I had a call from a head-hunter this morning, and I was fairly sure he was sounding me out for a Symantec job. So I went over to the Symantec careers web site to confirm my suspicions, only to have Firefox advise me to “Get me out of there”.
Now I certainly don’t expect careers advice from Firefox, nor am I trying to pick a fight with Symantec; their office is literally opposite ours in California (although you know how it would turn out if it came to a rumble). Plus, I hear it’s a great place to work anyway :)
What has actually happened is that the site’s certificate had expired and not yet been renewed, which is why the browser reports it as invalid. To some extent, certificates work like passports: they are issued by a trusted central authority, are normally valid only for a fixed period, and have to be renewed.
In technical terms, an expired certificate does not stop the website working: if the warning is clicked through, the connection is encrypted exactly as it would be with a current certificate, because the key and the cipher suite are unchanged. Clearly it doesn’t reflect well on the site owner’s processes, and there is a risk that something untoward is going on, but it is relatively minor. The risk is that once a certificate has expired, its issuer (the passport authority, if you like) may no longer publish whether that certificate has been revoked (a much more serious state of affairs) or why: a CA is permitted to drop expired certificates from its revocation lists, so a browser that has been told to accept an expired certificate is, in effect, also accepting it without a revocation check.
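To make the “passport” analogy concrete, here is an added example (not code from the original post) that builds a throwaway root CA and a server certificate whose validity ended on 1 August 2009, then runs the same checks a browser performs: chain to a trusted root, name match and validity window. The host name careers.example.com, the CA name and the dates are all constructed for the demonstration; the point is that the expired case fails on the validity period alone, with the chain and the name still perfectly good.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// serial is a simple counter so each constructed certificate gets a distinct, positive serial.
var serial int64

// issue mints a certificate for cn with the given validity window. With parent == nil the
// certificate is self-signed (our stand-in for a root CA); otherwise it is signed by parent.
// Everything is generated in memory; no real CA is involved.
func issue(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // browsers match the host against the SAN list
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildDemo constructs the fixture: a root valid for thirty years and a server certificate for
// the hypothetical host careers.example.com whose one-year validity ended on 1 August 2009.
func buildDemo() (leaf, root *x509.Certificate, err error) {
	root, rootKey, err := issue("Example Root CA", true,
		time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC), nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err = issue("careers.example.com", false,
		time.Date(2008, 8, 1, 0, 0, 0, 0, time.UTC), time.Date(2009, 8, 1, 0, 0, 0, 0, time.UTC), root, rootKey)
	return leaf, root, err
}

// verifyAt performs the checks a browser does before trusting a server certificate (trusted root,
// host name, validity window), evaluated at the supplied time rather than time.Now so the result is
// reproducible. expired is true only when the chain and name are fine and the validity period is
// the sole problem, which is exactly the situation behind the Firefox warning.
func verifyAt(leaf, root *x509.Certificate, host string, at time.Time) (ok, expired bool, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:       pool,
		DNSName:     host,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err == nil {
		return true, false, nil
	}
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.Expired {
		return false, true, err
	}
	return false, false, err
}

func main() {
	leaf, root, err := buildDemo()
	if err != nil {
		panic(err)
	}
	for _, at := range []time.Time{
		time.Date(2009, 6, 1, 0, 0, 0, 0, time.UTC),  // inside the validity window
		time.Date(2009, 8, 20, 0, 0, 0, 0, time.UTC), // after NotAfter: the "Get me out of there" case
	} {
		ok, expired, err := verifyAt(leaf, root, "careers.example.com", at)
		fmt.Printf("%s ok=%v expired=%v err=%v\n", at.Format("2006-01-02"), ok, expired, err)
	}
}
```

Note that Go’s verifier, like a browser, checks the validity window before it checks the host name, so an expired certificate presented by the wrong host is still reported as “expired”; the renewal problem masks whatever else may be wrong, which is one more reason not to treat the warning as noise. Nothing in this check consults a CRL or OCSP responder; revocation is a separate lookup, and for an expired certificate the issuer may have nothing to say.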
There is, however, a wider message to this. The real problem, as evidenced by a study at Carnegie-Mellon University presented last week at the Usenix Security Symposium 2009, is that the vast majority of internet users think that SSL warnings like this are of little consequence. This is partly because they see them on legitimate websites and have been conditioned to accept the risk and click through, and partly because the error messages presented by the leading browsers very often give the user information they do not understand and then ask them to make a decision they do not have the resources to make.
Below is the same error with the “Technical Details” and “I Understand the Risks” sections expanded. I think it’s fair to say that if I asked my mum to explain what it meant, she would offer to go and make me a cup of tea instead. To be fair, how many users even read the messages before deciding to ignore them?