Instagram's SSL certificate expired at midday GMT on Thursday 30th April 2015 and was not replaced for more than an hour, leaving visitors unable to access the site without seeing browser warnings.
The expired DigiCert-issued certificate that was being served from https://instagram.com/ has now been replaced with a different certificate, valid until 15th October 2015.
Users who ignore the warnings from their browser could be at risk of man-in-the-middle attacks, where a correctly-positioned attacker can surreptitiously steal usernames, passwords and session cookies without the victim's knowledge.
Although the HTTP version of the site redirects to HTTPS, instagram.com does not currently make use of HTTP Strict Transport Security — an HTTP header that permits a site to specify that future visits must be over HTTPS. As a result, customers can bypass the warning message, placing them at risk of man-in-the-middle attacks.
If HSTS had been in use, visitors would correctly not be able to bypass the error message, protecting them from man-in-the-middle attacks, but leaving them without the ability to connect to instagram.com. As HSTS does not protect the user on their first visit, website owners can request to have their HSTS rules embedded into the browser via Chrome's preload list.
instagram.com is the 310th most popular website amongst users of the Netcraft Toolbar. The Instagram app does not appear to be affected, as it makes use of a different server at i.instagram.com, which uses a valid certificate.
Posted by Paul Mutton in Security
Your link here? Advertising on the Netcraft Blog