Why you cannot ignore security alerts associated with SSL certificates

Keep one simple truth in mind: you should never ignore the security notices in your browser. Do not assume that clicking “Accept” will simply open the site without any problems.


Some sites even tell users that they can simply ignore the notification in the browser and accept the certificate to get to the site. One example of such a site is Maidstone.gov.uk. The SSL certificate for this site expired a few weeks ago, but instead of buying a new certificate, the owners decided to display a notice to their users. The statement posted on their website says: if you see a message that our certificate has expired, you can click “Continue”, nothing bad will happen.

It should be noted once again: if a certificate has expired, it is no longer safe to use. Browsers will display a warning that the site may pose a threat to users. Of course, certificates can expire, and this is no fault of the users. But why push users to accept the certificate and continue to use the site? Over time users will get used to doing so and will accept an SSL certificate even on a counterfeit site, letting their valuable data fall into the wrong hands.

Certificates expire for good reason. Before a certification authority issues a certificate for a site, it requires that the site be verified. Thus, a certificate may be issued only to those who actually own the website. The validity period exists so that site owners regularly reconfirm their data. Once the certificate has expired, the certification authority can no longer confirm the correctness of the site owner's data.


But this is only part of the problem. The most important point is that Maidstone gave bad advice to the site's users. Users may now assume that all the warnings that appear in the browser do not matter and can simply be ignored. The average user does not know what particular SSL errors mean or what to do when they appear. Does the expired certificate carry a high risk? Has the certificate been compromised? Was the site made for phishing?

Existing malware uses social engineering techniques to trick users. Some viruses spread through macros in Word documents. Microsoft tries in every way to counter this, but does not always succeed. Virus writers have learned clever tricks that urge users to run macros, supposedly to get correct formatting or to display images.

Sites must not compromise security in their own interests. To stay protected, it is enough to apply the existing procedures rather than push users toward workarounds. A site that advises users to bypass a warning plays into the hands of the creators of malicious software. Was it really so difficult for the owners of the Maidstone site to get a certificate? Experienced site administrators can easily get a new certificate and install it on the server. Many SSL certificate stores offer round-the-clock support and assistance with installation, so even housewives can deal with it.

Therefore, the owners of the Maidstone site did not care about their users, since they could not spare an extra hour to install a new certificate. Bad advice is a road to nowhere. We encourage users to always follow security measures and not to accept SSL certificates if they are not sure about a site’s legitimacy.
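For site operators, a monitoring check that flags a certificate before it expires, so that users never see the warning in the first place. This is an added example, not part of the original article; the 30-day renewal window, the function names and the sample certificate are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed renewal window; pick one that fits your process


def days_remaining(peer_cert, now=None):
    """Whole days until notAfter (negative once expired); takes a getpeercert() dict."""
    now = now or datetime.now(timezone.utc)
    not_after = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    return int((not_after - now.timestamp()) // 86400)


def classify(peer_cert, now=None, warn_days=WARN_DAYS):
    """Return 'EXPIRED', 'RENEW_NOW' or 'OK' for a parsed certificate."""
    left = days_remaining(peer_cert, now)
    if left < 0:
        return "EXPIRED"
    if left <= warn_days:
        return "RENEW_NOW"
    return "OK"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live server certificate with normal validation left on.

    An already expired certificate raises ssl.SSLCertVerificationError here,
    which a monitor should report as a failure rather than bypass.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format, so the example runs offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    for day in ("2024-06-01", "2024-12-15", "2025-01-20"):
        now = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, classify(SAMPLE_CERT, now), days_remaining(SAMPLE_CERT, now))
```

Run on a schedule against `fetch_peer_cert("your.site")`, a `RENEW_NOW` result leaves time to reissue and install the certificate before browsers start warning visitors.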

 
