It’s a complete failure of infosec-meets-user-psychology that “this TLS certificate is issued for your bank and the server is sneaky hackerman dot com” and “this otherwise valid certificate expired a day ago” have the EXACT SAME USER EXPERIENCE.
@Quinnypig I've been thinking about this a lot recently LOL. Since when do cert expirations regularly relate to a security problem or the site/vendor not being eligible to get new certs? Browsers seriously need to handle these openssl errors differently. It seems like openssl does have a bit of a "secure | there are errors" binary but it's not like the errors are opaque to the program...
@Quinnypig @aikensource Especially all the certificate typically proves is that the entity who held the cert’s private key at the time the cert was issued also had sufficient control over the domain or the thing connected to the IP it resolved to *on the day the cert was issued*. The weight that holds decreases over time - so an expired 1-month cert technically is more secure than an in-date 1-year cert.
@Quinnypig @aikensource I mean, allowing a live cert to expire, and by how much also signals something - but it’ll depend heavily on the type of entity (bank, government, key internet infrastructure mega corp, small business, Joe Bloggs) and the type of service we’re talking about. (Online banking, eGov service, eCommerce site, information-only website, …)
@Quinnypig @aikensource I could totally see a middle ground where browsers warn you about an expired cert without freaking out, but wipe/hide your cookies etc. if you continue, and yell at you if you try to enter a password or credit card number to the site.
@pmdj @Quinnypig yeah I think I agree on all counts. Chromium browsers already handle certain different errors a bit differently (basic ssl errors are easy to bypass, HSTS errors require advanced navigation) so they could probably design a way to handle diff circumstances of ssl errors a bit differently. If I recall correctly, visiting an HTTP site is less intrusive and in-your-face than a 1 day expired cert from a major website lol. Stuff like domains not matching.... That matters so much more.
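The point made in the last two posts, that a name mismatch and a recently expired certificate are distinguishable and deserve different handling, can be shown in code. The example below is added here and is not from anyone in the thread or from any browser; it evaluates a certificate already presented in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, using the standard-library `ssl.cert_time_to_seconds` for the date fields. It assumes that chain-of-trust verification has already been done by the TLS library, uses a simplified hostname matcher (exact match or a single leftmost-label wildcard, not a full RFC 6125 implementation), and the certificate values are constructed for illustration. The verdicts implement the "middle ground" proposed above: block on name mismatch, restrict (no cookies, no form submission) on expiry.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a 30-day certificate for www.example.com (hypothetical values, not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Feb 09 00:00:00 2024 GMT",
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 matching: exact match, or a wildcard as the leftmost
    label that covers exactly one label (no partial-label wildcards)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".api.example.com"
        return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def _cert_time(value: str) -> datetime:
    # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" format used by getpeercert()
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def at(year: int, month: int, day: int) -> datetime:
    """Helper to build a UTC 'now' for evaluation."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def evaluate_cert(cert: dict, hostname: str, now: datetime) -> dict:
    """Triage a (chain-verified) certificate into one of three verdicts.

    block      - the cert does not name this host, or is not yet valid
    restricted - the cert is expired: show the page, but drop cookies and refuse form input
    ok         - the cert names this host and is within its validity window
    """
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(p, hostname) for p in sans):
        return {"verdict": "block",
                "reason": f"name mismatch: {hostname!r} not covered by {sans}"}

    not_before, not_after = _cert_time(cert["notBefore"]), _cert_time(cert["notAfter"])
    if now < not_before:
        return {"verdict": "block", "reason": "certificate not yet valid"}
    if now > not_after:
        days = (now - not_after).days
        return {"verdict": "restricted", "days_expired": days,
                "reason": f"expired {days} day(s) ago; load without cookies, refuse form submission"}
    return {"verdict": "ok", "days_left": (not_after - now).days,
            "reason": "valid for this name"}


if __name__ == "__main__":
    for host, when in [("www.example.com", at(2024, 1, 20)),
                       ("www.example.com", at(2024, 2, 12)),
                       ("sneaky.example.net", at(2024, 1, 20)),
                       ("v1.api.example.com", at(2024, 1, 20))]:
        print(host, when.date(), evaluate_cert(SAMPLE_CERT, host, when))
```

The ordering matters: the name check runs before the date check, so a certificate that is both expired and issued for a different host is blocked rather than merely restricted, and the `days_expired` figure is what a UI could use to scale its warning the way the earlier post suggests.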
@aikensource @pmdj @Quinnypig I will someday lose my **** over the fact that HSTS by specification requires browsers to refuse to operate as a user agent.