H3-2021-0025
Expired SSL/TLS Certificate
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 0.1 |
Description
The SSL/TLS certificate has expired or is close to expiring.
Impact
An expired certificate causes browser security warnings to appear when a user browses to the web site using the certificate. These warnings erode user trust in the web site and create alert fatigue. Attackers can take advantage of this by launching man-in-the-middle attacks using a fraudulent certificate and tricking users into divulging confidential information. If the web site uses HTTP Strict Transport Security (HSTS) and has an expired certificate, users won't be able to browse to it at all.
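One way to check for the condition in the Description, as an added example that is not part of the original advisory: it classifies a certificate's `notAfter` date and, for a live host, treats a handshake rejected with OpenSSL's "certificate has expired" verify code as expired. The 30-day warning window, the function names and the sample dates are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30                    # assumed "close to expiring" window; the advisory gives none
X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verification error code


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Return (status, whole_days_left) for a notAfter string such as
    'Jun  1 12:00:00 2025 GMT' (the format used by getpeercert() and
    `openssl x509 -enddate`)."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    remaining = expires - now
    if remaining < timedelta(0):
        return "expired", remaining.days
    if remaining <= timedelta(days=warn_days):
        return "expiring", remaining.days
    return "ok", remaining.days


def check_host(host, port=443, timeout=5.0):
    """Classify the certificate a live server presents.

    A verifying client never receives the parsed fields of an expired
    certificate: the handshake fails first. That failure is mapped to
    'expired'; any other verification error is re-raised unchanged."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        if exc.verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
            return "expired", None
        raise


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical names and dates), checked offline.
    now = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    inventory = {"old.example.test": "May 31 12:00:00 2025 GMT",
                 "soon.example.test": "Jun 11 12:00:00 2025 GMT",
                 "fine.example.test": "Jun  1 12:00:00 2026 GMT"}
    for name, not_after in inventory.items():
        print(name, *classify(not_after, now=now))
```
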