SSL/TLS Server Certificate Not Trusted | Vulnissimo
Jason McCarthy
Senior security researcher & penetration testing consultant
10+ years experience in the field
What is an untrusted SSL/TLS certificate?
SSL/TLS certificates are files that authenticate a website’s identity and enable communication over HTTPS. The issue arises when browsers do not trust the certificate a server presents because it is self-signed, was issued by an authority that is not in the client’s trust store, has expired, or is invalid for some other reason (for example, the hostname does not match or an intermediate certificate is missing from the chain). Without a trusted certificate, users cannot verify that they are talking to the genuine server, which undermines the security of the SSL/TLS connection.
Why is an untrusted SSL/TLS certificate a security risk?
The risk of an untrusted SSL/TLS certificate lies in the fact that an attacker could easily mount a man-in-the-middle attack. Because users are already accustomed to clicking through the warning, an attacker can intercept the SSL/TLS connection by presenting a fake certificate of their own, thereby gaining access to sensitive information such as login credentials or private data.
How to configure a trusted SSL certificate
To address this issue, configure a trusted SSL/TLS certificate for the web server. Obtain the certificate from a reputable Certificate Authority, install it together with the full intermediate chain, and verify that clients no longer report an error. Consult the configuration guide for your specific server:
How to detect an untrusted SSL/TLS certificate
An untrusted SSL/TLS certificate can be detected through several methods, such as browser warnings, command-line tools, and automated scanning tools.
This Python snippet connects to a server over SSL/TLS, retrieves its certificate, and checks its validity, including expiration status. Because the default context verifies the chain and hostname, an untrusted certificate is reported from the exception handler rather than crashing the script:

    import socket
    import ssl
    import time

    # Fill in the host to check; the original snippet leaves this blank.
    hostname = ''
    port = 443

    # The default context validates the chain against the system trust store
    # and checks the hostname, so an untrusted certificate raises an error.
    context = ssl.create_default_context()

    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
                cert = ssock.getpeercert()
                print('Certificate Issuer:', cert.get('issuer'))
                print('Valid From:', cert.get('notBefore'))
                print('Valid To:', cert.get('notAfter'))
                # Check expiration; cert_time_to_seconds parses the GMT
                # timestamp getpeercert() returns, avoiding local-timezone errors.
                expiration = ssl.cert_time_to_seconds(cert['notAfter'])
                if expiration < time.time():
                    print('Warning: Certificate has expired!')
                else:
                    print('Certificate is valid.')
    except ssl.SSLCertVerificationError as err:
        # Self-signed, unknown CA, expired and hostname mismatch all land here.
        print('Warning: certificate is not trusted:', err.verify_message)
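The snippet above only distinguishes "trusted" from "expired". The following added example (written for this page; it is not Vulnissimo's own code) goes further and classifies the individual reasons listed in the first section: it assesses a parsed certificate dict of the shape getpeercert() returns for expiry, self-signature and hostname mismatch, and it maps the verify_message of an ssl.SSLCertVerificationError to the same labels. The SAMPLE_CERT dict, the example.test hostnames and the label names are constructed for illustration; the check_host helper is the only part that needs network access.

```python
import socket
import ssl
import time

# Constructed sample in getpeercert() format: a self-signed certificate that
# expired at the start of 2023 and was issued for an internal hostname.
SAMPLE_CERT = {
    'subject': ((('commonName', 'intranet.example.test'),),),
    'issuer': ((('commonName', 'intranet.example.test'),),),
    'notBefore': 'Jan  1 00:00:00 2022 GMT',
    'notAfter': 'Jan  1 00:00:00 2023 GMT',
    'subjectAltName': (('DNS', 'intranet.example.test'),),
}

# OpenSSL verify messages, as surfaced in SSLCertVerificationError.verify_message,
# mapped to a finding label (labels are our own naming).
VERIFY_MESSAGES = {
    'self-signed certificate': 'self-signed',
    'self signed certificate': 'self-signed',  # older OpenSSL wording
    'certificate has expired': 'expired',
    'unable to get local issuer certificate': 'untrusted-ca-or-missing-chain',
    'hostname mismatch': 'hostname-mismatch',
}


def _hostname_matches(hostname, cert):
    """Match the host against SAN DNS entries; '*.' covers exactly one label."""
    host = hostname.lower()
    for kind, value in cert.get('subjectAltName', ()):
        if kind != 'DNS':
            continue
        pattern = value.lower()
        if pattern.startswith('*.'):
            suffix = pattern[1:]  # '.example.test'
            prefix = host[:-len(suffix)] if host.endswith(suffix) else None
            if prefix and '.' not in prefix:
                return True
        elif host == pattern:
            return True
    return False


def assess_certificate(cert, hostname, now=None):
    """Return the trust problems visible in a getpeercert()-style dict, in a fixed order."""
    now = time.time() if now is None else now
    findings = []
    # cert_time_to_seconds parses the GMT timestamps getpeercert() returns.
    if now < ssl.cert_time_to_seconds(cert['notBefore']):
        findings.append('not-yet-valid')
    if now > ssl.cert_time_to_seconds(cert['notAfter']):
        findings.append('expired')
    # A certificate whose issuer equals its subject was signed by itself.
    if cert.get('subject') == cert.get('issuer'):
        findings.append('self-signed')
    if not _hostname_matches(hostname, cert):
        findings.append('hostname-mismatch')
    return findings


def classify_verify_error(exc):
    """Map an ssl.SSLCertVerificationError to one of the finding labels above."""
    message = (getattr(exc, 'verify_message', None) or str(exc)).lower()
    for needle, label in VERIFY_MESSAGES.items():
        if needle in message:
            return label
    return 'untrusted-other'


def check_host(hostname, port=443, timeout=10):
    """Live check (needs network): returns (findings, cert_or_None)."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
                cert = ssock.getpeercert()
    except ssl.SSLCertVerificationError as err:
        # Verification failed before the handshake completed, so no cert dict;
        # the verify message tells us which category of problem it was.
        return [classify_verify_error(err)], None
    return assess_certificate(cert, hostname), cert


if __name__ == '__main__':
    when = ssl.cert_time_to_seconds('Jun  1 00:00:00 2024 GMT')
    print(assess_certificate(SAMPLE_CERT, 'www.example.test', now=when))
```

Passing `now` explicitly keeps the assessment reproducible in a test or a report; the live `check_host` path uses the current time. Note that the "untrusted-ca-or-missing-chain" label covers two different remediations (importing the CA versus serving the intermediate certificate), so an automated report should still prompt a manual look at the chain.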
Note: This script is for educational purposes only. Always ensure you have permission before scanning or testing websites you don’t own or operate.