
No completely and super hard disagree. An expired certificate is not a negotiable or "soft" error. What the hell is wrong with people today? It's not rocket science. Get your shit together or fuck off for the sake of everyone else. Nobody cares about all the layers of bureaucracy between you and renewing that cert. That's your fucking problem. Seriously no joke. Stop making this a "mere implementation detail" and you'll be fine. Cryptography is a razor sharp thing. Treat it accordingly.


I know you're being downvoted for the tone, but I agree entirely. Security is not something to sacrifice to gain less angry users. I do agree, however, with the sentiment that the UX surrounding security leaves a lot to be desired. In most cases we train users to ignore or work around security problems - we don't give them tools to solve and embrace them.


Disagree with your disagree. I understand there’s a recession and security people have to justify their salaries.

The most secure system imaginable is for your users to shut their computers and go outside. If you can’t provide security without usability, your system is worthless.

The truth is that users want products that feel secure, rather than products that are secure.


This is a misguided and incorrect assessment except for your second point, IMO.


Here's the thing: Expired certificate warnings reduce security. Because they're excessively dramatic about a routine non-issue, people learn to ignore and bypass them. Now people won't heed real certificate warnings.

Unfortunately, the browser security nerds don't understand human psychology, and are more scared of the fact an expired cert can't be revoked (a nearly pointless edge case) versus users ignoring all cert warnings entirely, which they do now. A classic example of engineers who don't understand their users.


We agree on this.


> Security is not something to sacrifice to gain less angry users.

Of course it is - it depends on Capital-C-Context.

Sure, for the bank, the site you are supplying your credit card details, your email, etc - security is non-negotiable.

For hackernews, for reddit, and for similar sites, then security is something to sacrifice, once again depending on context.

I've trusted this certificate for the last 2, maybe 3 years. It's unreasonable to assume that 5 minutes past midnight on the expiry date, the cert turned from "completely trustworthy" to "100% certainty that this is a phish, scam or similar".

We live in the real world. Things happen.


I literally just said that I agree the UX is poor. Did you read my comment?


> I literally just said that I agree the UX is poor. Did you read my comment?

But I agree with that comment. The one I disagreed with is:

> Security is not something to sacrifice to gain less angry users.

Maybe I should rephrase (I'm a notoriously poor communicator) ...

Sometimes (like in the cases I pointed out), the security messages and warnings must be sacrificed because the practical security either doesn't matter (like hackernews) or hasn't been compromised (like the 5m after midnight example).


Swallowing certificate expiration is not acceptable security, no. _Something_ needs to happen. What else is there than warning the user?

That being said, I've never liked how certificates are designed to begin with. They're overly complicated for very little gain IMO.


An expired certificate _is_ a soft error, and in most cases nobody gives a fuck. For example, if HN's certificate expired and my browser absolutely prohibited access to it on the basis of that, I'd switch browsers because there's literally nothing at stake if somebody is able to read my traffic to or from this unimportant site. There's even less at stake when it comes to the cryptographic security of some blog. I literally don't care if someone can read the blog entry as I download it from its publicly-accessible URL.

On the other hand, if my e-mail provider's certificate is expired, there's a little more at stake, and there are other services where the HTTPS security being broken can cost me money. Those I do care about.


> literally nothing at stake if somebody is able to read my traffic to or from this unimportant site.

> There's even less at stake when it comes to the cryptographic security of some blog.

This would only be the case if ISPs were not adversarial. In the US - for most people - They are, though.


I think what you are saying is that expiration is important. The reasoning "cryptography is razor sharp" is really hard to follow. Cryptography is precise, but what really would help people is understanding why expiration dates matter so much. Most people carry a driver's license, and have to renew it. We all know that nothing magically happened that day to change anything about the driver - so that expiration is bureaucratic. Why is the expiration date on a cert different?

The layers of bureaucracy are a barrier to adoption of better security practices, and are all of our problem because at some point, you are using someone's website or API that is insecure because someone had to get one more approval or get someone to click one more button and did not.


imagine applying the same medicine to other situations.

- you're two minutes late, your appointment has been canceled

- but I am here for the chemo. I drove 100 miles to be here.

- Get your shit together or fuck off for the sake of everyone else. Nobody cares about all the layers of bureaucracy between you and being on time. That's your fucking problem


How about a

- Your doctor let their medical license lapse. They are legally not allowed to practice medicine until they renew it.

or a

- The hospital did not pass its mandatory inspection. We are not allowed to practice medicine here until we redo the inspection and pass it.

?

Renewing certificates isn't exactly rocket science. It's not an oopsie-whoopsie, it is a pretty massive ops failure and should be treated as such.


> Your doctor let their medical license lapse. They are legally not allowed to practice medicine until they renew it

medical licenses don't arbitrarily expire every 3 months.

But anyway it's funny that medical licenses expire in some places.

Once a doctor, you're always a doctor, unless you do something wrong with your license and it gets revoked.

An expired license doesn't make your skills useless or you less capable.

If I had a stroke on the streets I would certainly trust a doctor to help me, even if his license is expired (again, who let medical licenses expire? not even in USSR medical profession was so bureaucratic!)

Who gave the issuer of the certificates and the browser's vendors the right to decide if I can or can't _visit a website_ that has an expired cert?

and what's the matter?

we accept E2E encryption on chats that use TOFU, but we should "fuck off" web sites with an expired cert that hasn't changed, it's not been revoked, is exactly the same as before, providing the same level of security of before?

I don't understand this fixation, unless a lot of people make a lot of money out of this madness.

I mean, we all know that rotating passwords doesn't improve security, but suddenly making cert expire does?

silly.

> Renewing certificates isn't exactly rocket science

people make mistakes, problems arise, if I need that website now and it's not available because CHROME or FIREFOX or SAFARI chose so, it's a problem for me.

I'm not a baby, I'm an adult.

I can't count how many times that particular piece of information I was looking for was hosted on an old website that's only accessible via HTTP (another thing security zealots don't want you to use) or had an expired certificate.

Let me take my risks and give me a way to disable your bike wheels, I'm not Google's son.

And seriously, the entire f*king HTTPS business cannot rely on a non profit USA org, sponsored by all the usual suspects.


That analogy is a bit off because the certificate problem is on the supplier's side, not the customer's. A more apt analogy would be "no you can't see the doctor today, because their passport expired yesterday".


"The doctor is two minutes late, therefore all appointments today have been cancelled."


"The doctor's malpractice insurance expired yesterday, therefore the doctor cannot risk seeing you today even for this very routine appointment."


> The doctor's malpractice insurance expired yesterday

certs are not malpractice insurances though, they simply say that who you say you are is who you say you are, which doesn't change when the cert expires.

IDs expire only to remind people to update their personal data and the picture on them.

And to remind the State to do a bit of background check once in a while, but even passports last 10 years.


I have a couple embedded devices with TLS1.0, JRE 1.5 applets and no modern ciphers.

I really want you to show me how this is "not rocket science". Till then kindly "fuck off".



