Does it matter if a website's security certificate has expired?
August 1, 2006 1:17 AM
When I try and buy something online using my Barclays debit card, I am forwarded to a Verified by Visa page on Barclays' site (not that one, but similar). Now, this seems like a generally useless service, but the other week I was unable to click "skip this step" as I would normally do, and had to sign up. Now, the https://verifiedbyvisa.barclays.co.uk security certificate has expired, and not been replaced since Sunday. Does this mean my transaction is no longer secure? If so, do I just have to twiddle my thumbs and not buy anything until they update?
Your connection is still encrypted and secure, provided the expired cert is still coming from Barclays and isn't actually an older compromised one that somebody is using to fool you.
But this is bad form for any sort of financial institution. Call them on it.
posted by beerbajay at 1:44 AM on August 1, 2006
As a site visitor, it doesn't matter. Your connection is still encrypted and just as secure as before. It only matters to site owners, since expired certs cause scary "certificate expired" warnings to pop up.
posted by Khalad at 6:15 AM on August 1, 2006
Whilst it's probably just a mistake on the part of Visa, they shouldn't be making mistakes like that. Don't buy anything, but telephone Visa and tell them you are having this trouble.
This looks like Barclays' problem, not Visa's. The certificate for verifiedbyvisa.barclays.co.uk wasn't renewed when it should have been (which is a different certificate for the ibank.barclays.co.uk, which was renewed July 4th).
posted by justkevin at 6:19 AM on August 1, 2006
a) yes, Barclays' mistake, not Visa's
b) yes, still encrypted
c) the purpose of certificates is to prove to you that the other end is who they say they are, and such certificates are usually verified with a third party such as Verisign, Globalsign, etc. You can click in the options of your browser, snoop around and you'll find this info. So, when the certificate is expired, it means that Barclays hasn't renewed or installed their new cert. I would probably trust it if I'd used the site regularly before. If it was a new site I was going to do some financial transaction, I would not until I saw the problem solved.
In any case, it's certainly encrypted. The main question, at a technical level, is whether you trust this Barclays site or not.
posted by poppo at 7:25 AM on August 1, 2006
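As an added example (not part of the thread and not any poster's code), the sketch below separates the two identity checks discussed above, validity dates and hostname match, using the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns. The certificate dates and issuer are constructed, the helper names `cert_names`, `name_matches` and `triage` are hypothetical, and chain trust and revocation are not covered.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# Dates and issuer are invented for illustration, not the real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "verifiedbyvisa.barclays.co.uk"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notBefore": "Jul 30 00:00:00 2005 GMT",
    "notAfter": "Jul 30 23:59:59 2006 GMT",
    "subjectAltName": (("DNS", "verifiedbyvisa.barclays.co.uk"),),
}


def cert_names(cert):
    """DNS names the certificate claims (SAN first, CN as legacy fallback)."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(pattern, host):
    """Exact match, or a leftmost '*' label standing in for exactly one label."""
    p, h = pattern.split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def triage(cert, host, now):
    """Return the identity checks that fail; an empty list means both pass."""
    ts = now.timestamp()
    problems = []
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    expired_for = ts - ssl.cert_time_to_seconds(cert["notAfter"])
    if expired_for > 0:
        problems.append(f"expired {int(expired_for // 86400)} day(s) ago")
    if not any(name_matches(n, host) for n in cert_names(cert)):
        problems.append("name mismatch")
    return problems


if __name__ == "__main__":
    when = datetime(2006, 8, 1, 1, 17, tzinfo=timezone.utc)
    print(triage(SAMPLE_CERT, "verifiedbyvisa.barclays.co.uk", when))
    print(triage(SAMPLE_CERT, "ibank.barclays.co.uk", when))
```

An expiry-only result means the name still matches the site requested; a name mismatch is a different failure and would be reported separately.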
Um, I'd be a little concerned (not much, mind you).
IP for verifiedbyvisa.barclays.co.uk is 83.231.138.172 (not in their IP block).
That subdomain can be pretty much pointing anywhere if Barclays' DNS has been compromised (not likely), and there's a very good chance that this IS NOT necessarily Barclays' fault (most likely a 3rd party verification system).
So -- it is SOMEONE's mistake (either Visa or a 3rd party contracted by them).
Just because it's in the domain name doesn't mean it's hosted in the same server farm. Yes, it makes Barclays look bad, but chances are they have no control over the certificate installation.
posted by tj at 12:19 PM on August 1, 2006
(and then being the curmudgeon I am I would complain and threaten to change credit card and see if I got anything nice as a result. I got twenty quid off Mastercard when they sent me a card with a valid from date that was 30 days after the valid till date.)
posted by edd at 1:37 AM on August 1, 2006