cert expired - worry or not?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Looking for some feedback from the folks here that I can give to senior
managment.
My employees use a web-based application that is hosted by one of our
partners. Staff enter confidential and sensitive information on this web
site. Yesterday the digital certificate expired and the site administrators
are not reacting very quickly to get it renewed. I, as "big I.T. security",
have blocked my employees from accessing the web site. But now the manager
of the program is painting me as the stronghanded big brother. Its stopping
productivity and business flow. I realize that even though the cert expired
SSL is still working and encrypting the data. My sense is the only thing
lost by not having a valid cert is the ability to know for sure what web site
we are talking to. So what do you all think? Did I do the proper thing by
blocking access or should I relax a little?
 
fpjr843 said:
Looking for some feedback from the folks here that I can give to senior
managment.
My employees use a web-based application that is hosted by one of our
partners. Staff enter confidential and sensitive information on this web
site. Yesterday the digital certificate expired and the site
administrators
are not reacting very quickly to get it renewed. I, as "big I.T.
security",
have blocked my employees from accessing the web site. But now the
manager
of the program is painting me as the stronghanded big brother. Its
stopping
productivity and business flow. I realize that even though the cert
expired
SSL is still working and encrypting the data. My sense is the only thing
lost by not having a valid cert is the ability to know for sure what web
site
we are talking to. So what do you all think? Did I do the proper thing
by
blocking access or should I relax a little?
You have stated that the information is "confidential and sensitive", which
is the reason you are using a secure connection. If the certificate is
expired the site administrator cannot authenticate the site and therefore
you are correct; simply stop sending data to the site until it is fixed. The
alternative is that your company could be audited and found to be in breach
of accepted security practices. Even worse, you could be sued by third
parties for negligence.
 
Back
Top