by billpg 4084 days ago
I wonder if browsers should, for (say) a week after a cert has expired, show an error so alarms are raised, but allow the dialog to be dismissed with an OK instead of all the "Confirm Security Exception" that would go on for a more serious cert rejection.
6 comments

I think the real problem is that, by assuming users won't read error messages carefully, and making them shorter/less informative as a result, we've been implicitly encouraging this behaviour, leading to even less attention paid to the messages, etc. and the vicious cycle continues.

The original argument was that seeing error messages often will make users ignore them, but I don't think certificate errors should be very common now. Either way, I think we should be encouraging users to read error messages more carefully. Maybe the Yes/No buttons on the dialog should be put in a random order, and the question randomly flips between "Do you want to proceed?" and "Do you want to abort?"... adding a "learn more" option would be a good idea too.

I like this idea. At the moment there is nothing that differentiates a "this cert expired yesterday" warning from a "someone is MITMing your connection" warning, at least not for the casual user.

And since the former is (sadly) pretty common, this only teaches people that these warnings are not that unusual, and can safely be overridden.

It would be much better to have one "the server admin forgot to renew his certificate" type of warning and another "a totalitarian regime is trying to spy on you" type of warning...

And because of this I overheard someone say "I just click Okay because else the website won't load!".
That is by far not the job of a browser to remind server administrators to renew their certs and display that message to random users.
Alas, in this imperfect world, phone calls from random users are how server admins are notified of cert expiry.
...where a 10-line cron script would have done the same job, in advance.
And then the cron job (that only needs to work every few years) breaks and you find out about it after the fact when a user complains.
Needs to work every few years for each domain. Unless all your certificates expire at the same time (or you only have a few), this will be triggered a few times per year.

And moreover, your scenario is essentially "worst case: fall back to previous behavior." That's not too bad...

In this "imperfect" world nowadays everyone tries to ship his responsibility to someone else.
I'll wait for someone else to respond to your comment.
I don't agree. If this happens, same rule should apply for domain name expiration.
You just made me wonder what happens if you have a cert but let the name expire. Can you MITM your old domain until the cert expires?
Sure, if you can get the client to connect through your machine.
If that's the case, shouldn't all certs only be valid until the domain expires, and all domain name sales should require revocation of all certs?
Sure, but how do you enforce the latter?
The latter can't be enforced, but individual buyers can demand that for all known certs.

And I think you can currently get certs expiring later than the domain, which seems wrong to me. Is there a good justification for that?

That's actually not a bad idea.
That shouldn't be default behaviour in any browser but rather a plugin that you can install that gives the notification. Preferably with a whitelist of websites that I want to get notifications of.
In Chrome, if I click "advanced", it tells me that it's expired, and how long ago.