Does expired mean it is not working anymore?
When an SSL certificate is signed, it gets an expiry date. It doesn't matter whether it is "self-signed" (signed by an untrusted party, for instance the web server itself) or whether a public CA (Certificate Authority) vouches for the authenticity of the keys: the certificate is valid for a predefined period of time. Does that mean that when this date has passed and the certificate has not been renewed, the website (or whatever other service the certificate was protecting) stops working? More precisely, does encryption stop working? The answer is simple: no. Encryption still works; the certificate itself does not lose any of its functionality because it has expired. But does the service (web server, etc.) stop working when an expired certificate is used? That depends solely on the program that is using the certificate. It might decide to stop working, but again, not because the certificate itself has stopped functioning.
But why different lifespans?
SSL certificates can have different lifespans, as little as a few days or as long as many years. Simply put, a certificate can be cracked; it is just a matter of time. Attackers can guess or brute-force the private key, which is a very long, 309-digit prime number, and that can take decades or longer to figure out, but eventually it will be cracked. That's why certificates are changed every so often. If an attacker figures out the private key, they can decrypt the communication between the server and any client. Now, how do I decide what validity period I need? It depends on your security needs and your wallet. Public CAs offer certificates that are valid for 1, 2 and 3 years; the longer the lifespan, the more expensive they are. It is very unlikely that a private key is cracked within any of these time periods. A 3-year SSL certificate is more expensive simply because the CA charges you for the convenience of not being bothered with SSL expiry dates for a longer time. Also, it is cheaper to pay a slightly higher price once than to pay for SSL renewals every year.
Is a 3-year SSL more secure than one which is valid for only 1 year?
No. They all use the same key lengths (256-bit usually) and algorithms (RSA or, more likely, elliptic-curve DH).
So, Safe or Not?
Yes and no. Yes, because an expired certificate provides just as strong encryption as before expiry. At this point, let's talk about the reason why SSL certificates are signed. An SSL certificate does not only provide encryption; it also proves that you are visiting the authentic website, as a public CA only signs a certificate once the owner has been verified. This way you can make sure that the data you share with the visited server (credit card details during payments or other personal information) is in safe hands. The reason why using a publicly verified SSL certificate is important is that any website can be spoofed. Your network traffic can be redirected to a rogue web server that acts as the original but is owned by malicious parties. This is where a valid SSL certificate protects you. The rogue website will not have the private key of the original certificate, as that is solely owned by the original web server, so it can only use a "forged" one instead, which will trigger a security warning in your web browser. However, if that warning appears only because the certificate is expired, not because it comes from an untrusted CA, you might safely use the website despite the warning.
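As an added example (not part of the original post), the following Go program puts two of the points above into practice: that expiry is a policy decision made by the relying program while the cryptography keeps working, and that a verifier distinguishes "expired" from "untrusted issuer". It issues a self-signed certificate that expired a day ago, then lets three differently configured TLS clients and a raw signature check judge it, and finally presents a fresh self-signed certificate to a client with an empty trust store. Everything in it is constructed: the host name `expired.example.test`, the validity window, and the loopback TCP server it talks to; only Go's standard library (`crypto/tls`, `crypto/x509`) is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

const host = "expired.example.test" // constructed host name, not from the original post

// newSelfSigned builds a self-signed ECDSA certificate for host valid from notBefore to notAfter; neither creating nor loading it cares whether that window has already closed.
func newSelfSigned(notBefore, notAfter time.Time) (*x509.Certificate, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // demo only: local key generation failing has no sensible recovery here
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{host},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced one line above; parsing cannot fail
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}
}

// verdict reduces a verification or handshake error to the reason a browser would show: "ok", "expired", "untrusted issuer", or the raw error text.
func verdict(err error) string {
	var inv x509.CertificateInvalidError
	var unk x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &inv) && inv.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &unk):
		return "untrusted issuer"
	}
	return "error: " + err.Error()
}

// handshake runs a real TLS handshake over loopback TCP against a server presenting srvCert and returns the client's handshake error (nil when an encrypted session was established).
func handshake(srvCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{srvCert}}).Handshake()
		}
		srvDone <- err
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	err = tls.Client(conn, clientCfg).Handshake()
	conn.Close() // closing first guarantees the server side unblocks even after a client timeout
	<-srvDone
	return err
}

// runDemo issues a certificate that expired a day ago (plus a fresh one) and records what each relying party makes of them.
func runDemo() map[string]string {
	now := time.Now()
	cert, srvCert := newSelfSigned(now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	_, freshCert := newSelfSigned(now.Add(-time.Hour), now.Add(time.Hour))
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	// Same trust store, but this client's clock is pinned to an instant inside the validity window.
	rewound := &tls.Config{RootCAs: roots, ServerName: host, Time: func() time.Time { return now.Add(-36 * time.Hour) }}
	return map[string]string{
		"strict-now":      verdict(handshake(srvCert, &tls.Config{RootCAs: roots, ServerName: host})), // policy check rejects it: expired
		"strict-rewound":  verdict(handshake(srvCert, rewound)),                                        // same cert and key, accepted inside the window
		"skip-verify":     verdict(handshake(srvCert, &tls.Config{InsecureSkipVerify: true})),         // encrypted session, nothing checked
		"untrusted-fresh": verdict(handshake(freshCert, &tls.Config{RootCAs: x509.NewCertPool(), ServerName: host})), // valid dates, unknown issuer
		"signature":       verdict(cert.CheckSignatureFrom(cert)),                                     // the signature itself ignores the calendar
	}
}
```

Run it with `go run` and print the map from a small `main`, or call `runDemo()` from a test. The strict client refuses the expired certificate purely on the validity window; the client whose clock is rewound accepts the very same certificate and key, which is the post's point that nothing cryptographic has changed; the client that skips verification still completes an encrypted session, showing that the decision to stop belongs to the program, not the certificate; and the fresh self-signed certificate against an empty trust store produces the separate "untrusted issuer" verdict, which is the warning the post says you should not click through. The signature check on the certificate itself succeeds regardless of the date, for the same reason.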