
Consumers around the world trust data storage company Seagate to keep their information safe, but the firm this week apparently allowed one of its website security certificates to lapse. The expiration means some Seagate backup functions currently don’t work. It also calls into question the firm’s business practices, according to one security expert.
Visitors to login2.seagate.com on Monday were met with a warning that the site’s certificate was invalid.
“The security certificate for this site doesn’t match the site’s web address and may indicate an attempt to fool you or intercept any data you send to the server,” reads one such warning.
More than likely, something far less sinister is going on — a paperwork error. An SSL checker indicated that Seagate’s certificate was valid from April 20, 2014 to December 19, 2015 – meaning it expired on Saturday.
The mistake means more than just those melodramatic browser warnings, however. Users of Seagate’s mobile backup service were unable to log in on Monday afternoon. Complaints about the problem can be found on Twitter beginning this weekend. The expired certificate also raises some concerns for customers’ private data.
Dublin-based Seagate is known primarily for selling high-capacity hard drives and other data storage technologies. It has annual revenues of nearly $13 billion. The firm didn’t immediately respond to a request for comment.
Allowing a certificate to expire is bad security practice, says independent expert Harri Hursti.
“Fundamentally decent business practice is to design certificate rotation as part of any secure website design. In many cases a good practice is to have short and automatic certificate rotation,” he said. “So, the certificate should have been replaced (long) before it expires.”
Expired certificates also open the door for hackers to commit man-in-the-middle attacks — since consumers and their browsers can no longer authenticate the site they are trying to visit. Instead, visitors to the real site would see a broken SSL lock symbol in their browser address bar and receive a warning.
“Basically, an expired certificate (means): One, their server has been replaced by an attack server; two, they have no basic security design in place and everything is ad-hoc; or, three, they simply are sloppy and clueless,” Hursti said.
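Hursti's point that a certificate should be replaced long before it expires can be enforced with a scheduled expiry audit; the sketch below is an added example, not code from Seagate or from the article. The 30-day renewal threshold, the times of day and the second host are assumptions, and the inventory is constructed in the shape Python's `getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumed policy threshold, not from the article

# Constructed inventory in the dict shape ssl.SSLSocket.getpeercert() returns.
# First entry: validity dates reported in the article (times of day assumed).
# Second entry: entirely made up for contrast.
INVENTORY = {
    "login2.seagate.com": {
        "notBefore": "Apr 20 00:00:00 2014 GMT",
        "notAfter": "Dec 19 23:59:59 2015 GMT",
    },
    "backup.example.test": {
        "notBefore": "Mar 15 00:00:00 2015 GMT",
        "notAfter": "Mar 15 00:00:00 2017 GMT",
    },
}

def _utc(cert_time):
    """Parse an OpenSSL-style certificate time string into an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def classify(cert, now, renew_before_days=RENEW_BEFORE_DAYS):
    """Return (status, whole days until notAfter; negative once expired)."""
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    days_left = (not_after - now).days
    if now < not_before:
        return "not-yet-valid", days_left
    if now > not_after:
        return "expired", days_left
    if days_left < renew_before_days:
        return "renew-now", days_left
    return "ok", days_left

def audit(inventory, now):
    """Classify every host, most urgent (fewest days left) first."""
    rows = [(host, *classify(cert, now)) for host, cert in inventory.items()]
    return sorted(rows, key=lambda row: row[2])

if __name__ == "__main__":
    monday = datetime(2015, 12, 21, 12, 0, tzinfo=timezone.utc)  # constructed check time
    for host, status, days in audit(INVENTORY, monday):
        print(f"{host:24} {status:12} {days:5d} days")
```

Run daily against real `getpeercert()` output, the `renew-now` state is the one that should page someone; `expired` means the alert was missed.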