Many Brazilian government websites do not have valid security certificates. Examples:
https://www.ibama.gov.br/ (expired)
https://www.ibge.gov.br/ (self-signed, invalid URL)
https://www.funai.gov.br/ (self-signed)
https://www.brasil.gov.br/ (unknown CA: ICP-Brasil)
https://www.senado.gov.br/ (unknown CA: ICP-Brasil, invalid URL)
In most cases the browser says that the "root certificate of the certification authority is not trusted", while others are simply expired. This situation is unusual on commercial websites, but from time to time I run into one of these too. And of course, I myself have some difficulty keeping the sites I manage with valid certificates at all times.
Is it necessary for a site to have a valid certificate for communication with it to be secure? Why? Some of these government sites have very important functions (e.g. IRS, Ministry of Labor, Siape...); is it safe to continue using them despite the security alert presented? (some even go so far as to instruct the user to ignore these alerts)
It has already been suggested (by my former hosting provider) that I use certificates from cacert.org rather than a self-signed one, since they "are not yet recognized by the main browsers, but many systems already accept them" (i.e., still invalid!). Would that be acceptable practice? Can I just tell my users to accept the security alert and be done with it, just as these government websites do? What impact does an invalid certificate have on a website's security?
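The warning classes listed above (unknown CA, self-signed, expired, hostname mismatch), reproduced with throw-away certificates as an added example that is not part of the original post. It assumes the `openssl` command-line tool is installed; the hostname `www.exemplo.gov.br` and the "Constructed Private Root" stand in for a real site and for a root browsers do not ship, such as ICP-Brasil's, and the point is that installing such a root deliberately keeps every check active, whereas clicking through the alert disables all of them.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a constructed private root
# (stand-in for ICP-Brasil), a server certificate issued by it, and a self-signed
# server certificate, then runs the same verification a browser performs.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=www.exemplo.gov.br   # constructed hostname

# Private root that no browser ships.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Constructed Private Root" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# Server certificate issued by that root, with a SAN naming HOST.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.cnf"
openssl x509 -req -days 365 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -extfile "$WORK/san.cnf" -out "$WORK/srv.pem" 2>/dev/null
# Self-signed server certificate, as several of the sites in the question use.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$HOST" \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null

# verify CERT [openssl verify options]: prints OK or OpenSSL's first verification error.
verify() {
  cert=$1; shift
  if out=$(openssl verify "$@" "$cert" 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
  fi
}

# 1. Root not installed (no trust anchors at all): the "unknown CA" warning.
unknown_ca=$(verify "$WORK/srv.pem" -no-CAfile -no-CApath)
# 2. Root installed deliberately: chain, validity period and hostname are all still checked.
trusted=$(verify "$WORK/srv.pem" -CAfile "$WORK/ca.pem" -verify_hostname "$HOST")
# 3. Same chain, but the certificate names a different host than the one visited.
wrong_host=$(verify "$WORK/srv.pem" -CAfile "$WORK/ca.pem" -verify_hostname outro.gov.br)
# 4. Same chain, evaluated two years from now: the "expired" warning.
expired=$(verify "$WORK/srv.pem" -CAfile "$WORK/ca.pem" -attime $(( $(date +%s) + 2*365*86400 )))
# 5. Self-signed leaf: no issuer anyone trusts, rejected outright.
self_signed=$(verify "$WORK/self.pem" -no-CAfile -no-CApath)

printf 'unknown CA : %s\ntrusted    : %s\nwrong host : %s\nexpired    : %s\nself-signed: %s\n' \
  "$unknown_ca" "$trusted" "$wrong_host" "$expired" "$self_signed"
```

Only case 2 verifies; every other case is exactly what the browser alerts on, and "accepting" the alert skips all five checks at once, not just the one that failed.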
I hope some answer comments on ICP-Brasil, which is the problem with most of the sites mentioned and is a different problem from those already discussed here: Brazil has invented a certification authority that is not (yet?) trusted by the vendors of the browsers currently in use, and the person is required to install the root manually. The question of the ICP-Brasil root is one of the fundamental points in answering part of the question.
– Bacco
@Bacco I gave the example of CAcert because it is fundamentally very similar to ICP-Brasil: both are used by a large number of sites, both are not considered "trusted" by browsers, both require you to download and install the root certificate manually, and in both cases that certificate is served over an insecure channel. The difference between them and, say, a private CA created by a company is that it's easy for the company to distribute the root certificate to its employees (on a flash drive, for example), whereas these others are intended for the general public.
– mgibsonbr
Relevant: "Installing a CA only for specific domains" (see also my comment on Thomas Pornin's answer) and "Certification Authority only for certain domains" (a little older, but if the information there is correct, bad news...)
– mgibsonbr
@mgibsonbr this is a good example of how one can ask almost the same thing in a much more objective and, above all, much more interesting way.
– Jorge B.