Union Fenosa website security

[Jay Kay]

Went to log in today and certificates have expired and accessing website not recommended. How concerned should I be? Since i dont get paper bill  Id still like to check it online.  Is there a risk to doing that? Thanks.

[Twin Wolf Technology Group]

The risk is minimal.   Digital encryption certificates serve two functions.   One is to encrypt the data flowing between you and the website.   This will continue to take place even after the certificate has expired.   The second function is to insure the website you are connecting to is actually who they represent themselves to be.   In other words, just because a website says they are Union Fenosa, you have no way of knowing if it is really them or someone impersonating them.   Before a digital certificate is issued or renewed, the certificate authority does some level of checking to insure it belongs to the business it represents.

The only real danger in an expired certificate is that it is possible that someone else is misrepresenting or impersonating that website.   If the certificate was recently expired, there is almost no risk at all.   If the certificate expired a year or more ago, I would be a little bit cautious.   

Since the encryption between your computer and the website continues to work on an expired certificate, you are not at risk but the overall process is somewhat undermined.

That is a long explanation for - it is OK to continue to use but I would be uneasy if the certificate expired more than a year ago.   Certificates are generally issued and renewed on an annual basis.

Edited January 3, 2016 by Twin Wolf Technology Group

[Jay Kay]

Thanks Twin Wolf, that helps a lot! Enjoy your day!

 

[Dottie Atwater]

2 hours ago, Twin Wolf Technology Group said:

That is a long explanation for - it is OK to continue to use but I would be uneasy if the certificate expired more than a year ago.   Certificates are generally issued and renewed on an annual basis.

How do you check to see when a certificate expired? Thanks.

[Twin Wolf Technology Group]

You can check the certificate information by clicking on the little padlock in the address bar.  After you click on the padlock a little window will popup with information about the certificate.   The padlock will appear colored in red, yellow or the HTTPS:// will be crossed out if the certificate is expired or has other issues.  Regardless of the status, you should see a padlock and be able to click on it for more information.  If you are unfamiliar with where the little padlock is located, one of my clients has a good set of examples for each web browser on their website here:  https://www.suttercreektheater.com/home/secure-website/

Often times there is additional information in the dialog box that pops up and you can click on it as well for more details.

The site for Union Fenosa shows the following:

Their certificate is not yet expired but will expire later this month.  The problem with their certificate is that it is registered to the domain name gasnaturalfenosa.es but the website domain name is gasnaturalfenosa.com.pa

So the domain names do not match exactly and the web browser says the site is not safe since the certificate has not been checked against the owner of both the .com.pa domain and the owner of the .es domain name.   You can see that it is possible in this case that someone could put up a look-alike website at a similar website address and then get unsuspecting clients to enter their user name and password information.

In this case, it is likely the IT staff registered both domain names to go to the same website but the certificate was only registered for one of the names.  Just sloppy IT work.

Edited January 3, 2016 by Twin Wolf Technology Group