Originally Posted by Sheldon Malm
Cruising online today, I came across an expired certificate on LinkedIn – the social networking site that most of us are at least familiar with. I’ve been speaking to the folks over at sslfail.com throughout the day and suspect they’ll be posting some description and screenshots shortly.
Fortunately, Firefox detected the expired cert. Unfortunately, this is further evidence that trusted online sites are still not taking their certificate management responsibilities seriously.
When I’ve talked to people about the mismanagement of certs in the past, it’s usually met with a yawn: “who cares, the certificate is expired”. The problem is that this kind of mismanagement trains people to ignore legitimate warnings. When a real issue does happen, with someone maliciously intercepting data, this lack of diligence leads people to assume that Firefox is spitting white noise. That’s the opposite of what we’re supposed to be doing to educate and reinforce a security mindset in the general public.
By the time you see this, LinkedIn likely will have resolved the issue. While this might demonstrate some level of responsiveness on their part (assuming that they get it cleaned up quickly), responsiveness is no replacement for tracking 90/60/30 days to expiry and keeping their operational house in order.
Makes you wonder how many security professionals clicked “I Understand the Risks” without blinking this morning.
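The 90/60/30-day expiry tracking the post calls for is straightforward to automate. The following is an added example, not code from the quoted post or from LinkedIn: it classifies certificates by days remaining using the `notAfter` string format that Python's `ssl.getpeercert()` returns, so the same logic can be fed from a live connection or from a stored inventory. The hostnames and dates below are constructed sample data, and the `SAMPLE_NOW` clock is fixed so the run is reproducible offline.

```python
import ssl
from datetime import datetime, timezone

# Alert thresholds, in days before expiry, matching the post's 90/60/30 cadence.
# Checked from tightest to loosest so a certificate gets the most urgent label.
THRESHOLDS_DAYS = (30, 60, 90)


def days_until_expiry(not_after, now):
    """Days from `now` until the certificate's notAfter date (negative = expired).

    `not_after` uses the string form ssl.getpeercert() returns in its
    'notAfter' field, e.g. 'Jun  1 12:00:00 2025 GMT'.
    """
    expiry_ts = ssl.cert_time_to_seconds(not_after)  # stdlib parser, UTC epoch
    return (expiry_ts - now.timestamp()) / 86400.0


def classify(not_after, now):
    """Return 'EXPIRED', 'WARN-30', 'WARN-60', 'WARN-90' or 'OK'."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    for threshold in THRESHOLDS_DAYS:
        if days <= threshold:
            return f"WARN-{threshold}"
    return "OK"


def review_inventory(inventory, now):
    """inventory: iterable of (hostname, notAfter) pairs.

    Returns a list of (hostname, status, days_remaining) tuples sorted so the
    most urgent entries come first; this is what a daily job would report on.
    """
    rows = [
        (host, classify(not_after, now), days_until_expiry(not_after, now))
        for host, not_after in inventory
    ]
    return sorted(rows, key=lambda row: row[2])


# Constructed sample data (hypothetical hosts and dates, not real certificates).
SAMPLE_NOW = datetime(2025, 6, 1, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    ("www.example.test", "May 30 23:59:59 2025 GMT"),   # already expired
    ("api.example.test", "Jun 20 12:00:00 2025 GMT"),   # 19.5 days left
    ("mail.example.test", "Jul 25 12:00:00 2025 GMT"),  # 54.5 days left
    ("cdn.example.test", "Aug 20 12:00:00 2025 GMT"),   # 80.5 days left
    ("blog.example.test", "Dec  1 00:00:00 2025 GMT"),  # 183 days left
]


if __name__ == "__main__":
    for host, status, days in review_inventory(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{status:<8} {days:7.1f} days  {host}")
```

For a live check, `ssl.create_default_context().wrap_socket(...).getpeercert()["notAfter"]` yields exactly the string `classify()` expects; the thresholds are deliberately a tuple so the cadence can be tightened for certificates that front high-traffic services.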