable.

For hackernews, for reddit, and for similar sites, then security is something to sacrifice, once again depending on context.

I've trusted this certificate for the last 2, maybe 3 years. It's unreasonable to assume that 5 minutes past midnight on the expiry date, the cert turned from "completely trustworthy" to "100% certainty that this is a phish, scam or similar".

We live in the real world. Things happen.

[junon]

I literally just said that I agree the UX is poor. Did you read my comment?

[lelanthran]

> I literally just said that I agree the UX is poor. Did you read my comment?

But I agree with that comment. The one I disagreed with is:

> Security is not something to sacrifice to gain less angry users.

Maybe I should rephrase (I'm a notoriously poor communicator) ...

Sometimes (like in the cases I pointed out), the security messages and warnings must be sacrificed because the practical security either doesn't matter (like hackernews) or hasn't been compromised (like the 5m after midnight example).

[junon]

Swallowing certificate expiration is not acceptable security, no. _Something_ needs to happen. What else is there than warning the user?

That being said, I've never liked how certificates are designed to begin with. They're overly complicated for very little gain IMO.