The identity of the certificate might not be verified, but it still does the encryption if the user is prepared to make a trust exception. It would not be a good idea to pull off an expired cert without replacing it with a valid one, as the reason for the cert is in most cases to force sensitive HTTP data to travel over SSL.

I would prefer no data than insecure transmission. Developers and admins have overconfidence in SSL and get lazy; there would doubtless be many security holes that would be exposed while operating in plain text (no SSL) mode, which would make excellent springboards for later attack (passwords sent in the URL, persistent session identifiers, etc.).

Matt Farey