cert expired - worry or not?

G

Guest

Looking for some feedback from the folks here that I can give to senior
managment.
My employees use a web-based application that is hosted by one of our
partners. Staff enter confidential and sensitive information on this web
site. Yesterday the digital certificate expired and the site administrators
are not reacting very quickly to get it renewed. I, as "big I.T. security",
have blocked my employees from accessing the web site. But now the manager
of the program is painting me as the stronghanded big brother. Its stopping
productivity and business flow. I realize that even though the cert expired
SSL is still working and encrypting the data. My sense is the only thing
lost by not having a valid cert is the ability to know for sure what web site
we are talking to. So what do you all think? Did I do the proper thing by
blocking access or should I relax a little?
 
A

Allan

fpjr843 said:
Looking for some feedback from the folks here that I can give to senior
managment.
My employees use a web-based application that is hosted by one of our
partners. Staff enter confidential and sensitive information on this web
site. Yesterday the digital certificate expired and the site
administrators
are not reacting very quickly to get it renewed. I, as "big I.T.
security",
have blocked my employees from accessing the web site. But now the
manager
of the program is painting me as the stronghanded big brother. Its
stopping
productivity and business flow. I realize that even though the cert
expired
SSL is still working and encrypting the data. My sense is the only thing
lost by not having a valid cert is the ability to know for sure what web
site
we are talking to. So what do you all think? Did I do the proper thing
by
blocking access or should I relax a little?
Click to expand...
You have stated that the information is "confidential and sensitive", which
is the reason you are using a secure connection. If the certificate is
expired the site administrator cannot authenticate the site and therefore
you are correct; simply stop sending data to the site until it is fixed. The
alternative is that your company could be audited and found to be in breach
of accepted security practices. Even worse, you could be sued by third
parties for negligence.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

can't get new or renew certs from exchange only after root ca cert expired 2
Internet Explorer is NOT to blame for the Flash advertisement problem !! 1
Whether to get Win XP Home or Pro 8
The Man Who Spilled the Secrets =haxored 5
How To Get 1 Million Visitors Without Paying A Dime In Advertising 0
*How MSFT *Deliberately, Arrogantly, Egregiously, and Totally* Fails to Support their Products* 14
"Release Candidate?" Vista is not even close. 58
History of Xbox 360 defects - Dean Takahashi has the inside story(long) 2

Top