alexwhite19800

asked on

"There is a problem with this website's certificate"

We have a website, www.mycompany.com/internal

The site uses HTTPS however the certificate has expired.

I know some browsers (IE for example) throw up a prompt and ask the user if they want to proceed (not recommended)

We have another custom browser that just rejects connections to this site altogether.

I'm curious - is that custom browser doing the right thing? Should we allow users to choose, or should the website owner renew the certificate?

Why does the IE message say not recommended...what's the risk?
ASKER CERTIFIED SOLUTION
arnold
alexwhite19800

ASKER

Thanks - would you say a browser *should* deny access to a site with an old/invalid certificate?
SOLUTION
Yes, most browsers deny access, while some prompt the user on how to proceed, giving them the option to ignore the warning and actually proceed to the site anyway.
In others, the option to ask the user may be disabled by default. Access to the configuration is required to change that behavior.
As others have pointed out, the danger is that you might be connecting to a website that carries malicious content.  The certificate is there to do 2 things: (1) establish a secured (encrypted) connection between the website and the client; and (2) establish the legitimacy of the identity of the holder of the website registration. A properly configured SSL certificate does both of these things by being properly registered with a known certificate-issuing authority and by being current (i.e., not expired).  The problem you run into when you get the warning message could be that either one of those conditions doesn't exist.  That is, either the certificate is expired, or it was registered by an unknown issuer.  

If the certificate is expired, my advice would be not to continue past the warning message.  This is why the browser is configured by default to advise you not to continue - that's the safest course given all the possibilities and assuming that the person doing the browsing doesn't know how to determine whether the certificate is legitimate or not.

Your question specified that the website was an internal one.  If that's the case it's probably secured by a self-signed certificate which can be easily renewed internally.  If it's an external website, then you should advise users against connecting to any external website that's secured by a self-signed certificate.
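The two failure conditions this answer names (an expired certificate, an unknown issuer) plus the hostname check a browser also applies, as an added Go example that is not from the thread. `MakeSelfSigned` and `Verdict` are assumed helper names; the certificate is a constructed fixture standing in for the site's real one, and the verdict strings are my own labels for what the standard library's `Verify` reports.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// MakeSelfSigned builds a self-signed certificate for host covering the given
// validity window. Constructed fixture: it stands in for the site's real certificate.
func MakeSelfSigned(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore, NotAfter: notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// Verdict applies the checks a browser runs before trusting a site: validity window
// (is it expired?), chain to a trusted issuer, and hostname match. Any failure means
// the client should refuse the connection rather than let the user click through.
func Verdict(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	switch {
	case err == nil: return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired: return "expired"
	case errors.As(err, &unknown): return "untrusted_issuer"
	case errors.As(err, &hostErr): return "hostname_mismatch"
	}
	return "invalid"
}
```

Passing an empty `x509.NewCertPool()` as roots models a client that has no trust anchor for the issuer; passing `nil` would fall back to the system store.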