Google Let Root Certificate For Gmail Expire 104

Gr8Apes writes: The certificate for Google's intermediate certificate authority expired Saturday. The certificate was used to issue Gmail's certificate for SMTP, and the expiration at 11:55am EDT caused many e-mail clients to stop receiving Gmail messages. While the problem affected most Gmail users using PC and mobile mail clients, Web access to Gmail was unaffected. I guess Google Calendar failed to notify someone.
  • by avgjoe62 ( 558860 ) on Tuesday April 07, 2015 @04:42PM (#49424989)

    This seems so prophetic now:

    Obligatory XKCD Link [xkcd.com]

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Man I love 8.8.8.8

      • by X0563511 ( 793323 ) on Tuesday April 07, 2015 @06:36PM (#49425665) Homepage Journal

        Man, 8.8.4.4 never gets any love.

      • Man I love 8.8.8.8

        I do, too! We did run into a bit of a mess the other day, however, when a domain name somewhat important to us, that was thought to be on auto-renew, was expired. (I know, I know, big screwup.) Our registrar then changed the name servers to their own. So we renewed it within a couple of hours, and we generally use our own caching servers, but some of our stuff out there is using Google's DNS, and it seems they ignore the TTL for NS records, using their own TTL of, I think, 22600 seconds which equals more

        • 22600 seconds which equals more than 15.5 days

          Did I just say that? Sheesh, it's more like 6 hours! When doing the math I must have been remembering my boss not in a good mood that day. Still 6 hours was much longer than the few minutes we were expecting.

          Cheers!

    • Re:Obligatory XKCD (Score:5, Interesting)

      by snowgirl ( 978879 ) on Tuesday April 07, 2015 @06:17PM (#49425563) Journal

      You've likely heard of Memegen, the internal Google meme forum?

      Yeah, that comic is a template, and regularly gets rolled out for random things that we were told to focus on... like "self-driving cars" or "nest" or "ionosphere skydiving VPs"

      • I work on Public DNS, and we have that printed out and put up on our wall. Made our day when that came out :)

  • As it seems, even tech giant Google gets it wrong with its own certs. Let's hope that Let's Encrypt will make these problems a thing of yesterday one day.

    • by jandrese ( 485 )
      I always find it amazing that these huge companies with enormous public domains don't have a person whose job description includes managing all of their certs and making sure they don't expire. You could even assign the job to two people just to make sure one of them doesn't get sick or something and miss one.
      • I always find it amazing that these huge companies with enormous public domains don't have a person whose job description includes managing all of their certs and making sure they don't expire.

        I bet they do. That's probably the problem--some human screwed up. I am surprised these huge TECHNOLOGY companies with enormous public domains don't have an automated system to keep an eye on these things and auto-renew or alert a human or something. Heck; maybe they do and the alert failed, or the alert to a human went to spam, etc.

        • The alert was probably sent to a GMail account.

      • by houghi ( 78078 )

        Wherever I was in charge, I always saw to it that there were three people responsible. Because we are in Europe, we would have people having holidays between 20 and 40 days a year, so one would be the backup of the first, and the second one would be the backup for when the second one was sick while the first one was on holiday.

        Obviously only group email addresses should be used for contact with external partners, so a follow-up would be possible.

        People have called me stoopid for doing it that way, but it has saved the

      • by gmack ( 197796 )

        That is the sort of Job description that's destined to fail and I would settle for some software that tracks domains, SSL certs etc and notifies (with an off switch when I want something to die) me when things need to be renewed. If you rely on the upstream provider, you end up renewing too much.

        Mind you, in this case, I would not be surprised if they had actually renewed the certificate but didn't catch that the intermediate cert would cause the already issued certs to expire early. As someone else post

        • by tlhIngan ( 30335 )

          That is the sort of Job description that's destined to fail and I would settle for some software that tracks domains, SSL certs etc and notifies (with an off switch when I want something to die) me when things need to be renewed. If you rely on the upstream provider, you end up renewing too much.

          Perhaps it's time that SSL libraries provided warnings should the date of expiry come close - say 6 months. Then the SSL library will return a warning along the lines of "The target's SSL certificate will expire in

          • by jafiwam ( 310805 )

            That is the sort of Job description that's destined to fail and I would settle for some software that tracks domains, SSL certs etc and notifies (with an off switch when I want something to die) me when things need to be renewed. If you rely on the upstream provider, you end up renewing too much.

            Perhaps it's time that SSL libraries provided warnings should the date of expiry come close - say 6 months. Then the SSL library will return a warning along the lines of "The target's SSL certificate will expire in less than 6 months (5 months 30 days 21 hours ...)". If users started getting messages about it they'd bring up a storm to get those certs renewed. And I think 6 months is probably plenty of time to account for someone in charge to notice and start a bureaucratic process to get it renewed.

            And if browsers displayed it, well, users will report their browsers are displaying some yellow gobbledegook about the website.

            Google is more interested in having their browsers display some yellow gobbledygook about certificates not being on file at their preferred "Public Audit Records" authority. A new standard not meant to be implemented yet. Or, they'll just take the little lock symbol away in newer versions while everybody else follows the actual rules.

            Google is big enough to be stupid, and arrogant at the same time. Congrats, assholes.

      • I always find it amazing that these huge companies with enormous public domains don't have a person whose job description includes managing all of their certs and making sure they don't expire. You could even assign the job to two people just to make sure one of them doesn't get sick or something and miss one.

        Facebook screwed this up once too. For the better part of a day I could not go anywhere on the internet without getting tiresome sequences of certificate errors every single time I loaded a page, with complaints about an expired Facebook certificate. I would not just get errors on pages with those crappy Facebook 'Like' buttons and little commenting plugin, or pages that offered logging in with Facebook, but even on sites that were serving what looked like pure 1990-something vintage HTML 2.0 pages but under the

        • by Gr8Apes ( 679165 )
          I became the SOA for facebook.com, and a few others a long time ago. This is not a problem.
    • Re:Lets encrypt (Score:5, Interesting)

      by sycodon ( 149926 ) on Tuesday April 07, 2015 @05:16PM (#49425191)

      The internet has become one giant Rube Goldberg machine. Way too many parts and dependencies.

      No, I don't have an alternative, but that's not a requirement to point out that the web seems pretty fragile.

      • Email isn't the web, though. As somebody who connects to pop.gmail.com regularly, that point is very clear to me.

        • by sycodon ( 149926 )

          True...but isn't that kind of like saying a Fax isn't the phone network?

          • by steveg ( 55825 )

            It's more like saying a fax isn't an answering machine. Both use the phone network, but neither depend on the other.

    • As it seems, even tech giant Google gets it wrong with its own certs. Let's hope that Let's Encrypt will make these problems a thing of yesterday one day.

      Well, the web mailer wasn't affected because the site uses different certificates, and neither were Google's other gmail clients, e.g. the Gmail app on Android, because those all use the Gmail API (again, with different certificates) rather than SMTP. So if you're paranoid enough, you may suspect malice rather than sloppiness. :-P

    • Everyone screws this up with certs. Part if this is because they are needlessly complex, and don't really solve the problem they were intended to solve. The entire CA system really needs to die. In a fire. Right now.
      • by Gr8Apes ( 679165 )
        Certs are fine, it's the CA management piece that's lacking, and how browsers deal with it. While cert management sucks with the OS/dev env tools, across the board, you can create a pretty straightforward interface for this process that's a whole lot easier than the provided crap.
  • by Lorens ( 597774 ) on Tuesday April 07, 2015 @04:47PM (#49425031) Journal

    because you should never sign a cert that has an expiration date later than that of the signing cert!
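    An added example, not posted by any commenter, that checks the two properties raised in this thread: the nesting rule above (no certificate outliving the CA that signed it) and the "warn well before expiry" idea from the replies further up, with the root identified by subject == issuer. The chain, names and dates are constructed for the example, apart from the intermediate's name and the expiry instant reported in the summary.

    ```python
    from dataclasses import dataclass
    from datetime import datetime, timedelta, timezone

    UTC = timezone.utc

    @dataclass(frozen=True)
    class Cert:
        subject: str          # only the X.509 fields the checks need are modelled
        issuer: str
        not_before: datetime
        not_after: datetime

        def is_root(self) -> bool:
            # A root is self-signed: subject and issuer carry the same name.
            return self.subject == self.issuer

    def check_chain(chain, now, warn_within=timedelta(days=182)):
        """Check a leaf-first chain; return (kind, subject) findings, [] if clean."""
        findings = []
        for i, cert in enumerate(chain):
            if not (cert.not_before <= now <= cert.not_after):
                # One expired link breaks the whole chain, however fresh the leaf is.
                findings.append(("not_valid_now", cert.subject))
            elif cert.not_after - now <= warn_within:
                # Early warning, in the spirit of the "warn at six months" proposal.
                findings.append(("expiring_soon", cert.subject))
            if i + 1 < len(chain):
                issuer = chain[i + 1]
                if cert.issuer != issuer.subject:
                    findings.append(("issuer_mismatch", cert.subject))
                if cert.not_after > issuer.not_after:
                    # Cert outlives the CA vouching for it, so the chain fails before
                    # the cert's own notAfter: the failure mode in the article.
                    findings.append(("outlives_issuer", cert.subject))
        if chain and not chain[-1].is_root():
            findings.append(("chain_not_anchored", chain[-1].subject))
        return findings

    # Constructed sample chain: the intermediate's name and expiry instant
    # (Saturday 2015-04-04 11:55 EDT = 15:55 UTC) come from the article; every
    # other name and date is made up for the example.
    ROOT = Cert("Example Root CA", "Example Root CA",
                datetime(2006, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC))
    INTERMEDIATE = Cert("Google Internet Authority G2", "Example Root CA",
                        datetime(2013, 4, 5, tzinfo=UTC), datetime(2015, 4, 4, 15, 55, tzinfo=UTC))
    LEAF = Cert("smtp.gmail.com", "Google Internet Authority G2",
                datetime(2014, 10, 14, tzinfo=UTC), datetime(2015, 7, 13, tzinfo=UTC))
    CHAIN = [LEAF, INTERMEDIATE, ROOT]
    BEFORE_OUTAGE = datetime(2015, 1, 1, tzinfo=UTC)     # a January monitoring run
    AT_OUTAGE = datetime(2015, 4, 4, 16, 0, tzinfo=UTC)  # five minutes after expiry
    ```

    Run in January, `check_chain(CHAIN, BEFORE_OUTAGE)` already flags both the intermediate's approaching expiry and the leaf outliving it; at `AT_OUTAGE` the intermediate is reported as no longer valid while the leaf's own dates are still fine.
    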

  • LOL ... (Score:5, Funny)

    by gstoddart ( 321705 ) on Tuesday April 07, 2015 @05:00PM (#49425095) Homepage

    I am GRoot.

  • by nuckfuts ( 690967 ) on Tuesday April 07, 2015 @05:03PM (#49425121)

    I usually figure out that a cert has expired when something breaks. For example, I like to use free certs from StartSSL [startssl.com] on Exchange Servers. When they expire, people get warnings when accessing OWA, or smartphones stop connecting.

    If it happens to be on an SBS Server it can really be a pain, however, since it will stop working as a Terminal Services Gateway, making it difficult to log back on and replace the cert.

  • The article summary doesn't pass the mother test. i.e. If you can't explain the topic to your mother, the summary is not plain enough, and not descriptive enough.

    * How does this a normal user?
    * What can they or not do now?
    * What do they have watch out for?

    • by wonkey_monkey ( 2592601 ) on Tuesday April 07, 2015 @05:40PM (#49425361) Homepage

      As much as I like to take issue when a summary truly is unenlightening and makes unreasonable expectations of readers, I don't think this is such a case. Slashdot isn't a general news site, and does have a specific target readership, the vast majority of which are going to know what a certificate is and what SMTP is.

      And anyway, whose mother? Some mothers would need the meaning of "ISP" spelled out for them over several sentences. Some mothers don't have even a vague grasp of what the internet is. Where do you draw the line?

      At least it wouldn't be over the head of this [xkcd.com] mom.

      * How does this [-] a normal user?
      * What can they [-] or not do now?
      * What do they have [-] watch out for?

      Blimey, if you want to talk about clarity...

    • The article summary doesn't pass the mother test.

      Dear Mom,

      Please send UnknownSoldier to computer science school.

      Explanation: he doesn't understand basic things about digital cryptographic trust systems used on the Internet.

      Thank you.

      :-)

  • I doubt it (Score:3, Insightful)

    by koan ( 80826 ) on Tuesday April 07, 2015 @05:16PM (#49425193)

    I just don't see Google slipping up by "forgetting" (how can you excuse that in this day and age?)
    I think something else happened.

  • You'd think a company the size of Google would have a full-time employee dedicated to renewing domain names, certificates and other digital subscriptions of great importance.
    • by GuB-42 ( 2483988 )

      They probably do, but maybe he was on holiday and forgot to relay the notification to the person replacing him; at the same time the guy responsible for the SMTP service saw the problem, but because it's the job of the guy of the SSL service, he didn't do anything and...
      No company is immune to this kind of problem, and certainly not the big ones. I've seen extremely stupid things, such as a power outage because the company forgot to pay the utility bill despite several reminders.

  • by Anonymous Coward

    When we bought our $50k accounting system some years ago we went to Colorado for the training class.

    The license had expired on the in-house training system, not noticed til we sat down to train, and it took their tech an hour to get around it :) Ooops
    They did it right in front of me...so much for security.

    One would think you could manage to keep the system up to date when you are BOTH the vendor AND the customer....hehe

  • Just clients? (Score:5, Informative)

    by multi io ( 640409 ) <olaf.klischat@googlemail.com> on Tuesday April 07, 2015 @05:41PM (#49425375)

    The certificate was used to issue Gmail's certificate for SMTP, and the expiration at 11:55am EDT caused many e-mail clients to stop receiving Gmail messages

    If the certificate was "for SMTP", the problem would have affected not just end users, but also peers, i.e. other e-mail providers who wanted to deliver mail to @gmail.com addresses. Or at least they may have automatically fallen back to unencrypted SMTP delivery (which was pretty much the default before Snowden, but anyway).

  • title wrong (Score:5, Informative)

    by fugas ( 619989 ) on Tuesday April 07, 2015 @05:52PM (#49425451) Homepage
    "Google Internet Authority G2" is NOT a root certificate (subject != issuer).
  • The message I get is: "we don't like when you use a mail client to access gmail, we'd rather prefer the web interface, potentially monitoring your behavior down to the keypress and the time before you scroll past that pic, and not letting you store the content on your PC by default. So let's start by not caring about that cert expiration, let's see what the public reactions are."

    • by Gr8Apes ( 679165 )
      I installed Chrome specifically to deal with Google, and only Google. It's almost like a self-contained dedicated mail/calendaring program, although the interface sucks compared to my desired mail programs so I don't often use it. Seems to keep Google out of my real browser's history as a bonus.
  • Sorry, I know this is a really basic question, but a quick Google search didn't turn up any satisfying answers.

    The question is: why is it useful to have certificates expire after a particular amount of time? Isn't that similar to writing a program that contains a bug that will cause it to automatically stop working in (so many months/years)?

    The only reason I can think of is that if the certificate was compromised this would make sure that people eventually stopped using it; OTOH if the certificate is comp

    • by Anonymous Coward on Tuesday April 07, 2015 @09:28PM (#49426481)

      From IBM [ibm.com]:

      Question
      FAQ: Why do certificates have an expiration date? (SCI97674)
      Answer
      Digital certificates are breakable and are only considered to be secure for a limited period of time. As of 2006, a certificate based on the standard 1024 bit encryption string is only considered to be secure for 1-2 years and so certificates should expire and be replaced after no more than 2 years. Note

    • The question is: why is it useful to have certificates expire after a particular amount of time?

      For commercial certificate authorities, it is principally due to revenue generation as you have to pay them again each time you renew the certificate.

      You can (and I encourage you to) create your own certificates with you as the certificate authority. You can specify any amount of time before it expires. How much time you choose before the certificate expires depends on how strongly you feel the encryption method used will stand up to future attacks. One year is probably too short. 100 years is probably too

  • And it's not that of a big deal anyways since this mishap occurred conveniently on your last day @ the job.

  • Yup, my OSX Mail app informed me of that as well. It simply asked me if I wanted to continue. I assumed there was some kind of server problem accessing the certificates. After all, Google couldn't possibly be that incompetent as to let their certs expire. It used to be a common event back in the day, when Netscape 4 was current, that certs would expire all the time. But not now. Too busy snooping in on everyone else, I guess, to bother to check at home.
