Google Let Root Certificate For Gmail Expire

Gr8Apes writes: The certificate for Google's intermediate certificate authority expired Saturday. The certificate was used to issue Gmail's certificate for SMTP, and the expiration at 11:55am EDT caused many e-mail clients to stop receiving Gmail messages. While the problem affected most Gmail users using PC and mobile mail clients, Web access to Gmail was unaffected. I guess Google Calendar failed to notify someone.

Obligatory XKCD

[avgjoe62]

This seems so prophetic now:

Obligatory XKCD Link [xkcd.com]

Re:

[Anonymous Coward]

Man I love 8.8.8.8

Re:Obligatory XKCD

[X0563511]

Man, 8.8.4.4 never gets any love.

Re:

[houstonbofh]

Shhh! That is why it is lag free... Don't lag my DNS, bud...

Re:

[Anonymous Coward]

You know, you could have relatively no lag with a giant monolithic hosts file. Ask APK for details.

Re:

[Maritz]

Too bad you can't use a word document, then he could format the hosts file as creatively as his long, meandering, manic and paranoid postings.

Re: Obligatory XKCD

[cthulhu11]

Alex P. Keaton?

Re:Obligatory XKCD

[Ralph Siegler]

That 8 stuff is for young-un's, we old timers love our 4.2.2.2 Originally BBN Planet 's DNS server in 1994, now owned by Level 3

Re:

[SgtAaron]

Man I love 8.8.8.8

I do, too! We did run into a bit of a mess the other day, however, when a domain name somewhat important to us, that was thought to be on auto-renew, was expired. (I know, I know, big screwup) Our registrar then changed the name servers to their own. So we renewed it within a couple of hours, and we generally use our own caching servers, but some of our stuff out there is using google's DNS, and it seems they ignore the TTL for NS records, using their own TTL of, I think, 22600 seconds which equals more

Re:

[SgtAaron]

22600 seconds which equals more than 15.5 days

Did I just say that? Sheesh, it's more like 6 hours! When doing the math I must have been remembering my boss not in a good mood that day. Still 6 hours was much longer than the few minutes we were expecting.

Cheers!

Re:

[Paradise Pete]

Thank goodness. I was trying to figure out what planet you might be on.

Re:Obligatory XKCD

[snowgirl]

You've likely heard of Memegen, the internal Google meme forum?

Yeah, that comic is a template, and regularly gets rolled out for random things that we were told to focus on... like "self-driving cars" or "nest" or "ionosphere skydiving VPs"

Re:

[slimjim8094]

I work on Public DNS, and we have that printed out and put up on our wall. Made our day when that came out :)

Lets encrypt

[NotInHere]

As it seems even tech giant google gets it wrong with its own certs. Lets hope that Let's Encrypt will make these problems of yesterday one day.

Re:

[jandrese]

I always find it amazing that these huge companies with enormous public domains don't have a person who's job description includes managing all of their certs and making sure they don't expire. You could even assign the job to two people just to make sure one of them doesn't get sick or something and miss one.

Re:

[wile_e_wonka]

I always find it amazing that these huge companies with enormous public domains don't have a person who's job description includes managing all of their certs and making sure they don't expire.

I bet they do. That's probably the problem--some human screwed up. I am surprised thee huge TECHNOLOGY companies with enormous public domains don't have an automated system to keep an eye on these things and auto-renew or alert a human or something. Heck; maybe they do and the alert failed, or alert to human went to spam, etc.

Re:

[mrbester]

The alert was probably sent to a GMail account.

Re:

[I4ko]

All you need is the rekey procedure in RFC 4210. It is mind boggling to understand for most, dead simple to do in practice (though not when there is an expiration). But for expiration you don't rekey, you just resign the CSR.

Re:

[johnnys]

Resigning the CSR reuses the old keys. That's a security error: you're essentially reusing a password.

A new certificate should be generated using a new set of keys, and the old CSR should be discarded.

Re:

[sexconker]

Yup. Renewing is backwards. Reissue new every time.

