
Certificate expired and not expired - linkedin

Question asked by Jon Taz on Feb 7, 2018
Latest reply on Feb 8, 2018 by Bhushan Lokhande

Got an interesting case here of a site that has multiple certificates (one of which is expired) and still gets an A rating despite it not working with some default browsers, so I was wondering if the rating ought to be reconsidered.

 

Site is uk.linkedin.com (or any other country.linkedin.com site).

SSL Server Test: uk.linkedin.com (Powered by Qualys SSL Labs) 

 

They have three certificates. 

RSA 2048 bits (SHA256withRSA) = Valid.

RSA 2048 bits (SHA256withRSA) No SNI = Valid.

EC 384 bits (SHA256withECDSA) = Expired.

 

As per the handshake simulation you do, IE11 on Win7, 8.1 and WinPhone 8.1 all use the EC 384 certificate, meaning that they receive an expired certificate. Even better, LinkedIn use HSTS so you can't even continue.

 

In that scenario an A rating seems incorrect; surely the expired cert should have some impact on the rating?

 

Obviously this is a broken setup by LinkedIn and nothing at all to do with you, but I thought it was an interesting scenario for you.
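The point raised above, that a server hands out a different leaf certificate depending on the client (RSA vs ECDSA, SNI vs no SNI), so a host-level "certificate valid" verdict can hide an expired leaf that some clients actually receive, can be made concrete with a small model. The following is an added example, not code from Qualys SSL Labs or LinkedIn: the certificate dates, the client profiles and the server's selection rule are constructed assumptions that mirror the three certificates listed in the question.

```python
# Added example (not code from Qualys SSL Labs or LinkedIn): a small model of
# why a host-level "valid certificate" verdict can hide an expired leaf. The
# server chooses a different leaf per client (RSA vs ECDSA, SNI vs no SNI), so
# expiry has to be evaluated per client profile, not once per host.
# Certificate dates and client profiles are constructed; the selection rule is
# a simplifying assumption, not LinkedIn's actual configuration.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    name: str
    key_type: str        # "RSA" or "EC"
    not_after: datetime
    needs_sni: bool      # True: served only to clients that send SNI


@dataclass(frozen=True)
class Client:
    name: str
    offers_ecdsa: bool   # client offers ECDHE-ECDSA cipher suites
    sends_sni: bool


UTC = timezone.utc
# Constructed reference time and validity dates (the page only says "Valid"/"Expired").
NOW = datetime(2018, 2, 7, tzinfo=UTC)
CERTS = [
    Cert("RSA 2048 bits (SHA256withRSA)", "RSA", datetime(2019, 1, 1, tzinfo=UTC), needs_sni=True),
    Cert("RSA 2048 bits (SHA256withRSA) No SNI", "RSA", datetime(2019, 1, 1, tzinfo=UTC), needs_sni=False),
    Cert("EC 384 bits (SHA256withECDSA)", "EC", datetime(2018, 1, 15, tzinfo=UTC), needs_sni=True),
]
# Constructed client profiles; which suites a real browser offers varies by version.
CLIENTS = [
    Client("IE 11 / Win 7 (hypothetical profile)", offers_ecdsa=True, sends_sni=True),
    Client("Legacy client, RSA only, no SNI (hypothetical)", offers_ecdsa=False, sends_sni=False),
    Client("RSA-only client with SNI (hypothetical)", offers_ecdsa=False, sends_sni=True),
]


def select_cert(client: Client, certs: list) -> Cert:
    """Simplified server-side leaf selection (assumption): no SNI -> the default
    certificate; otherwise prefer the ECDSA leaf whenever the client offers
    ECDHE-ECDSA suites, else fall back to RSA."""
    pool = [c for c in certs if c.needs_sni == client.sends_sni]
    if client.offers_ecdsa:
        ec = [c for c in pool if c.key_type == "EC"]
        if ec:
            return ec[0]
    return next(c for c in pool if c.key_type == "RSA")


def naive_host_verdict(certs: list, now: datetime) -> bool:
    """Host-level view: 'fine' as long as at least one presented leaf is unexpired."""
    return any(c.not_after > now for c in certs)


def assess(clients: list, certs: list, now: datetime, hsts: bool = True) -> list:
    """Per-client view: the leaf each client actually receives and whether it is
    expired. With HSTS in force there is no click-through, so an expired leaf
    is a hard failure for that client rather than a warning."""
    rows = []
    for cl in clients:
        cert = select_cert(cl, certs)
        expired = cert.not_after <= now
        rows.append({
            "client": cl.name,
            "cert": cert.name,
            "expired": expired,
            "hard_failure": expired and hsts,
        })
    return rows


def per_client_verdict(rows: list) -> bool:
    """True only if every modelled client receives an unexpired leaf."""
    return not any(r["expired"] for r in rows)


if __name__ == "__main__":
    rows = assess(CLIENTS, CERTS, NOW)
    print("host-level verdict (any leaf valid):", naive_host_verdict(CERTS, NOW))
    print("per-client verdict (all clients ok):", per_client_verdict(rows))
    for r in rows:
        status = "EXPIRED, hard failure" if r["hard_failure"] else ("expired" if r["expired"] else "ok")
        print(f"  {r['client']:<45} -> {r['cert']:<40} {status}")
```

Run as a script, the host-level check reports True while the per-client check reports False, because the ECDSA-capable profile is handed the expired EC leaf and, with HSTS, has no way past it. To verify the same thing against a live host rather than a model, restrict the client's cipher list so the server is forced into each branch, for example `openssl s_client -connect host:443 -servername host -cipher ECDHE-ECDSA-AES128-GCM-SHA256` piped into `openssl x509 -noout -dates`, then repeat with an ECDHE-RSA suite and compare the notAfter values; the two runs should be checked separately, since a single default connection only shows one of the leaves.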
