Cert expired - ssl still working - whats the risk?

[fpjr843]

Looking for some feedback from the folks here that I can give to senior
managment.
My employees use a web-based application that is hosted by one of our
partners. Staff enter confidential and sensitive information on this web
site. Yesterday the digital certificate expired and the site administrators
are not reacting very quickly to get it renewed. I, as "big I.T. security",
have blocked my employees from accessing the web site. But now the manager
of the program is painting me as the stronghanded big brother. Its stopping
productivity and business flow. I realize that even though the cert expired
SSL is still working and encrypting the data. My sense is the only thing
lost by not having a valid cert is the ability to know for sure what web site
we are talking to. So what do you all think? Did I do the proper thing by
blocking access or should I relax a little?

 

[Alun Jones]

"fpjr843" <fpjr843@discussions.microsoft.com> wrote in message
news:F4ED5152-9565-4955-B06E-FE267693510C@microsoft.com...
> Looking for some feedback from the folks here that I can give to senior
> managment.
> My employees use a web-based application that is hosted by one of our
> partners. Staff enter confidential and sensitive information on this web
> site. Yesterday the digital certificate expired and the site
> administrators
> are not reacting very quickly to get it renewed. I, as "big I.T.
> security",
> have blocked my employees from accessing the web site. But now the
> manager
> of the program is painting me as the stronghanded big brother. Its
> stopping
> productivity and business flow. I realize that even though the cert
> expired
> SSL is still working and encrypting the data. My sense is the only thing
> lost by not having a valid cert is the ability to know for sure what web
> site
> we are talking to. So what do you all think? Did I do the proper thing
> by
> blocking access or should I relax a little?

SSL provides a few key things:
1. Authentication of the server - a guarantee that the host of the site has
proven to the satisfaction of an entity you trust that they are entitled to
host that site.
2. Encryption of data. [Yes, this can be disabled, but that's generally
something only a developer would do when testing.]
3. Integrity of data - from start to finish, no data has been dropped or
re-ordered, and that the finish itself is the true finish of the data, and
it hasn't been truncated by an attacker forging a closure.
4. Optional authentication of the client.

So, yes, you have lost item 1, because the host has not been able to prove
its identity recently enough to satisfy the CA's requirements for regular
re-identification. If you're on an internal system accessing another
internal system through an internal network with addresses provided by
internal DNS servers, then you probably have little to worry about. [If that
doesn't sound like a ringing endorsement, it's deliberate.]

But what else do you lose, if you give your employees instructions on how to
ignore the security message and simply click through?

You will lose your employees' cooperation in the security of your system.

You will have _trained_ your employees that it's acceptable to ignore a
security warning, and to simply click straight through it.

You will have also trained your IT department that renewing of certificates
is not an important task, and can be deferred, because "everyone just clicks
through anyway".

It's not the technical issue that is your biggest problem, right now, it's
the fact that you're being asked to tell your users and your staff that
security warnings are unimportant and can be ignored. That's an awareness
campaign that will take hundreds of expensive security awareness posters and
training sessions over several years to counteract, if you ever can.

Alun.
~~~~

 

[Brian Komar]

What is your written security policy (sorry not yours, the organization's).
If the policy states that the site must be protected by a valid SSL
certificate, then you are in the right.
If the policy states that data must be encrypted over the wire, then you
could interpret this as still being valid.
You are right that the problem should be fixed (it is a bad idea to get
users thinking that the warning box should be ignored).
You could be on DNS attack away from users connecting to a rogue site and
inputting confidential information

Brian

"fpjr843" <fpjr843@discussions.microsoft.com> wrote in message
news:F4ED5152-9565-4955-B06E-FE267693510C@microsoft.com...
> Looking for some feedback from the folks here that I can give to senior
> managment.
> My employees use a web-based application that is hosted by one of our
> partners. Staff enter confidential and sensitive information on this web
> site. Yesterday the digital certificate expired and the site
> administrators
> are not reacting very quickly to get it renewed. I, as "big I.T.
> security",
> have blocked my employees from accessing the web site. But now the
> manager
> of the program is painting me as the stronghanded big brother. Its
> stopping
> productivity and business flow. I realize that even though the cert
> expired
> SSL is still working and encrypting the data. My sense is the only thing
> lost by not having a valid cert is the ability to know for sure what web
> site
> we are talking to. So what do you all think? Did I do the proper thing
> by
> blocking access or should I relax a little?

 

[James Matthews]

Only if you trust the site

--

http://search.goldwatches.com/
http://www.jewelerslounge.com/
"fpjr843" <fpjr843@discussions.microsoft.com> wrote in message
news:F4ED5152-9565-4955-B06E-FE267693510C@microsoft.com...
> Looking for some feedback from the folks here that I can give to senior
> managment.
> My employees use a web-based application that is hosted by one of our
> partners. Staff enter confidential and sensitive information on this web
> site. Yesterday the digital certificate expired and the site
> administrators
> are not reacting very quickly to get it renewed. I, as "big I.T.
> security",
> have blocked my employees from accessing the web site. But now the
> manager
> of the program is painting me as the stronghanded big brother. Its
> stopping
> productivity and business flow. I realize that even though the cert
> expired
> SSL is still working and encrypting the data. My sense is the only thing
> lost by not having a valid cert is the ability to know for sure what web
> site
> we are talking to. So what do you all think? Did I do the proper thing
> by
> blocking access or should I relax a little?

 

[why not?]

get the manager of the programme to accept full responsibility for any
issues arising because of your concerns (but I bet they won't).

Get this in writing - see how quickly it is resolved


"James Matthews" <jamesmatt18@gmail.com> wrote in message
news:2DDF9814-9FF6-468A-979F-205700AFE7B1@microsoft.com...
> Only if you trust the site
>
> --
>
> http://search.goldwatches.com/
> http://www.jewelerslounge.com/
> "fpjr843" <fpjr843@discussions.microsoft.com> wrote in message
> news:F4ED5152-9565-4955-B06E-FE267693510C@microsoft.com...
>> Looking for some feedback from the folks here that I can give to senior
>> managment.
>> My employees use a web-based application that is hosted by one of our
>> partners. Staff enter confidential and sensitive information on this web
>> site. Yesterday the digital certificate expired and the site
>> administrators
>> are not reacting very quickly to get it renewed. I, as "big I.T.
>> security",
>> have blocked my employees from accessing the web site. But now the
>> manager
>> of the program is painting me as the stronghanded big brother. Its
>> stopping
>> productivity and business flow. I realize that even though the cert
>> expired
>> SSL is still working and encrypting the data. My sense is the only thing
>> lost by not having a valid cert is the ability to know for sure what web
>> site
>> we are talking to. So what do you all think? Did I do the proper
>> thing by
>> blocking access or should I relax a little?
>