Hacker News new | ask | show | jobs
by starttoaster 592 days ago
edit: Misinformation, the below user is mostly correct. It IS still less secure than a properly validated TLS connection though.

The certificate is expired, your traffic to and from that site is not encrypted. If it were the case that your traffic could still be encrypted, what would even be the point of expiring the certificate?

You're correct that you can still access it, over an unencrypted connection, however.
1 comments
BenjiWiebe 592 days ago
An expired certificate still encrypts your traffic. You might have to change settings or click through a scary warning in your browser, but other than that a certificate doesn't magically quit working as soon as it expires. The expiration date is arbitrary.
link
starttoaster 592 days ago
You are correct, I had to do a bit of research. Because Chrome even explicitly states that traffic to a site with an expired certificate is unencrypted. But I guess that's mostly to scare you, because the truth is that it just opens you up to potential MitM attacks and other similar issues with regular ole HTTP, but traffic between you and an unverifiable identity is at least TLS encrypted.
link
yarg 592 days ago
> Because Chrome even explicitly states that traffic to a site with an expired certificate is unencrypted.

If that's the case, then Google's condescension is doing a disservice to its users.

link
BenjiWiebe 591 days ago
(Tested with Chromium, at https://expired.badssl.com) It says "Not Secure" on the left side of the address bar. It says "Privacy error" as the tab title. And then the body of the page:

<bold>Your connection is not private</bold> Attackers might be trying to steal your information from expired.badssl.com (for example, passwords, messages, or credit cards). Learn more about this warning net::ERR_CERT_DATE_INVALID

link