Re:

[Gr8Apes]

Considering I have implemented an entire CA chain, yes, I am aware of the massive pain in the ass it is. Also, the real answer here is you never issue a cert with a CA that exceeds the lifetime of the CA's cert. When you get to that point, you issue a new CA cert, and issue new certs based on that new CA cert, and that applies all the way up the chain. That way, you never have this problem. So there's multiple failures here, it's not as simple as it appears on the surface, and makes the failure all the more

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[gmack]

That is the sort of Job description that's destined to fail and I would settle for some software that tracks domains, SSL certs etc and notifies (with an off switch when I want something to die) me when things need to be renewed. If you rely on the upstream provider, you end up renewing too much.

Mind you, in this case, I would not be surprised if they had actually renewed the certificate but didn't catch that the intermediate cert would cause the already issued certs to expire early. As someone else post

Re:

[tlhIngan]

That is the sort of Job description that's destined to fail and I would settle for some software that tracks domains, SSL certs etc and notifies (with an off switch when I want something to die) me when things need to be renewed. If you rely on the upstream provider, you end up renewing too much.

Perhaps it's time that SSL libraries provided warnings should the date of expiry come close - say 6 months. Then the SSL library will return a warning along the lines of "The target's SSL certificate will expire in

Re:

[jafiwam]

That is the sort of Job description that's destined to fail and I would settle for some software that tracks domains, SSL certs etc and notifies (with an off switch when I want something to die) me when things need to be renewed. If you rely on the upstream provider, you end up renewing too much.

Perhaps it's time that SSL libraries provided warnings should the date of expiry come close - say 6 months. Then the SSL library will return a warning along the lines of "The target's SSL certificate will expire in less than 6 months (5 months 30 days 21 hours ...)". If users started getting messages about it they'd bring up a storm to get those certs renewed. And I think 6 months is probably plenty of time to account for someone in charge to notice and start a bureaucratic process to get it renewed.

And if browsers displayed it, well, users will report their browsers are displaying some yellow gobbledegook about the website.

Google is more interested in their browsers display some yellow gobbledygook about certificates not being on file at their preferred "Public Audit Records" authority. A new standard not meant to be implemented yet. Or, they'll just take the little lock symbol away in newer versions while everybody else follows the actual rules.

Google is big enough to be stupid, and arrogant at the same time. Congrats, assholes.

Re:

[Feral Nerd]

I always find it amazing that these huge companies with enormous public domains don't have a person who's job description includes managing all of their certs and making sure they don't expire. You could even assign the job to two people just to make sure one of them doesn't get sick or something and miss one.

Facebook screwed this up once too. For the better part of a day I could not go anywhere on the internet without getting tiresome sequences certificate errors every single time I loaded a page with complaints about an expired Facebook certificate. I would not just get errors on pages with those crappy Facebook 'Like' buttons and little commenting plugin or pages that offered logging in with Facebook but even on sites that were serving what looked like pure 1990 something vintage HTML 2.0 pages but under the

Re:

[Gr8Apes]

I became the SOA for facebook.com, and a few others a long time ago. This is not a problem.

Re:

[chihowa]

That person was recently fired

Let's at least hope that the manager responsible for having him sacked was also, in light of these events, sacked.

Re:

[Paradise Pete]

I left a Monty Python sketch laying around here somewhere. Have you seen it? It must be nearby.

Re:

[mrchaotica]

A llama ate it.

Re:Lets encrypt

[sycodon]

The internet has become one giant Rube Goldberg machine. Way too many parts and dependencies.

No, I don't have an alternative, but that's not a requirement to point out that the web seems pretty fragile.

Re:

[Bing Tsher E]

Email isn't the web, though. As somebody who connects to pop.gmail.com regularly, that point is very clear to me.

Re:

[sycodon]

True...but isn't that kind of like saying a Fax isn't the phone network?

Re:

[steveg]

It's more like saying a fax isn't an answering machine. Both use the phone network, but neither depend on the other.

Re:

[multi io]

As it seems even tech giant google gets it wrong with its own certs. Lets hope that Let's Encrypt will make these problems of yesterday one day.

Well, the web mailer wasn't affected because the site uses different certificates, and neither were Google's other gmail clients, e.g. the Gmail app on Android, because those all use the Gmail API (again, with different certificates) rather than SMTP. So if you're paranoid enough, you may suspect malice rather than sloppiness. :-P

Re:

[houstonbofh]

Everyone screws this up with certs. Part if this is because they are needlessly complex, and don't really solve the problem they were intended to solve. The entire CA system really needs to die. In a fire. Right now.

