Why Do SSL/TLS Certificates Expire?
- Replaces compromised certificates: If an attacker has gained access to a certificate, they can keep using it to MITM connections or for DNS hijacking. Once the certificate expires and a new one is in use, the attacker can no longer do these things, because they do not have the new certificate.
- Implementing new cryptographic updates: If a new cryptographic update is needed, the only way to apply it is to obtain a new, updated certificate, and for that the old one needs to expire.
This is quite an important point, and I think it is important that
Why do SSL/TLS Certificates need CA validation?
The role of CAs for SSL/TLS is vital. According to the official SSL website above, a CA’s digital certificate provides:
“Integrity of documents signed with the certificate so that they cannot be altered by a third party in transit.”
This is one of the main reasons CAs are so badly needed. A CA is an independent party that has no reason to be biased and therefore no reason to modify the certificate in transit.
It would not be in a CA's best interests to tamper, because it would face legal penalties and lose business.
It is important to note, though, that not all big CAs can be trusted; this also depends on your country of residence.
Powerful governments have been known to use CAs within their jurisdiction for malicious ends.