Over a month later and Comcast still doesn't know how to SSL

The SSL certificate expired Tuesday, May 8, 2012.<p>Pro tip: Set up monitoring alerts on your SSL certs to alert your sys admin when they are getting close.<p>For example, here's a Nagios SSL expiration alert: <a href="http://exchange.nagios.org/directory/Plugins/Network-Protocols/HTTP/check_ssl_certificate/details" rel="nofollow">http://exchange.nagios.org/directory/Plugins/Network-Protoco...</a>

It;s been more than a month, perhaps not this particular one, but I have reported to them on twitter multiple times that their SSL certs are dead. Their IP to geolocation is also way off, something they don't seem to care about.<p>I think the worst was I contacted them on twitter about several hosts that were hammering one of our mail servers, around a million lookups for usernames a day for each domain.<p>I blocked the IP's, problem solved, but wanted them to nuke the accounts. They said to send in the relevant data. I nicely formatted all the data, snipped sections here and there, and tar'd the files.<p>Emailed them in and was told they don't know what a tar file is. Sent them in gzip, they can't open them. Finally said screen it and posted the data to pastebin in plain text and sent them the raw link. They didn't know what to do with it.<p>At some point, I just gave up.

To be fair to Comcast you're running into a few things. In a non-technical kind of way and in no order...<p>Comcast.com is (stop laughing) a high value domain. You're not likely to get any CA to just hand over a certificate in 2 seconds. It will get flagged for manual inspection and further details will be required.<p>Large companies like this aren't as simple to handle. If it were a small startup with 3 people you want to bet your pants it would be fixed right away. But I bet you there are e-mails flying around into underpaid mailboxes waiting for a response. Not every corporate office is a well-oiled machine.<p>But on the flip side it is unfortunate they're struggling with it. The poor front line customer service rep (Carole) has no choice but to assure you they're currently working on it and move on to the next squeaky wheel. Like any person in customer service, her job is to assure you and move on.

It's pretty funny that an ISP can't get their certs together, but geez, temporarily accept the cert, read the service agreement and get on with your life. Are you seriously worried about a man-in-the-middle attack here?<p>Trying to impress first tier forum support with your long history with computers isn't helpful to anyone, and sounding off about a serious legal issue in bold and italics is probably just making the lawyers giggle. It's nice to report the problem and follow up on it. There's no reason to be a dick about it.

I know the warnings are in place for a reason, but why don't the affected people just bypass the warning. There is no reason to think that just because the date changed that Comcast's certificate is now compromised. If the certificate was issued with an expiry date of five years or more, I'd understand <i>not</i> taking the chance; especially considering how long Comcast is taking to review their certificate - if their certificate did become compromised their customers would likely never find out.

Corporate bureaucracy often results in bad, strange, or just plain weird circumstances. Film at 11.

A little OT, but using HTTPS Everywhere has shown me how badly SSL is configured on many sites. Default certs for root domain being used on subdomains, scripts and styles loaded over HTTP (and hence blocked by Chrome - by far the most common and most annoying), HTTPS port listened on but no site served, default certs for completely unrelated sites showing up, etc.

Looks like their cert for <a href="https://www.comcast.com/" rel="nofollow">https://www.comcast.com/</a> is fine, so this problem is only with the 'contracts' subdomain. I'm guessing that's a low traffic/priority section for them.<p>They should buy a wildcard cert for *.comcast.com and be done with it.

The "I was using the internet before there was an internet" argument is not helpful to anyone in this situation. The first tier support has no way of verifying the claim and even if they did, they still might not be able to escalate the issue before asking the documented questions. The questions in this case seemed quite sensible, I've been caught out with SSL certs expiring before realising my time wasn't syncing. It's not helpful to the OP because it comes across as arrogant and they're not going to endear themselves to the support agent.<p>Best for everyone is to remain polite, responsive to the agent's requests (however seemingingly inane) and the process will move a lot quicker.

In my personal experience, @ComcastBill, a fellow named Bill Gerth in Ohio(?), has been a responsive and helpful face inside Comcast. On two occasions short, specific queries his way resulted in receiving direct, actionable contact from inside Comcast.<p>I sent him a tweet about this specific issue, and hopefully he can make this little embarrassment disappear: <a href="https://twitter.com/Roadstead/status/262544429490003968" rel="nofollow">https://twitter.com/Roadstead/status/262544429490003968</a>

Why do companies buy certs one year at a time?<p>You can make certs for ten, even twenty years.<p>This all goes back to the SSL cartel wanting control.<p>Just make a cert good until January 19, 2038 and get it over with.

It actually expired almost 6 months ago, on May 8.

That happens with my lame credit union all the time.

A month after what? September 27th is what?

I love when shit like this happens. Edit: love when it happens to other people.