Re:

[Gr8Apes]

Certs are fine, it's the CA management piece that's lacking, and how browsers deal with it. While cert management sucks with the OS/dev env tools, across the board, you can create a pretty straight forward interface for this process that's a whole lot easier than the provided crap.

Shouldn't be possible

[Lorens]

because you should never sign a cert that has an expiration date later that that of the signing cert !

LOL ...

[gstoddart]

I am GRoot.

Re:

[jones_supa]

Obligatory relaxation video [youtube.com].

Not uncommon in my world :)

[nuckfuts]

I usually figure out that a cert has expired when something breaks. For example, I like to use free certs from StartSSL [startssl.com] on Exchange Servers. When they expire, people get warnings when accessing OWA, or smartphones stop connecting.

If it happens to be on an SBS Server it can really be a pain, however, since it will stop working as a Terminal Services Gateway, making it difficult to log back on and replace the cert.

Re:

[jader3rd]

From my experience dealing with Microsoft Exchange administrators, this comes as no surprise.

However, when people running high-performance, FOSS mailservers forget to get fresh certs before the old ones expire they are ridiculed and many even lose their jobs. There's a higher level of competence expected, I guess.

You're right, it totally sucks to have software that seems to be able to perform, without a crack team of competent professionals holding it together each day. All software should require massive amounts of 'competence' to manage it, instead of being able to just do what the user wanted it to do.

Re:

[nuckfuts]

That's a pretty high horse you're on there.

This has nothing to do with closed source vs. FOSS. The examples I was referring to are small, non-critical applications where nobody needs to get fired because a cert warning appeared in someone's browser.

And the layman's translation is what again?

[UnknownSoldier]

The article summary doesn't pass the mother test. i.e. If you can't explain the topic to your mother, the summary is not plain enough, and not descriptive enough.

* How does this a normal user?
* What can they or not do now?
* What do they have watch out for?

Re:And the layman's translation is what again?

[wonkey_monkey]

As much as I like to take issue when a summary truly is unenlightening and makes unreasonable expectations of readers, I don't think this is such a case. Slashdot isn't a general news site, and does have a specific target readership, the vast majority of which are going to know what a certificate is and what SMTP is.

And anyway, whose mother? Some mothers would need the meaning of "ISP" spelled out for them over several sentences. Some mothers don't have even a vague grasp of what the internet is. Where do you draw the line?

At least it wouldn't be over the head of this [xkcd.com] mom.

* How does this [-] a normal user?
* What can they [-] or not do now?
* What do they have [-] watch out for?

Blimey, if you want to talk about clarity...

Re:

[snowgirl]

Some mothers also could run circles around you talking about the internet...

Re:

[Bruce Perens]

The article summary doesn't pass the mother test.

Dear Mom,

Please send UnknownSoldier to computer science school.

Explanation: he doesn't understand basic things about digital cryptographic trust systems used on the Internet.

Thank you.

:-)

Re:

[tompaulco]

Who sets something up to expire on a weekend, anyway?

Re:

[houstonbofh]

All the slashdot users with gmail couldn't tell anyone.

I doubt it

[koan]

I just don't see Google slipping up by "forgetting" (how can you excuse that in this day and age?)
I think something else happened.

Re:I doubt it

[gstoddart]

Honestly, Microsoft has let the domain for Hotmail expire. In fact, they've done it more than once.

Never underestimate the human capacity to fuck something up.

Re:

[wonkey_monkey]

I think something else happened.

Can you think of a more likely explanation for the events?

Google has been degrading rapidly.

[Futurepower(R)]

wonkey_monkey, I'm guessing you are actually wonkey_human.

Yes, I think I have an explanation. Google has been degrading rapidly. More and more Google is out of control. To me, that is very sad. For years, Google was an amazingly excellent company.

The Google traffic map near Portland, Oregon shows traffic accidents in Seattle, 3 hours away. The design of the text in the upper left corner of Google maps is very poor.

There are many other issues of that nature.

Re:

[koan]

Yeah you have a point there, they do seem to be declining and is it just me or does youtube have the worst interface ever.

Re:

[bzipitidoo]

Hardly that. Many major sites have slipped. Only a few weeks ago, Mozilla let one of their certs expire.

Making passwords expire every 90 days was dumb. All those systems that couldn't handle Y2K were problems. But for certs to fail on a specific date is a design feature.

Staff?

