Since the afternoon of Monday, November 9th, 2009, all secure pages on the site, from the login page to the subscription system, have been causing browsers to report an expired security certificate error.
Impact:
Not much really. The certificate still works for encryption, so no data is ever compromised. All a user has to do is make their browser accept the certificate temporarily (allow an exception) and all will be well.
What happened?
Why such a lapse in security? Well, this is interesting.
The current (expired) certificate was obtained from Entrust two years ago and was valid for two years. And, as it turned out, Entrust has some interesting new policies.
First: they only alerted me last Wednesday about the impending expiration of the certificate, instead of the usual 30 days' notice. So I didn't remember to renew on time. It would have been fine if we had simply renewed.
Second: Entrust's amazing new policy of not accepting any purchase under $1000.
A single, standard domain certificate for 4 years is $538 with Entrust (it started at $299 per year in 2003). That's what I usually get, and the site doesn't need any more than that. So if I were to keep dealing with Entrust, I would have to buy something else; something I don't need. I would have to invent a domain to get a certificate for it.
So I decided to get a certificate from Verisign instead. They are much better priced anyway, and they accept my insignificant business of $356 for the same type of certificate for the same period.
However, certifying a site requires verification of the business entity behind it, and that takes 4 to 5 business days to complete and produce the certificate.
I started the process on Thursday, and hopefully we get the new certificate by tomorrow.
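The lesson in the story above is that the CA's reminder e-mail is the only thing that stood between the site and an expired certificate. The following is an added example, not part of the original post, of the check a site operator can run on their own schedule: it reads a certificate's notAfter date, reports how many days remain, and flags anything inside a warning window. The 30-day window, the helper names (`classify`, `check_host`, `utc`) and the sample expiry of noon GMT on November 9th are all assumptions made for the example; the post only says the certificate expired that afternoon.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed reminder window; the post says the CA used to warn 30 days ahead.
WARN_DAYS = 30


def utc(iso: str) -> datetime:
    """Parse an ISO-8601 string such as '2009-11-09T15:00' as a UTC instant."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def seconds_to_expiry(not_after: str, now: datetime) -> float:
    """Seconds until the certificate's notAfter; negative once it has expired.

    `not_after` is the string form getpeercert() returns, for example
    'Nov  9 12:00:00 2009 GMT'. `now` must be timezone-aware so that the
    comparison is done in UTC, which is what the certificate uses.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    expiry_epoch = ssl.cert_time_to_seconds(not_after)  # stdlib parser, GMT only
    return expiry_epoch - now.timestamp()


def classify(not_after: str, now: datetime, warn_days: int = WARN_DAYS) -> tuple:
    """Return (status, days_left) with status 'OK', 'WARN' or 'EXPIRED'."""
    days_left = seconds_to_expiry(not_after, now) / 86400.0
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left < warn_days:
        return "WARN", days_left
    return "OK", days_left


def check_host(host: str, port: int = 443, warn_days: int = WARN_DAYS) -> tuple:
    """Connect with full chain verification and classify the leaf certificate.

    This is the network-facing entry point and is not exercised offline.
    If OpenSSL already rejects the chain (an expired leaf is verify code
    10, 'certificate has expired'), the verifier's verdict is returned
    rather than a date read out of a certificate we could not trust.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "VERIFY_FAILED", exc.verify_message
    return classify(cert["notAfter"], datetime.now(timezone.utc), warn_days)


if __name__ == "__main__":
    # Constructed sample: the post's certificate, assumed to expire at noon GMT
    # on the day the browser warnings started.
    sample_not_after = "Nov  9 12:00:00 2009 GMT"
    for when in ("2009-10-01T12:00", "2009-11-04T12:00", "2009-11-09T15:00"):
        status, days = classify(sample_not_after, utc(when))
        print(f"{when}  {status:8} {days:+.1f} days")
```

Run `classify` from a daily cron job or monitoring check against the date taken from `check_host`, and page someone as soon as it returns WARN; that way a late or missing reminder from the CA, or a multi-day validation queue at the new one, is discovered while there is still time to renew.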
So for now, just accept the current expired certificate and everything will work as usual.
Sorry for any inconvenience.
Update 2009-11-11 2:00 pm: The issue has been resolved and a new security certificate has been installed and activated.