Safari is obviously not following current security practices if it
actually allows you to get content from that site (not just a warning
about the expired certificate).
The code on the site enforces HSTS - which stands for "HTTP Strict
Transport Security" - if the HTTPS browser transaction fails for any
reason, the browser is supposed to refuse to connect. If it's allowing
connection to the actual site (not just giving a warning), then it's
breaking protocol.
And yeah, an expired certificate can be evidence of many things - a
MiTM (Man in The Middle) compromise being one of them. Allowing this
override could allow a site hack to direct you to a site which mimics
the original - but which delivers a malicious payload instead. That's
part of the reason HTTPS everywhere was brought into being.
DaZZa
On Wed, 20 Sept 2023 at 20:17, DeliaDee via groups.io
<terrapin19148@...> wrote:
I use Safari which will connect if I force it to (it argues with me but I am adamant). The only problem - that I can see - is that the certificate is expired. I'm pretty ignorant about these things. Is it really that much of a risk if it's a website that has been visited many many many times before the certificate expired?
--
veg·e·tar·i·an:
Ancient tribal slang for the village idiot who can't hunt, fish or ride