Imagine a safety critical system with a firewall that checks the certificate. This is the scenario the sellers of firewalls are after to defend against 'terrorist' cyber attacks.

Now imagine that they forget to renew the certificate and bingo, they can no longer turn on the safety cooler on your nuclear reactor because the firewall rejects the commands to do it.

I think they should continue to do what they've always done and not connect critical control systems to public networks.... it's the best way to protect a system.

It strikes me that the business/security processes surrounding their website are, ahem, somewhat on the loose side of efficient. It's not exactly hard to predict when a cert expires, and there's no law against getting a new one early.

Having said that, HSBC engages in a few practices I would definitely warn customers about. It has started a "global logon" scheme where with one logon you get a consolidated view of all your accounts globally. It fails to mention that you can be compelled by UK tax authrities to give up your logon credentials, at which point you expose all your assets. Ditto if your details got hacked (all you need is a screen logged and that virtual keyboard is history, plus the session is prone to phishing/man-in-the-middle risks like virtually every other ebank setup).

I do not promote tax evasion (it's a dumb idea - move country instead), but there could be many reasons why a bit of segregation is an intelligent idea, but I notice a remarkable absence in the HSBC literature on the risks of this 'feature'.

Is this the price they agreed to pay for keeping Inland Revenue at bay? Customer entrapment?

I would not log on if the certificate warning appeared as it might be as phishing site. Therfore I would consider all functionality lost. I bet if it was the other way round and you gave your details to someone else as you ignored the warning the bank would blame you for any fraud.

I got an expired cert from Google's ad server last week sometime. Anyone else see that one?

I had one of calls when someone attempted to buy a TV with my card details. They didn't ask for any address/maiden name etc (and if they had I would have refused). The only sensitive question they asked was whether I had made any purchases today and if so where.

The real security problem with this is that the bank is giving out the message that if you get a security warning visiting them then its okay to ignore it because it really is them.

... and let us know what they say. Don't let them get away with ambiguous waffle. (You *are* journalists aren't you?)

"Should customers use the site even when there isn't a valid certificate?"

Jesus - who DOESN'T have their web browser configured to warn about invalid certitficates?

I must admit, I wouldn't have the first clue how to tell FF or IE to not warn, and I'm happy with that.

How many people used the site anyway, even with the invalid certificate?

Strikes me that people don't actually care about the identity on the certificate itself, just that the connection is secured with “military-grade encryption”: we'd all do well to dispense with CA-issued certificates and just work on the SSH model of “accept once, warn if signature changes” instead.

Still, I'm *sure* EV will change all of this. No, it will, really!

You can still see that it's a genuine certificate issued to the correct party, so the warning will tell you that the site is okay. It will also tell you that the problem is that the certificate has expired. If the certificate had been revoked then this would be a different story.

It would look suspicious that a major bank had let it's certificate expire, but you would easily be able to confirm that the site itself was genuine.

I don't know where the technical people were when they reviewed this article, but "... they could be logging into a website pretending to be something it was not, this was obviously not the case". Is not true.

A phising sire could easily have it's own certificate or no certificate at all and the user would probably not notice. Having a certificate that is expired would be stupid for a phishing site as it attracts too much attention.

We are all looking at this from a tech savvy, technical point of view.

Your average Manager or whatever wouldn't know what a certificate was or how to check it.

They simply see the warning and freak (most people don't read messages, if they did it would make my life a lot easier because I could get straight to fixing a problem rather than having to decipher the error their software has been producing when they just say I got an error message)

Domino's (pizza) - www.dominos.co.uk either definetly HAD or does have issues (although can't find the issue anymore)

so let's be fair, loads of sites fail to use their brains.

I must admit this is one of my pet peeves about SSL certs, the coms are still encrypted they don't suddenly become breakable.

It is a collusion of browser makers and certificate organizations, in fact it makes for security or usability a bit less at the point of renewal.

Still they are a large organisation and they could/should have this under control.

Really the browsers should make a discrete warning that the cert is out of date, not a great big warning dialog. That warning dialog should be used for compromised certs and those where the domain does not match, not for a few days out, those should be a little toolbar warning.

I'm a geek, but not in the web/security area and I sure would not know how to checkan expired certificate or how to fix it. Joe Sixpack has even less chance.

It is also not reasonable to expect everyone to learn all this mumbo-jumbo. The technology should just work. After n years we should expect that the technolgy can actually do the job without having to do a pre-log-in checklist and being licenced by Civil Internet to use a browser.

Look at cars. How many people know how the advance/retard timing works? How many people can check their carb settings? The correct answer is of course that the average person should not have to know how this works.

There is absolutely no reason why computer technology can't reach this level of simplicity.

"That's a month or so from the time HSBC clarify how and why their certificate-less site was "obviously not" a fake.)"

IE6 says

"The security certificate is from a trusted certifying authority

The security certificate has expired or is not yet valid

The security certificate has a valid name matching the name of the page you are trying to view.

Do you want to proceed?"

with green check marks against the first and 3rd point, and a yellow warning symbol on the 3rd.

Firefox 2 says

"<server name>" is a site that uses a security certificate to encrypt data during transmission, but its certificate expired on <date time>.

You should check to make sure that your computer's time is correct.

Would you like to continue anyway?"

Both browsers make it fairly clear to anyone who bothers reading the error message that the site is "obviously not a fake". The Firefox message even hints that you can generate the message your self for any site you want to, just by changing your own system clock to be a date outside the purely arbitrary "expiration" date for for the certificate.

"Such slip-ups are generally best considered as minor foibles."

An expired or "untrusted" cert might very well preclude use of a web site. A browser or OS SSL stack can easily be configured to not accept such certificates. A Microsoft IE7 browser configured to US NIST FDCC settings is one example; a OLPC system is another.

"...it's only fair to expect them to provide positive confirmation of their identity online..."

It is not positive confirmation of identity; it is simply one's SSL stack not complaining about the certificate signatory.

This is a lot more common than people think...

"Both browsers make it fairly clear to anyone who bothers reading the error message that the site is "obviously not a fake".

A fair point, if you are prepared to equate reading with understanding. There are just three problems.

Firstly, "security certificate", "trusted certifying authority" and "name" are jargon terms. Replace them with pitchfork, gardener and carrot. Now re-read the error messages and I think you'll find that it is no longer obvious that the expiry failure is less serious than the other two.

Secondly, whilst I have accepted certificates under these circumstances, my "advice to grandma" would always be "If there's a problem, don't accept it.". I *hope* that the vast majority of web users default to mis-trusting institutions who can't keep their paperwork in order. (I doubt it, but it is something to wish for.)

Thirdly, *I* wouldn't accept this certificate for online banking. If they can't even get this right, what else is wrong? This is my money we're talking about. I'll wait a couple of days. If they fix it, that's fine. If it is still broken several days later, I'm going to start looking for a new bank.