To protect their visitors’ data and sensitive information, websites are required to serve their web pages over HTTPS protocol. This protocol encrypts the communications between web servers and clients (browsers) against Man-in-the-middle Attacks.
The encryption of HTTPS connections is guaranteed by an SSL/TLS certificate. For security reasons, this certificate is usually valid for a specific period, after which the certificate expires and the website owner is required to renew it. Additionally, there are many other reasons that lead to a certificate get expired.
Is it safe to visit a website with an expired certificate?
It is mostly NOT safe to visit a website with an expired certificate. Although in most cases certificates get expired due to server misconfigurations or missed auto-renewals, some of them may indicate the website is under attack.
How Do Valid Certificates Secure Websites?
HTTPS connections rely on SSL/TLS certificates to encrypt the exchanged information between web servers and browsers. This encryption is crucial to verify the connection to the website is totally secure.
Valid SSL/TLS certificates protect websites and their visitors via three key aspects:
- Data privacy: the information is encrypted so attackers are unable to read them.
- Data integrity: the information can’t be altered while transmitted to the web server.
- Server identity: the connection is established with the actually requested website.
Accordingly, visiting a website with an expired certificate means you are sacrificing some or all of these security factors.
Reasons for Expired Certificates
There are many reasons why website certificates expire. Although some certificates get expired due to a server misconfiguration or an error in the automatic renewal, some of them indicate that, for example, the website servers are under attack.
Here are some most common reasons for expired certificates:
- The certificate reached its expiry date and was not properly renewed.
- The certificate is signed by a non-trusted certificate authority.
- The certificate is issued for a website different that the requested website.
There is a long discussion about the meaning and potential reasons behind expired certificates. Nevertheless, all browsers do show a message to warn their users about the risk of visiting the requested website regardless of the cause of this expiry issue.
When Is It Safe To Visit A Website With Expired Certificate?
As mentioned earlier, visiting a website with an unverified or untrusted certificate risks your data privacy and integrity, and may lead to your connection being handled by an attacker. This is somehow similar to visiting a plain HTTP website without the security extension.
Even if there is no need to submit sensitive information, it’s highly recommended to avoid visiting websites with expired HTTPS certificates. Such kinds of websites tend to be insecure and expose your online presence and personal information to serious threats.
The useful professional advice we can give here is to re-visit the website after some time, hoping the expired certificate issue is temporary and gets handled quickly by the technical team. If the problem persists after a while, this indicates a serious issue and the website should be totally avoided.