[slazzy]

You'd think a company the size of google would have a full time employee dedicated to renewing domain names, certificates and other digital subscriptions of great importance.

Re:

[GuB-42]

They probably do, but maybe he was on holidays and he forgot to relay the notification to the person replacing him, at the same time the guy responsible for the SMTP service saw the problem but because it's the job of guy of the SSL service, he didn't do anything and...
No company is immune to this kind of problem, and certainly not the big ones. I've seen extremely stupid things, such as a power outage because the company forgot to pay the utility bill despite several reminders.

LOL

[Anonymous Coward]

When we bought our $50k accounting system some years ago we went to Colorado for the training class.

The license had expired on the in-house training system, not noticed til we sat down to train, and it took their tech an hour to get around it :) Ooops
They did it right in front of me...so much for security.

One would think you could manage to keep the system up to date when you are BOTH the vendor AND the customer....hehe

Just clients?

[multi io]

The certificate was used to issue Gmail's certificate for SMTP, and the expiration at 11:55am EDT caused many e-mail clients to stop receiving Gmail messages

If the certificate was "for SMTP", the problem would have affected not just end users, but also peers, i.e. other e-mail providers who wanted to deliver mail to @gmail.com addresses. Or at least they may have automatically fallen back to unencrypted SMTP delivery (which was pretty much the default before Snowden, but anyway).

title wrong

[fugas]

"Google Internet Authority G2" is NOT a root certificate (subject != issuer).

Re:

[Gr8Apes]

it was the root cert for gmail, it's not a root cert for a CA.

easy one

[marcello_dl]

The message I get is: "we don't like when you use a mail client to access gmail, we'd rather prefer the web interface, potentially monitoring your behavior down to the keypress and the time before you scroll past that pic, and not letting you store the content on your PC by default. So let's start by not caring about that cert expiration, let's see what the public reactions are."

Re:

[Gr8Apes]

I installed Chrome specifically to deal with Google, and only Google. It's almost like a self-contained dedicated mail/calendaring program, although the interface sucks compared to my desired mail programs so I don't often use it. Seems to keep Google out of my real browser's history as a bonus.

Re:

[Neil Boekend]

Only if your "real browser" runs NoScript or something similar.

Re:

[Gr8Apes]

Only if your "real browser" runs NoScript or something similar.

Precisely.

Why is it good that certificates expire?

[Jeremi]

Sorry, I know this is a really basic question, but a quick Google search didn't turn up any satisfying answers.

The question is: why is it useful to have certificates expire after a particular amount of time? Isn't that similar to writing a program that contains a bug that will cause it to automatically stop working in (so many months/years)?

The only reason I can think of is that if the certificate was compromised this would make sure that people eventually stopped using it; OTOH if the certificate is comp

Re:Why is it good that certificates expire?

[Anonymous Coward]

From IBM [ibm.com]:

Question
FAQ: Why do certificates have an expiration date? (SCI97674)
Answer
Digital certificates are breakable and are only considered to be secure for a limited period of time.? As of 2006, a? certificate based on? the standard? 1024 bit encryption string is only considered to be secure for 1-2 years and so certificates should expire and be replaced after no more than 2 years. Note

Re:

[dcollins117]

The question is: why is it useful to have certificates expire after a particular amount of time?

For commercial certificate authorities, it is principally due to revenue generation as you have to pay them again each time you renew the certificate.

You can (and I encourage you to) create your own certificates with you as the certificate authority. You can specify any amount of time before it expires. How much time you choose before the certificate expires depends on how strongly you feel the encryption method used will stand up to future attacks. One year is probably too short. 100 years is probably too

It's ok to forget these postmaster...

[Kekke]

And it's not that of a big deal anyways since this mishap occurred conveniently on your last day @ the job.

Aha!

[doccus]

Yup, my OSX Mail app informed me of that as well. It simply asked me if I wanted to continue. I assumed there was some kind of server problem accessing the certificates. After all, Google couldn't possibly be that incompetent as to let their certs expire. It used to be a common event back in the day, when Netscape 4 was current, that certs would expire all the time. But not now. Too busy snooping in on everyone else , I guess, to bother to check at home..

Re:Lol

[Anonymous Coward]

Yeah I only use Tinder for all my communication.

Re:

[bulled]

Lol, I write my patches 160 characters at a time, now to figure out why nothing has been merged...