

Never mind Heartbleed, Santander are using a cert that expired a year ago - pjc50
https://myonlineaccounts2.abbeynational.co.uk/

======
dingaling
My Online Accounts was deprecated last year. The current landing page is
[https://retail.santander.co.uk](https://retail.santander.co.uk)

Yes, they should have taken MOA offline and removed the DNS entry.

But anyhow an expired cert still works just as well as a 'current' cert. It
isn't stripped of its crypto-skillz just because an arbitrary date has passed.

_Source: being an Abbey retail customer; we were informed of this change._

~~~
pjc50
My wife still gets redirected _to_ that page _from_ retail.santander.co.uk on
entering her customer number.

It doesn't automatically indicate insecurity, but it does indicate that there
is a system that isn't being actively maintained properly but is still up.

------
Joeboy
They're using an expired certificate on an expired website. No biggie.

------
abhilash0505
It is unfortunate that many "big" companies still use expired certificates.

------
valarauca1
So the issue is that their certificate expired? Not their using SSL3.0 instead
of any TLS implementation?

Qualys SSL Labs fails them immediately because they can't even connect via TLS.
Opera says I'm connecting with, "RC4_128bit with an MD5 RSA signed key." I'm
actually surprised their public modulus is 2048 bits long.

------
Sarkie
An expired cert vs being able to "ping" a site to get part of the memory
without trace.

Yeah...

