another reminder of false security of certificates, because no one pays attention to them. Here's a security blog, so I will speculate that many of its readers are security conscious users, yet most probably went to the site anyway despite the security warning of an expired certificate.
What's the threat model for this? Is the MITM going to subtly change Schneier's essay? Perhaps they're going to find out the lame password I use for stupid comment forms, which password (literally: it's a word) I've been using continuously for that purpose since 1994?
I would not think that is much of a threat here in this scenario. The threat is really that Schneier is no longer who he said he is, since it has not been validated recently. That is, his certificate, purchased and verified through an authority, has reached the age where that authority no longer guarantees that he is the one holding it. As such, someone else could have taken over his person and begun acting maliciously.
Right?
Edit: So, my question "Right?" was a legitimate question. If I am wrong, I'd like to know how. Note that this is an expired, non-revoked certificate scenario we are talking about. Meaning the identity was established before, and to nobody's knowledge has it been stolen. Simply, now that identity has not been established for a long time.
You have a point, I do think that a majority of the internet populace would not raise a flag about this, but... also please notice that the URL linked on this page is simply HTTP.
So, either you (and the others in this comment thread) manually changed the URL, or you have some browser extension that automatically switches to HTTPS, etc. I'm sure more of us would've caught the issue if indeed more of us were exposed to the issue in the first place.
Well, an SSL cert that just expired is still encrypting data in flight. Most everyone that has dealt with security knows that people sometimes miss renewing the certs. Expired cert doesn't mean the site is now malicious.
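The thread draws a distinction that is easy to blur: an expired certificate has merely passed the window in which the CA vouched for the identity, a revoked one has been affirmatively withdrawn, and neither state changes the fact that the TLS handshake still encrypts the session. The following is an added example, not code from any commenter, showing how a defender's monitoring script would keep those states apart. It uses only the Python standard library; the certificate dictionary is constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and the revocation set stands in for a real CRL/OCSP lookup, so none of the values belong to any real site.

```python
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Subject, issuer, serial and dates are made up for illustration only.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "serialNumber": "0A1B2C3D",
    "notBefore": "Jan 15 00:00:00 2023 GMT",
    "notAfter": "Jan 15 00:00:00 2024 GMT",
}

# Constructed stand-in for a CRL or OCSP response (hypothetical serials).
REVOKED_SERIALS = {"DEADBEEF"}

SECONDS_PER_DAY = 86400


def validity_status(cert, now=None, revoked_serials=REVOKED_SERIALS):
    """Classify a certificate as valid, expired, not_yet_valid or revoked.

    Revocation is checked first because it overrides the validity window:
    a revoked certificate is untrustworthy even inside its dates. Expiry
    is a separate condition and says nothing about revocation, which is
    the point made in the thread above.
    """
    now = time.time() if now is None else now
    if cert.get("serialNumber") in revoked_serials:
        return "revoked"
    # cert_time_to_seconds parses the GMT timestamp format getpeercert() emits.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


def days_until_expiry(cert, now=None):
    """Signed number of days until notAfter (negative once expired)."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / SECONDS_PER_DAY


def renewal_report(certs, now=None, warn_days=30):
    """Build a per-host report so missed renewals are caught before expiry.

    Returns a dict keyed by commonName with the status, days remaining and
    whether the certificate is inside the renewal warning window.
    """
    now = time.time() if now is None else now
    report = {}
    for cert in certs:
        # getpeercert() nests subject RDNs as tuples of (key, value) pairs.
        cn = next(v for rdn in cert["subject"] for k, v in rdn if k == "commonName")
        remaining = days_until_expiry(cert, now)
        report[cn] = {
            "status": validity_status(cert, now),
            "days_remaining": round(remaining, 1),
            "needs_renewal": remaining <= warn_days,
        }
    return report


if __name__ == "__main__":
    # Fixed "now" values so the output is reproducible: Nov 2023, then Mar 2024.
    for when in (1700000000, 1710000000):
        print(time.strftime("%Y-%m-%d", time.gmtime(when)),
              renewal_report([SAMPLE_CERT], now=when))
```

The status check and the transport are deliberately separate: nothing here touches the session keys, which is why a browser that only warns on expiry is still talking over an encrypted channel. What the warning actually tells the user is that the `days_remaining` figure went negative, that is, the CA's assertion about who holds the key has lapsed and nobody has re-established it.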