Hacker News

You are correct, I had to do a bit of research. Because Chrome even explicitly states that traffic to a site with an expired certificate is unencrypted. But I guess that's mostly to scare you, because the truth is that it just opens you up to potential MitM attacks and other similar issues with regular ole HTTP, but traffic between you and an unverifiable identity is at least TLS encrypted.



> Because Chrome even explicitly states that traffic to a site with an expired certificate is unencrypted.

If that's the case, then Google's condescension is doing a disservice to its users.


(Tested with Chromium, at https://expired.badssl.com) It says "Not Secure" on the left side of the address bar. It says "Privacy error" as the tab title. And then the body of the page:

Your connection is not private

Attackers might be trying to steal your information from expired.badssl.com (for example, passwords, messages, or credit cards). Learn more about this warning

net::ERR_CERT_DATE_INVALID



