Oops: LinkedIn country subdomains SSL cert just expired

LinkedIn's country subdomain SSL certificate has expired – apparently as of about noon GMT today. According to the sslscan certificate testing tool, us.linkedin.com and all its altnames were no longer valid at the time of publication. The certificate issuer is DigiCert SHA2 Secure Server CA. The certificate for the naked …

  1. disgustedoftunbridgewells Silver badge

    It is stupid that expired certificates are the same level of "NO DONT CARRY ON!!" as invalid certificates.

    Recently expired certificates are 99% trustworthy and the "NO STOP! OMG!" just trains users to ignore this stuff.

    Unless it's been revoked, browsers should show a small information message, not a shouty threatening "The end is nigh" warning.

    1. boltar Silver badge

      What is the point of expiry dates and signing anyway?

      Self signing makes certificate signing irrelevant and expiry dates add nothing to security. If someone has stolen your current cert they can probably steal your new one too. It's extra pointless security that should only be used in specific circumstances but because it's used everywhere people become blasé to it and mentally filter out any warnings.

      1. Anonymous Coward

        Re: What is the point of expiry dates and signing anyway?

        expiry dates add nothing to security

        Yes they fucking do.

      2. Anonymous Coward

        Re: What is the point of expiry dates and signing anyway?

        Bollocks! Self-signed certs won't help on someone else's machine because the issuer (you) won't be in their trusted root certificate authorities list. Expiry dates add plenty to security for the simple reason that somehow-compromised certificates have a self-limiting window of usefulness to the bad guys. And "stealing" an SSL cert is useless without the private key. You've got the certificate for The Register on your machine already if you've viewed it in your browser, but only the public key and not the private one.

        Other than that I agree with everything you've said. Ahem.

    2. Dan 55 Silver badge

      How long should a browser accept an expired certificate? A week? A month? A year?

      1. DougS Silver badge

        If it warns clearly (a click through warning not just a yellow padlock or something else 99% of people will never notice) then accepting for a week seems reasonable. That would give time for the domain owner to become aware and correct the issue. If they don't notice for six months they apparently never visit their own site, so that's on them.

        1. Dan 55 Silver badge

          So you'd be in the same position as now, only a week later.

          1. DougS Silver badge

            How would you be the same position? You'd get a warning but the site would work, and Linkedin would fix it before the week is up because they'd see the warning too.

            1. Dan 55 Silver badge

              So you'd get a warning that it's an expired certificate and click through.

              As opposed to now where you get a warning it's an expired certificate and click through.

      2. boltar Silver badge

        "How long should a browser accept an expired certificate? A week? A month? A year?"

        As long as the user requires it to. The user should be in control, not the browser developer.

      3. disgustedoftunbridgewells Silver badge

        I'd say a month, with a page saying "everything is fine, but this certificate has expired. let the admin know".

        But it's not as if cryptography moves so fast that a year would be ridiculous.

  2. Anonymous Coward

    Wouldn't have happened if Microsoft were Linux !!!

    Ducks and covers.

    1. Anonymous Coward

      Re: Wouldn't have happened if Microsoft were Linux !!!

      Microsoft is a company, Linux is an O/S with many flavours.

      An operating system can't own a company any more than my thinking about green fields could own a cow.

      1. Anonymous Coward

        Re: Wouldn't have happened if Microsoft were Linux !!!

        "Microsoft is a company, Linux is an O/S with many flavours."

        Linux is a kernel not an O/S.

        1. Anonymous Coward

          Re: Wouldn't have happened if Microsoft were Linux !!!

          The Linux open source operating system, or Linux OS, is a freely distributable, cross-platform operating system based on Unix that can be installed on PCs, laptops, netbooks, mobile and tablet devices, video game consoles, servers, supercomputers and more.

    2. Mark 110 Silver badge

      Re: Wouldn't have happened if Microsoft were Linux !!!

      And who is to say Linkedin doesn't run on Linux?

      1. handleoclast Silver badge

        Re: And who is to say Linkedin doesn't run on Linux?

        If you wanted to find out, you could use telnet to talk raw HTTP to the site and issue a HEAD request. If you're using Windows, this is painful to do (different types of painful depending on the version of Windows/telnet client) but on Linux or even MacOS it's a piece of piss. If you're a wimp you can always try netcraft.com/whats.

        1. Phil W

          Re: And who is to say Linkedin doesn't run on Linux?

          "If you're using Windows, this is painful to do"

          Except that Windows, being the most widely used desktop OS in the world, has a huge variety of third party applications available including decent Telnet clients. Putty is a few clicks and seconds of download away from anyone with an Internet connection, and does a fine job as a Telnet client.

          Don't turn a task like this into a Windows vs Linux/MacOS argument, just because they include a Telnet client in the OS by default. It's perfectly valid for Microsoft not to, given that only a small percentage of users would want one.

          If you want to have that kind of argument, I'll simply say that Emacs and vi are both terrible, and nano is the only decent Linux text editor.

          1. CrazyOldCatMan Silver badge

            Re: And who is to say Linkedin doesn't run on Linux?

            I'll simply say that Emacs and vi are both terrible, and nano is the only decent Linux text editor.

            Burn the heretic! The holy Vi should *never* be mentioned in the same sentence as the never-to-be-sufficiently-damned Emacs[1]. Nano is all right though.

            [1] It corrupts my soul to have even typed that evil name. I shall now repeat 500 :wq! commands until all is clean again.

          2. handleoclast Silver badge

            Re: And who is to say Linkedin doesn't run on Linux?

            Don't turn a task like this into a Windows vs Linux/MacOS argument, just because they include a Telnet client in the OS by default. It's perfectly valid for Microsoft not to, given that only a small percentage of users would want one.

            I was talking of the Microsoft-supplied telnet client, not a third-party one. You're right. For just about anything you want to do on Windows, don't rely on the shit that Microsoft supply. Wise words, indeed.

            There have been two versions of Microsoft telnet client I've encountered, one black text on white, the other white text on black. Both had two serious shortcomings when used to connect to web servers for a quick HEAD request. One shortcoming was common to both, the other shortcoming differed.

            As I recall, both handled the delete key incorrectly and sent a backspace rather than deleting the character from the send buffer (or maybe the output was unbuffered). Either way, you couldn't afford to make a typo because you couldn't correct it. Fail. Maybe using ctrl-H would have worked, I kept meaning to try but always forgot to because after the first fail I'd switch to a Linux machine if there were one around or find some other way (and swear to never use Windows for anything ever again, no matter how simple).

            One of them didn't local echo. Which made typos (that you can't correct) very likely. Supposedly you could enable it somehow but I never got it to work. I'm willing to put the blame on me for being unable to get it to work but firmly blame Microsoft for not defaulting to local echo when connecting to a non-telnet port in the first place, like every non-Microsoft telnet client I've ever used does.

            The other timed out before you could type the entire request (minimum of "HEAD resource," "HOST domain" and an extra carriage-return). Of course, you could type really fast, but rarely fast enough and then you had typos you could see but not correct.

            Both were a pile of steaming shit. Yeah, you can say not many people need telnet, and even fewer need telnet to do quick HEAD tests on web servers, but every other telnet client I've ever used got it right. It's not like Microsoft didn't have examples to emulate (and code to rip off).

            BTW, one of them (can't remember which, think it was white-on-black-no-local-echo) was included with Win 7, it was just well-hidden and you needed admin privs to make it unhide itself (as I recall, "super-installing" something that is already installed). Which may well also be the case with Win 10.

            Don't try to defend the indefensible.

      2. Anonymous Coward

        Re: Wouldn't have happened if Microsoft were Linux !!!

        Last time I looked, LinkedIn ran on Solaris.

  3. Yet Another Anonymous coward Silver badge

    Does this mean that linkedin could be hijacked into some spam slinging / identity theft / scam operation?

    Or could the expired certificates simply be safely snapped up by crooks?

    1. disgustedoftunbridgewells Silver badge

      It means nothing other than you'll get a warning if you visit the site.

      The certs are still as secure and valid as they were yesterday, they've just passed the best-before date and need to be renewed.

      1. CrazyOldCatMan Silver badge

        certs are still as secure and valid as they were yesterday

        Secure - yes (possibly - if an organisation isn't organised enough to have people or processes checking for certificate expiry, it makes you wonder what else they have failed to do..). Valid - no. Let me explain the concept of an expiry date again..

    2. Nate Amsden Silver badge

      The certs are public, anyone can get them from their browser. The keys are the valuable bit (and private) and I've yet to come across a key that expires with regards to SSL anyway (one exception might be the key's algorithm being old and no longer supported or something).

    3. cheekybuddha

      >> Does this mean that linkedin could be hijacked into some spam slinging / identity theft / scam operation? <<

      And how is this any different from linkedin even with a valid certificate?

    4. hplasm Silver badge

      Too late...

      "Does this mean that linkedin could be hijacked into some spam slinging / identity theft / scam operation?"

      they were bought out by someone a while ago...

  4. DocD

    Looks like it was renewed on 3rd November and they didn't install it until after the old one expired?

    1. CrazyOldCatMan Silver badge

      renewed on 3rd November and they didn't install it until after the old one expired

      Which is (somehow) even worse - they have gone to the trouble of renewing, but not the small bit of extra effort to install it..

  5. Anonymous Coward

    Do they allow people to list citizenships held now?

    As they couldn't last year, which was a PITA when looking for visa-free people.

  6. Blane Bramble

    "If the certificate is invalid then we have no assurance that our communications are secure. We should think of HTTPS with an invalid certificate as the same as using HTTP, anyone could see or tamper with what we're doing online."

    Err, no. No it isn't.

    1. #define INFINITY -1 Bronze badge

      Err, yes... sometimes it is. Agreeing with Mr. Disgusted above that 'expired' and 'invalid' are (very) different. The latter means MITM is trivial - in the former case only with the domain owner's private key.

  7. Dan 55 Silver badge

    Microsoft and certificate renewal problems

    Is it that time again?

  8. tempemeaty

    Hmmmmm....

    I wonder when the "domain" comes up for renewal...just thinking out-loud. ( ⚆ _ ⚆ )

    It's not like Microsoft ever forgets that too...right?

    ¯\_ಠ_ಠ_/¯

    1. DNTP Silver badge

      Re: MS forgets domain expiration

      -and some random guy with sharp eyes snaps it up, tenderly holds it like an abandoned baby in his strong yet gentle arms, then turns it back over to the authorities. Here's the link you were looking for (edit: wow, apparently they did this more than once?).

      https://www.theregister.co.uk/2003/11/06/microsoft_forgets_to_renew_hotmail/

  9. handleoclast Silver badge

    This isn't rocket surgery

    Any time I've set up services/network monitoring in the past 17 years, I've always added a check for SSL certificate expiry. Just in case somebody misses the e-mails the certificate issuer sends.

    How do these clowns manage to let certificates expire???
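The kind of expiry check handleoclast describes adding to service monitoring, as an added example that is not code from the article or from anyone in this thread. It assumes Python's standard `ssl` module (whose `getpeercert()` reports `notAfter` as a string like `Nov  3 12:00:00 2017 GMT`); the 30-day warning and 7-day critical thresholds are choices made here, and the sample date is constructed, not taken from the LinkedIn certificate.

```python
"""Added example: a Nagios-style TLS certificate expiry check.

Not from the article or its comments. Thresholds and the sample date below
are assumptions made for illustration."""
import socket
import ssl
import time

# Constructed sample in the format ssl.SSLSocket.getpeercert() uses for notAfter.
SAMPLE_NOT_AFTER = "Nov  3 12:00:00 2017 GMT"


def not_after_to_epoch(not_after: str) -> float:
    """Convert a getpeercert()-style 'notAfter' string to a UNIX timestamp."""
    return float(ssl.cert_time_to_seconds(not_after))


def classify_expiry(not_after: str, now=None, warn_days: float = 30, crit_days: float = 7):
    """Return (status, days_remaining) for a certificate expiry time.

    status is OK / WARNING / CRITICAL / EXPIRED, mirroring the states a
    monitoring plugin reports. days_remaining goes negative once the
    certificate has expired, so an operator can see how long it has been dead."""
    if now is None:
        now = time.time()
    days_remaining = (not_after_to_epoch(not_after) - now) / 86400.0
    if days_remaining <= 0:
        return "EXPIRED", days_remaining
    if days_remaining < crit_days:
        return "CRITICAL", days_remaining
    if days_remaining < warn_days:
        return "WARNING", days_remaining
    return "OK", days_remaining


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate's notAfter from a live server (needs network).

    The default context verifies chain and hostname, so a certificate that is
    already expired or otherwise invalid raises ssl.SSLCertVerificationError
    instead of being silently accepted; check_host() turns that into CRITICAL."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host: str, port: int = 443):
    """Run the check against one host and return (status, detail) for a monitor."""
    try:
        not_after = fetch_not_after(host, port)
    except ssl.SSLCertVerificationError as exc:
        return "CRITICAL", f"{host}:{port} certificate failed verification: {exc.verify_message}"
    except OSError as exc:
        return "UNKNOWN", f"{host}:{port} unreachable: {exc}"
    status, days = classify_expiry(not_after)
    return status, f"{host}:{port} expires {not_after} ({days:.1f} days remaining)"


if __name__ == "__main__":
    import sys
    # Default target is the hostname named in the article; pass others as arguments.
    for target in sys.argv[1:] or ["us.linkedin.com"]:
        print(*check_host(target))
```

Wired into a scheduler or a monitoring system, `classify_expiry` fires well before the renewal e-mails from the CA would be missed, and `check_host` deliberately reports a verification failure as CRITICAL rather than downgrading to CERT_NONE to read an invalid certificate, since an expired leaf is exactly the condition the check exists to catch.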

  10. Anonymous Coward

    Losers

    Oh ffs.

    In this day and age?

    Never heard of letsencrypt.org?

  11. LaeMing

    they lost me long ago anyway

    I don't have any tolerance for data companies that have major leaks.
