Guild Wars 2

https://en.support.guildwars2.com/ (and a ton of other support pages, most of which are dead, except for help.ncsoft.com) expired 31.08.2013 23:59:59 GMT

You may want to renew certificates before the deadline hits, especially when it’s on a weekend

page still safe ? cuz i need to create a ticket …

Strictly speaking, no.

Being less strict, yes. The communication is still encrypted, but it’s showing you an expired ID and it’s up to you to trust it.

INSANE that it’s not fixed yet o.0

So without a valid certificate, we can’t be sure if it’s actually the ANet team we’re communicating with?

Am I too paranoid when I think “attackers” might take advantage of this lapse in certification to actually cook up some crazy scheme to scam people?

Dysdaimon.2158:

So without a valid certificate, we can’t be sure if it’s actually the ANet team we’re communicating with?

That’s how it’s supposed to be, yes. In practice it really depends on how you scale your confidence.

An expired certificate means the private key’s… privacy is no longer guaranteed. You’re to assume anyone digging through their trash could have found it.

Since I doubt they’d do something like that (this is where the trust and confidence comes in) chances that someone 1) got hold of their private key and 2) is able to pose to you as one of the domains listed in the certificate (e.g. support.guildwars2.com) are about as slim as they were yesterday.

So, in theory, going by protocol, the certificate must not be used any longer, and you should not trust it.

In practice it’s up to you to trust them. How confident are you that the key has not been compromised, keeping stuff like this in mind (this list is by no means complete):

• The certificate expired “just” yesterday.
• Would a company like that let their certificates expire and still use them?
• What are the chances they simply managed to forget to renew them?
• How big are the odds that someone could have.. “acquired” their private key and is posing as one of the sites by now?

As long as you don’t just go around and start trusting any site with an invalid certificate now I don’t see much of a scam coming out of this.

E: Actually, you’d assume that no competent web team would let the certificates for the support platform of a game this size expire and not renew them well before they’re due. Saying “it only expired a day ago!” was kind of incompetent on my end too, really.

The difference between being a day before expiry and a day after is minute, but the intention is to reduce the ability of a third-party to exploit stolen certificates.

Either way, having that sort of message pop up visiting a support site surely doesn’t inspire confidence