by ghjm 4880 days ago
People do understand that the certificate expiring does not affect security or encryption in any way, right? All it means is that some registrar wants to be paid now?
1 comment

It does affect security.

1. User visits site. Gets warned about expired certificate. Tells browser to go ahead and ignore the error.

2. Later, user visits site again. This time, though, someone is doing a MITM or DNS hijack. User gets warning about certificate not matching domain. User thinks it is just the expired warning, and so tells the browser to ignore it.

"Secure" is a whole system property. The whole system includes the users and their expectations. An expired certificate changes user expectations.