{"id":3270,"date":"2016-12-09T21:15:25","date_gmt":"2016-12-10T02:15:25","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=3270"},"modified":"2023-04-07T15:19:02","modified_gmt":"2023-04-07T19:19:02","slug":"not-okay-ignore-certificate-warnings","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/not-okay-ignore-certificate-warnings\/","title":{"rendered":"No, It\u2019s Not Okay To Ignore Certificate Warnings"},"content":{"rendered":"<h2>UK Government website tells users to ignore security warning.<\/h2>\n<p>I came across some troubling security advice today, and I wanted to set the record straight: No, you should not ignore certificate warnings in your browser, and no, it is not \u201csafe to continue\u201d past these warnings.<\/p>\n<p>This troubling advice came from <a href=\"http:\/\/www.maidstone.gov.uk\" rel=\"nofollow\">Maidstone.gov.uk<\/a>, the website for the Borough of Maidstone, a district in Kent, England.<\/p>\n<p>Their SSL certificate expired earlier this week, and instead of acquiring and installing a new certificate (which is a basic, routine part of maintaining a website), they published a notice across the top of their page, reading \u201cIf you get a message saying our security certificate has expired when using our forms, it\u2019s still safe to continue.\u201d<\/p>\n<figure id=\"attachment_3272\" aria-describedby=\"caption-attachment-3272\" style=\"width: 975px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3272 size-full\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/12\/CertificateWarnings.png\" alt=\"Certificate Warnings\" width=\"975\" height=\"450\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/12\/CertificateWarnings.png 975w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/12\/CertificateWarnings-300x138.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/12\/CertificateWarnings-768x354.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><figcaption id=\"caption-attachment-3272\" class=\"wp-caption-text\">Maidstone.gov.uk\u2019s terrible security advice, first pointed out by Twitter user @GaryW_.<\/figcaption><\/figure>\n<p>When an SSL certificate expires, they are no longer safe to use, and web browsers display a full-page interstitial warning when they encounter expired certificates.<\/p>\n<span style=\"--tl-form-height-m:150.25px;--tl-form-height-t:121.4583px;--tl-form-height-d:121.4583px;\" class=\"tl-placeholder-f-type-shortcode_12753 tl-preload-form\"><span><\/span><\/span>\n<p>Now, certificate expiration happens all the time, and we don\u2019t fault people for that. But encouraging users to ignore warnings? That is downright irresponsible.<\/p>\n<p>First, SSL certificates have an expiration date for a reason. When a Certificate Authority (CA) issues a certificate to a website, it required that the website proved its identity, so to prevent people from getting a certificate for a website they don\u2019t own. The expiration period exists to make sure a website regularly provides this proof, for the same reasons that any important form of ID expires.<\/p>\n<p>Once a certificate expires, a CA is saying that they can no longer attest to the website\u2019s identity. They also stop supporting it, so important factors like revocation status are no longer published. We <a href=\"https:\/\/www.thesslstore.com\/blog\/ssl-certificates-expire\/\">previously gave an in-depth explanation why SSL certificates expire<\/a>.<\/p>\n<p>But the bigger problem is that MaidStone is teaching users that <strong>warnings don\u2019t matter<\/strong>. Someone who reads this advice from Maidstone and clicks through their browser\u2019s warning is going to internalize that advice.<\/p>\n<p>The average user is not going to be able to distinguish between, or make an educated decision about, the various SSL errors they come across. Is it an expired cert that poses relatively little risk? Is it a revoked certificate that has been compromised? Is it a phishing site?<\/p>\n<p>We don\u2019t need to just focus on website security. Many ransomware strains and other malware will use social engineering to trick users into turning security measures off. Some malware distributes itself via macros embedded in Word documents. As Microsoft has tried to counter this problem, malware authors have learned clever tricks, like inserting an image that mimics the Word UI, instructing the user to enable macros to enable \u201cspecial formatting\u201d or \u201cproper display\u201d of the file.<\/p>\n<figure id=\"attachment_3271\" aria-describedby=\"caption-attachment-3271\" style=\"width: 975px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-3271\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/12\/CertificateWarnings2.png\" alt=\"Certificate Warnings\" width=\"975\" height=\"726\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/12\/CertificateWarnings2.png 975w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/12\/CertificateWarnings2-300x223.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/12\/CertificateWarnings2-768x572.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><figcaption id=\"caption-attachment-3271\" class=\"wp-caption-text\">An example of malware that tries to mimic Microsoft Word&#8217;s UI to trick user&#8217;s into turning off security measures.<\/figcaption><\/figure>\n<p>Individual websites cannot act in their own interest at the cost of security as a whole. Everyone needs to be encouraging good security hygiene by abiding by standard procedures, and not encouraging their users to circumvent legitimate security measures.<\/p>\n<p>Every time a legitimate website tells a user to ignore security precautions, it aides malicious actors trying to trick them.<\/p>\n<p>Someone from Maidstone\u2019s team was clearly around to publish that notice on their site, but they could not be bothered to get a new certificate? An experienced server administrator should be able to get a new certificate installed in under an hour \u2013 and SSL providers like us offer 24\/7 support because we know everyone isn\u2019t an SSL expert.<\/p>\n<p>So consider how much care Maidstone.gov.uk has for their users when they can\u2019t take an hour to acquire a new SSL certificate, and think about who might get phished, scammed, or otherwise harmed by applying Maidstone\u2019s bad security advice elsewhere.<\/p>\n<span style=\"--tl-form-height-m:150.25px;--tl-form-height-t:121.4583px;--tl-form-height-d:121.4583px;\" class=\"tl-placeholder-f-type-shortcode_12753 tl-preload-form\"><span><\/span><\/span>\n","protected":false},"excerpt":{"rendered":"<p>UK Government website tells users to ignore security warning. I came across some troubling security advice today, and I wanted to set the record straight: No, you should not ignore&#8230;<\/p>\n","protected":false},"author":2,"featured_media":3273,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[288,289,287,161],"class_list":["post-3270","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-browser-warnings","tag-certificate-warnings","tag-ssl-certificate-expired","tag-tls","post-with-tags"],"views":16900,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/12\/iStock-183372397.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/3270","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=3270"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/3270\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/3273"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=3270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=3270"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=3270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}