Slashdot Mirror


Google Let Root Certificate For Gmail Expire

Gr8Apes writes: The certificate for Google's intermediate certificate authority expired Saturday. The certificate was used to issue Gmail's certificate for SMTP, and the expiration at 11:55am EDT caused many e-mail clients to stop receiving Gmail messages. While the problem affected most Gmail users using PC and mobile mail clients, Web access to Gmail was unaffected. I guess Google Calendar failed to notify someone.

104 comments

  1. Re:Lol by Anonymous Coward · · Score: 5, Funny

    Yeah I only use Tinder for all my communication.

  2. Obligatory XKCD by avgjoe62 · · Score: 5, Funny

    This seems so prophetic now:

    Obligatory XKCD Link

    --

    How come Slashdot never gets Slashdotted?

    1. Re:Obligatory XKCD by Anonymous Coward · · Score: 2, Insightful

      Man I love 8.8.8.8

    2. Re:Obligatory XKCD by snowgirl · · Score: 4, Interesting

      You've likely heard of Memegen, the internal Google meme forum?

      Yeah, that comic is a template, and regularly gets rolled out for random things that we were told to focus on... like "self-driving cars" or "nest" or "ionosphere skydiving VPs"

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    3. Re:Obligatory XKCD by X0563511 · · Score: 4, Funny

      Man, 8.8.4.4 never gets any love.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    4. Re:Obligatory XKCD by houstonbofh · · Score: 1

      Shhh! That is why it is lag free... Don't lag my DNS, bud...

    5. Re:Obligatory XKCD by slimjim8094 · · Score: 2

      I work on Public DNS, and we have that printed out and put up on our wall. Made our day when that came out :)

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    6. Re:Obligatory XKCD by Anonymous Coward · · Score: 1

      You know, you could have relatively no lag with a giant monolithic hosts file. Ask APK for details.

    7. Re:Obligatory XKCD by SgtAaron · · Score: 1

      Man I love 8.8.8.8

      I do, too! We did run into a bit of a mess the other day, however, when a domain name somewhat important to us, that was thought to be on auto-renew, was expired. (I know, I know, big screwup) Our registrar then changed the name servers to their own. So we renewed it within a couple of hours, and we generally use our own caching servers, but some of our stuff out there is using google's DNS, and it seems they ignore the TTL for NS records, using their own TTL of, I think, 22600 seconds which equals more than 15.5 days. Ouch! The registrar sets a TTL on those of minutes.

      I imagine it was a decision made to save resources. So, I think if google's DNS servers are being used widely, lesson learned from us if you ever need to change your domain's name servers.

    8. Re:Obligatory XKCD by SgtAaron · · Score: 1

      22600 seconds which equals more than 15.5 days

      Did I just say that? Sheesh, it's more like 6 hours! When doing the math I must have been remembering my boss not in a good mood that day. Still 6 hours was much longer than the few minutes we were expecting.

      Cheers!

    9. Re:Obligatory XKCD by ralphsiegler · · Score: 4, Interesting

      That 8 stuff is for young-un's, we old timers love our 4.2.2.2. Originally BBN Planet's DNS server in 1994, now owned by Level 3.

    10. Re:Obligatory XKCD by Paradise+Pete · · Score: 1

      Thank goodness. I was trying to figure out what planet you might be on.

    11. Re:Obligatory XKCD by Maritz · · Score: 2

      Too bad you can't use a word document, then he could format the hosts file as creatively as his long, meandering, manic and paranoid postings.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    12. Re:Obligatory XKCD by Anonymous Coward · · Score: 0

      only young-uns use 4.2.2.2. Real old timers use 198.6.1.1

    13. Re: Obligatory XKCD by cthulhu11 · · Score: 1

      Alex P. Keaton?

  3. Re:Lol by bulled · · Score: 2

    Lol, I write my patches 160 characters at a time, now to figure out why nothing has been merged...

  4. Lets encrypt by NotInHere · · Score: 1

    As it seems even tech giant google gets it wrong with its own certs. Let's hope that Let's Encrypt will make these problems of yesterday one day.

    1. Re:Lets encrypt by jandrese · · Score: 2

      I always find it amazing that these huge companies with enormous public domains don't have a person whose job description includes managing all of their certs and making sure they don't expire. You could even assign the job to two people just to make sure one of them doesn't get sick or something and miss one.

      --

      I read the internet for the articles.
    2. Re:Lets encrypt by wile_e_wonka · · Score: 1

      I always find it amazing that these huge companies with enormous public domains don't have a person whose job description includes managing all of their certs and making sure they don't expire.

      I bet they do. That's probably the problem--some human screwed up. I am surprised these huge TECHNOLOGY companies with enormous public domains don't have an automated system to keep an eye on these things and auto-renew or alert a human or something. Heck; maybe they do and the alert failed, or alert to human went to spam, etc.

    3. Re:Lets encrypt by houghi · · Score: 2

      Whenever I was in charge, I always saw that there were three people responsible. Because we are in Europe, we would have people having holidays between 20 to 40 days a year, so 1 would be the backup of the first and the second one would be backup for when the second one would be sick when the first one was on a holiday.

      Obviously only group email addresses should be used to contact with external partners, so a followup would be possible.

      People have called me stoopid for doing it that way, but it has saved the company more than once.

      --
      Don't fight for your country, if your country does not fight for you.
    4. Re:Lets encrypt by sycodon · · Score: 4, Interesting

      The internet has become one giant Rube Goldberg machine. Way too many parts and dependencies.

      No, I don't have an alternative, but that's not a requirement to point out that the web seems pretty fragile.

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    5. Re:Lets encrypt by Bing+Tsher+E · · Score: 1

      Email isn't the web, though. As somebody who connects to pop.gmail.com regularly, that point is very clear to me.

    6. Re:Lets encrypt by mrbester · · Score: 2

      The alert was probably sent to a GMail account.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    7. Re:Lets encrypt by gmack · · Score: 1

      That is the sort of Job description that's destined to fail and I would settle for some software that tracks domains, SSL certs etc and notifies (with an off switch when I want something to die) me when things need to be renewed. If you rely on the upstream provider, you end up renewing too much.

      Mind you, in this case, I would not be surprised if they had actually renewed the certificate but didn't catch that the intermediate cert would cause the already issued certs to expire early. As someone else posted: there is something wrong with their setup if they allowed certs to be issued with expiry dates after the intermediate cert.

    8. Re:Lets encrypt by sycodon · · Score: 1

      True...but isn't that kind of like saying a Fax isn't the phone network?

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    9. Re:Lets encrypt by multi+io · · Score: 2

      As it seems even tech giant google gets it wrong with its own certs. Let's hope that Let's Encrypt will make these problems of yesterday one day.

      Well, the web mailer wasn't affected because the site uses different certificates, and neither were Google's other gmail clients, e.g. the Gmail app on Android, because those all use the Gmail API (again, with different certificates) rather than SMTP. So if you're paranoid enough, you may suspect malice rather than sloppiness. :-P

    10. Re:Lets encrypt by Anonymous Coward · · Score: 0

      Have you ever rekeyed a certificate authority? Not nearly as straight forward as you think.

      The problem is that you have a Certificate Chain and that Chain of trust has to all be updated. Every encryption device in their environment with that CA in its chain would need a new trusted root certificate. This is rest assured a pain in the butt, especially for an organization of any size that actually wants security.

      You can automate end-point certificate renewals but when it comes to your CAs that is definitely a manual task and needs to be. Otherwise a security breach could result in a rekey and massive denial of service.

    11. Re:Lets encrypt by Anonymous Coward · · Score: 0

      They did, until they hired some MBA:s to calculate the beans. The MBA army did their math and found out that they could save some money simply by firing the IT-people responsible of certificates. The MBA:s probably even got some bonuses for saving money for the company in one quarter.

    12. Re:Lets encrypt by steveg · · Score: 1

      It's more like saying a fax isn't an answering machine. Both use the phone network, but neither depend on the other.

      --
      Ignorance killed the cat. Curiosity was framed.
    13. Re:Lets encrypt by tlhIngan · · Score: 1

      That is the sort of Job description that's destined to fail and I would settle for some software that tracks domains, SSL certs etc and notifies (with an off switch when I want something to die) me when things need to be renewed. If you rely on the upstream provider, you end up renewing too much.

      Perhaps it's time that SSL libraries provided warnings should the date of expiry come close - say 6 months. Then the SSL library will return a warning along the lines of "The target's SSL certificate will expire in less than 6 months (5 months 30 days 21 hours ...)". If users started getting messages about it they'd bring up a storm to get those certs renewed. And I think 6 months is probably plenty of time to account for someone in charge to notice and start a bureaucratic process to get it renewed.

      And if browsers displayed it, well, users will report their browsers are displaying some yellow gobbledegook about the website.

    14. Re:Lets encrypt by I4ko · · Score: 1

      All you need is the rekey procedure in RFC 4210. It is mind boggling to understand for most, dead simple to do in practice (though not when there is an expiration). But for expiration you don't rekey, you just resign the CSR.

    15. Re:Lets encrypt by johnnys · · Score: 1

      Resigning the CSR reuses the old keys. That's a security error: you're essentially reusing a password.

      A new certificate should be generated using a new set of keys, and the old CSR should be discarded.

      --
      Sometimes the "writing on the wall" is blood spatter...
    16. Re:Lets encrypt by Feral+Nerd · · Score: 1

      I always find it amazing that these huge companies with enormous public domains don't have a person whose job description includes managing all of their certs and making sure they don't expire. You could even assign the job to two people just to make sure one of them doesn't get sick or something and miss one.

      Facebook screwed this up once too. For the better part of a day I could not go anywhere on the internet without getting tiresome sequences of certificate errors every single time I loaded a page with complaints about an expired Facebook certificate. I would not just get errors on pages with those crappy Facebook 'Like' buttons and little commenting plugin or pages that offered logging in with Facebook but even on sites that were serving what looked like pure 1990 something vintage HTML 2.0 pages but under the hood, buried in the page source code were Facebook tags that were presumably put there for tracking. Even though I knew at the time that Facebook, Google, Twitter et al. monitor every move we make on line, this oversight on part of Facebook was an interesting experience for me because it showed me that Facebook's monitoring operation is much more pervasive than I had suspected.

    17. Re:Lets encrypt by houstonbofh · · Score: 1

      Everyone screws this up with certs. Part of this is because they are needlessly complex, and don't really solve the problem they were intended to solve. The entire CA system really needs to die. In a fire. Right now.

    18. Re:Lets encrypt by sexconker · · Score: 1

      Yup. Renewing is backwards. Reissue new every time.

    19. Re: Lets encrypt by Anonymous Coward · · Score: 0

      His first sentence still stands. I assume you use the internet to connect to your pop server which op commented on.

    20. Re: Lets encrypt by Anonymous Coward · · Score: 0

      That person was recently fired

    21. Re: Lets encrypt by chihowa · · Score: 1

      That person was recently fired

      Let's at least hope that the manager responsible for having him sacked was also, in light of these events, sacked.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    22. Re:Lets encrypt by Gr8Apes · · Score: 1

      Considering I have implemented an entire CA chain, yes, I am aware of the massive pain in the ass it is. Also, the real answer here is you never issue a cert with a CA that exceeds the lifetime of the CA's cert. When you get to that point, you issue a new CA cert, and issue new certs based on that new CA cert, and that applies all the way up the chain. That way, you never have this problem. So there's multiple failures here, it's not as simple as it appears on the surface, and makes the failure all the more egregious on Google's part.

      --
      The cesspool just got a check and balance.
    23. Re:Lets encrypt by Gr8Apes · · Score: 1

      I became the SOA for facebook.com, and a few others a long time ago. This is not a problem.

      --
      The cesspool just got a check and balance.
    24. Re:Lets encrypt by Anonymous Coward · · Score: 0

      Why? github.com did that. The GoDaddy intermediate certificate expired a few months ago. Obviously, that means this is standard good practice if they did it. It only means that Chrome and IE are locked out of github.com, but that's a feature not a bug.

    25. Re: Lets encrypt by Paradise+Pete · · Score: 1

      I left a Monty Python sketch laying around here somewhere. Have you seen it? It must be nearby.

    26. Re:Lets encrypt by jafiwam · · Score: 1

      That is the sort of Job description that's destined to fail and I would settle for some software that tracks domains, SSL certs etc and notifies (with an off switch when I want something to die) me when things need to be renewed. If you rely on the upstream provider, you end up renewing too much.

      Perhaps it's time that SSL libraries provided warnings should the date of expiry come close - say 6 months. Then the SSL library will return a warning along the lines of "The target's SSL certificate will expire in less than 6 months (5 months 30 days 21 hours ...)". If users started getting messages about it they'd bring up a storm to get those certs renewed. And I think 6 months is probably plenty of time to account for someone in charge to notice and start a bureaucratic process to get it renewed.

      And if browsers displayed it, well, users will report their browsers are displaying some yellow gobbledegook about the website.

      Google is more interested in their browsers display some yellow gobbledygook about certificates not being on file at their preferred "Public Audit Records" authority. A new standard not meant to be implemented yet. Or, they'll just take the little lock symbol away in newer versions while everybody else follows the actual rules.

      Google is big enough to be stupid, and arrogant at the same time. Congrats, assholes.

    27. Re: Lets encrypt by mrchaotica · · Score: 1

      A llama ate it.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    28. Re:Lets encrypt by Gr8Apes · · Score: 1

      Certs are fine, it's the CA management piece that's lacking, and how browsers deal with it. While cert management sucks with the OS/dev env tools, across the board, you can create a pretty straight forward interface for this process that's a whole lot easier than the provided crap.

      --
      The cesspool just got a check and balance.
  5. Shouldn't be possible by Lorens · · Score: 2

    because you should never sign a cert that has an expiration date later than that of the signing cert !

    1. Re:Shouldn't be possible by Anonymous Coward · · Score: 0

      Right?!
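
The rule stated in this thread (never sign a cert whose expiration date is later than that of the signing cert) can be checked mechanically. The following is an added example, not code from any commenter or from Google: it audits a chain for certs that outlive their issuer and reports the chain's effective expiry, which is the earliest `notAfter` of any cert in it. The dict shape mirrors what Python's `ssl.SSLSocket.getpeercert()` returns; the names, dates and the `audit_chain` and `make_cert` helpers are constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone


def not_after(cert):
    """Parse a getpeercert()-style 'notAfter' string into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def name(cert, field="subject"):
    """Flatten the nested RDN tuples into one comparable, printable string."""
    return ", ".join(f"{k}={v}" for rdn in cert[field] for k, v in rdn)


def audit_chain(chain, now, warn_within=timedelta(days=30)):
    """Audit a chain ordered leaf first, issuer next, trust anchor last.

    Returns the findings plus the chain's effective expiry: validation fails
    as soon as ANY cert in the path expires, not only the leaf.
    """
    findings = []
    for child, issuer in zip(chain, chain[1:]):
        if name(child, "issuer") != name(issuer):
            # The next cert is not the one that signed this one.
            findings.append(("broken-link", name(child)))
            continue
        if not_after(child) > not_after(issuer):
            # Issued with a lifetime longer than the signing cert's: it will
            # stop validating before its own notAfter is reached.
            findings.append(("outlives-issuer", name(child)))

    top = chain[-1]
    limiting = min(chain, key=not_after)
    expires = not_after(limiting)
    if expires <= now:
        status = "expired"
    elif expires - now <= warn_within:
        status = "expiring-soon"
    else:
        status = "ok"

    return {
        "findings": findings,
        "limiting_cert": name(limiting),
        "effective_expiry": expires,
        "status": status,
        # A root is self-signed: subject == issuer.
        "self_signed_root": name(top) == name(top, "issuer"),
    }


def make_cert(cn, issuer_cn, not_after_str):
    """Build a constructed cert dict in the getpeercert() layout."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("commonName", issuer_cn),),),
        "notAfter": not_after_str,
    }


# Constructed sample chain (not real certificates): the leaf was issued with
# a notAfter roughly nine months past its intermediate's.
SAMPLE_CHAIN = [
    make_cert("smtp.mail.example", "Example Intermediate CA",
              "Dec 31 23:59:59 2030 GMT"),
    make_cert("Example Intermediate CA", "Example Root CA",
              "Apr  4 15:55:00 2030 GMT"),
    make_cert("Example Root CA", "Example Root CA",
              "Jan  1 00:00:00 2040 GMT"),
]
SAMPLE_NOW = datetime(2030, 3, 20, tzinfo=timezone.utc)  # constructed "today"

if __name__ == "__main__":
    report = audit_chain(SAMPLE_CHAIN, SAMPLE_NOW)
    print(f"status:           {report['status']}")
    print(f"effective expiry: {report['effective_expiry']:%Y-%m-%d %H:%M} UTC")
    print(f"limited by:       {report['limiting_cert']}")
    for kind, subject in report["findings"]:
        print(f"finding:          {kind}: {subject}")
```

A monitor that only looks at the leaf's `notAfter` would report this sample chain as healthy for months; alerting on the effective expiry catches the intermediate first.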

  6. Google lets Root Cert Expire.. hmm by ZippyTheChicken · · Score: 0

    and I just transferred one of my sites to Google domains hmmmm

  7. LOL ... by gstoddart · · Score: 5, Funny

    I am GRoot.

    --
    Lost at C:>. Found at C.
    1. Re:LOL ... by Anonymous Coward · · Score: 0

      We... are... groot.

  8. Not the only problem by Anonymous Coward · · Score: 0

    Their DNS has been shitting itself recently as well.

    I noticed intermittent problems with it over the past few days, so disabled it.

    Damn it Google, what're ya doin?!

  9. Not uncommon in my world :) by nuckfuts · · Score: 2

    I usually figure out that a cert has expired when something breaks. For example, I like to use free certs from StartSSL on Exchange Servers. When they expire, people get warnings when accessing OWA, or smartphones stop connecting.

    If it happens to be on an SBS Server it can really be a pain, however, since it will stop working as a Terminal Services Gateway, making it difficult to log back on and replace the cert.

    1. Re:Not uncommon in my world :) by Anonymous Coward · · Score: 0

      startssl notifies me two weeks prior to my cert expiring, but otherwise I have the same problem...

  10. And the layman's translation is what again? by UnknownSoldier · · Score: 0

    The article summary doesn't pass the mother test. i.e. If you can't explain the topic to your mother, the summary is not plain enough, and not descriptive enough.

    * How does this a normal user?
    * What can they or not do now?
    * What do they have watch out for?

    1. Re:And the layman's translation is what again? by wonkey_monkey · · Score: 4, Funny

      As much as I like to take issue when a summary truly is unenlightening and makes unreasonable expectations of readers, I don't think this is such a case. Slashdot isn't a general news site, and does have a specific target readership, the vast majority of which are going to know what a certificate is and what SMTP is.

      And anyway, whose mother? Some mothers would need the meaning of "ISP" spelled out for them over several sentences. Some mothers don't have even a vague grasp of what the internet is. Where do you draw the line?

      At least it wouldn't be over the head of this mom.

      * How does this [-] a normal user?
      * What can they [-] or not do now?
      * What do they have [-] watch out for?

      Blimey, if you want to talk about clarity...

      --
      systemd is Roko's Basilisk.
    2. Re:And the layman's translation is what again? by Bruce+Perens · · Score: 1

      The article summary doesn't pass the mother test.

      Dear Mom,

      Please send UnknownSoldier to computer science school.

      Explanation: he doesn't understand basic things about digital cryptographic trust systems used on the Internet.

      Thank you.

      :-)

    3. Re:And the layman's translation is what again? by snowgirl · · Score: 2

      Some mothers also could run circles around you talking about the internet...

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    4. Re:And the layman's translation is what again? by Anonymous Coward · · Score: 0

      Most CS programs don't teach it. You just get taught to be a Java monkey in most.

  11. happened Saturday by Anonymous Coward · · Score: 0

    On /. Tuesday. Must not be such a big deal otherwise it would have been posted sooner....probably was noticed when that one person who uses google+ tried to make a post.

    1. Re:happened Saturday by tompaulco · · Score: 1

      Who sets something up to expire on a weekend, anyway?

      --
      If you are not allowed to question your government then the government has answered your question.
    2. Re:happened Saturday by houstonbofh · · Score: 1

      All the slashdot users with gmail couldn't tell anyone.

  12. I doubt it by koan · · Score: 3, Insightful

    I just don't see Google slipping up by "forgetting" (how can you excuse that in this day and age?)
    I think something else happened.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:I doubt it by gstoddart · · Score: 3, Interesting

      Honestly, Microsoft has let the domain for Hotmail expire. In fact, they've done it more than once.

      Never underestimate the human capacity to fuck something up.

      --
      Lost at C:>. Found at C.
    2. Re:I doubt it by wonkey_monkey · · Score: 1

      I think something else happened.

      Can you think of a more likely explanation for the events?

      --
      systemd is Roko's Basilisk.
    3. Re:I doubt it by bzipitidoo · · Score: 2

      Hardly that. Many major sites have slipped. Only a few weeks ago, Mozilla let one of their certs expire.

      Making passwords expire every 90 days was dumb. All those systems that couldn't handle Y2K were problems. But for certs to fail on a specific date is a design feature.

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
  13. Re:Lol by Anonymous Coward · · Score: 0

    bahahahaha

  14. Staff? by slazzy · · Score: 1

    You'd think a company the size of google would have a full time employee dedicated to renewing domain names, certificates and other digital subscriptions of great importance.

    --
    Website Just Down For Me? Find out
    1. Re: Staff? by Anonymous Coward · · Score: 0

      It's Sergey's job but he was too busy screwing stewardess on the G-Jet.

    2. Re:Staff? by GuB-42 · · Score: 1

      They probably do, but maybe he was on holidays and he forgot to relay the notification to the person replacing him, at the same time the guy responsible for the SMTP service saw the problem but because it's the job of guy of the SSL service, he didn't do anything and...
      No company is immune to this kind of problem, and certainly not the big ones. I've seen extremely stupid things, such as a power outage because the company forgot to pay the utility bill despite several reminders.

  15. LOL by Anonymous Coward · · Score: 1

    When we bought our $50k accounting system some years ago we went to Colorado for the training class.

    The license had expired on the in-house training system, not noticed til we sat down to train, and it took their tech an hour to get around it :) Ooops
    They did it right in front of me...so much for security.

    One would think you could manage to keep the system up to date when you are BOTH the vendor AND the customer....hehe

  16. Just clients? by multi+io · · Score: 4, Informative

    The certificate was used to issue Gmail's certificate for SMTP, and the expiration at 11:55am EDT caused many e-mail clients to stop receiving Gmail messages

    If the certificate was "for SMTP", the problem would have affected not just end users, but also peers, i.e. other e-mail providers who wanted to deliver mail to @gmail.com addresses. Or at least they may have automatically fallen back to unencrypted SMTP delivery (which was pretty much the default before Snowden, but anyway).

    1. Re:Just clients? by Anonymous Coward · · Score: 0

      Not exactly. Most SMTP servers will use an expired cert, with a notice placed in the message and/or logs, over no encryption at all.

  17. title wrong by fugas · · Score: 5, Informative

    "Google Internet Authority G2" is NOT a root certificate (subject != issuer).

    1. Re:title wrong by Gr8Apes · · Score: 1

      it was the root cert for gmail, it's not a root cert for a CA.

      --
      The cesspool just got a check and balance.
  18. Not uncommon in the Exchange world :) by Anonymous Coward · · Score: 0

    From my experience dealing with Microsoft Exchange administrators, this comes as no surprise.

    However, when people running high-performance, FOSS mailservers forget to get fresh certs before the old ones expire they are ridiculed and many even lose their jobs. There's a higher level of competence expected, I guess.

    1. Re:Not uncommon in the Exchange world :) by jader3rd · · Score: 0

      From my experience dealing with Microsoft Exchange administrators, this comes as no surprise.

      However, when people running high-performance, FOSS mailservers forget to get fresh certs before the old ones expire they are ridiculed and many even lose their jobs. There's a higher level of competence expected, I guess.

      You're right, it totally sucks to have software that seems to be able to perform, without a crack team of competent professionals holding it together each day. All software should require massive amounts of 'competence' to manage it, instead of being able to just do what the user wanted it to do.

    2. Re:Not uncommon in the Exchange world :) by Anonymous Coward · · Score: 0

      Ha ha!

      software that seems to be able to perform

      Yeah, that's exactly what I want from my email server!

    3. Re:Not uncommon in the Exchange world :) by nuckfuts · · Score: 1

      That's a pretty high horse you're on there.

      This has nothing to do with closed source vs. FOSS. The examples I was referring to are small, non-critical applications where nobody needs to get fired because a cert warning appeared in someone's browser.

  19. Re:Lol by Anonymous Coward · · Score: 0

    Lies. You use grinder, faggot.

    It's Grindr Troll.

  20. Google has been degrading rapidly. by Futurepower(R) · · Score: 3, Interesting

    wonkey_monkey, I'm guessing you are actually wonkey_human.

    Yes, I think I have an explanation. Google has been degrading rapidly. More and more Google is out of control. To me, that is very sad. For years, Google was an amazingly excellent company.

    The Google traffic map near Portland, Oregon shows traffic accidents in Seattle, 3 hours away. The design of the text in the upper left corner of Google maps is very poor.

    There are many other issues of that nature.

    1. Re: Google has been degrading rapidly. by koan · · Score: 1

      Yeah you have a point there, they do seem to be declining and is it just me or does youtube have the worst interface ever.

      --
      "If any question why we died, Tell them because our fathers lied."
    2. Re: Google has been degrading rapidly. by Anonymous Coward · · Score: 0

      Forced read receipts on hangouts so fucking creepy and annoying, terrible gmail javascript overlay viewer, terrible gmail compose, hangouts VERY unreliable, killed statuses, killed google reader, forced real names on users then realized what a major fuck up it was and backpedaled on it. Everything has flopped since their IPO. no one wants their self driving cars and other companies are working on that already now. no one wanted their stupid google glass. they've blown money on failure after failure since their ipo. what single successful product have they had since their ipo? the only thing i can still respect from them is the new chrome pixel. the new maps is terrible, bloated and slow. i could make a list that goes on and on. their products now are about arbitrary decisions in the name of "design". very very sad.

  21. easy one by marcello_dl · · Score: 1

    The message I get is: "we don't like when you use a mail client to access gmail, we'd rather prefer the web interface, potentially monitoring your behavior down to the keypress and the time before you scroll past that pic, and not letting you store the content on your PC by default. So let's start by not caring about that cert expiration, let's see what the public reactions are."

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    1. Re:easy one by Anonymous Coward · · Score: 0

      No one gives a shit about the furry porn mailing lists you're subscribed to.

    2. Re:easy one by Gr8Apes · · Score: 1

      I installed Chrome specifically to deal with Google, and only Google. It's almost like a self-contained dedicated mail/calendaring program, although the interface sucks compared to my desired mail programs so I don't often use it. Seems to keep Google out of my real browser's history as a bonus.

      --
      The cesspool just got a check and balance.
    3. Re:easy one by Neil+Boekend · · Score: 1

      Only if your "real browser" runs NoScript or something similar.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    4. Re:easy one by Gr8Apes · · Score: 1

      Only if your "real browser" runs NoScript or something similar.

      Precisely.

      --
      The cesspool just got a check and balance.
    5. Re:easy one by Anonymous Coward · · Score: 0

      yes, and google just wants to give away gigabytes of storage for no particular reason. Captcha -> capacity.

  22. Re:Lol by Anonymous Coward · · Score: 0

    Thus proving my point.

  23. Why is it good that certificates expire? by Jeremi · · Score: 1

    Sorry, I know this is a really basic question, but a quick Google search didn't turn up any satisfying answers.

    The question is: why is it useful to have certificates expire after a particular amount of time? Isn't that similar to writing a program that contains a bug that will cause it to automatically stop working in (so many months/years)?

    The only reason I can think of is that if the certificate was compromised this would make sure that people eventually stopped using it; OTOH if the certificate is compromised you'd want people to stop using it immediately, not wait (however many) months/years before stopping; so presumably this wouldn't be a sufficient mechanism to handle that use case anyway.

    --


    I don't care if it's 90,000 hectares. That lake was not my doing.
    1. Re:Why is it good that certificates expire? by Anonymous Coward · · Score: 4, Informative

      From IBM:

      Question
      FAQ: Why do certificates have an expiration date? (SCI97674)
      Answer
      Digital certificates are breakable and are only considered to be secure for a limited period of time. As of 2006, a certificate based on the standard 1024 bit encryption string is only considered to be secure for 1-2 years and so certificates should expire and be replaced after no more than 2 years. Note

    2. Re:Why is it good that certificates expire? by dcollins117 · · Score: 1

      The question is: why is it useful to have certificates expire after a particular amount of time?

      For commercial certificate authorities, it is principally due to revenue generation as you have to pay them again each time you renew the certificate.

      You can (and I encourage you to) create your own certificates with you as the certificate authority. You can specify any amount of time before it expires. How much time you choose before the certificate expires depends on how strongly you feel the encryption method used will stand up to future attacks. One year is probably too short. 100 years is probably too long. Pick a number that you are comfortable with, and send yourself an alert before it expires.

  24. Re:Lol by Anonymous Coward · · Score: 0

    Shouldn't you be hanging out in the men's bathroom or voting against marriage equality, senator?

  25. Schmidt IS A Nasty Guy by Anonymous Coward · · Score: 0

    This is all Eric Schmidt (Schmidt as in Shit).

    The best thing in the next 48 hours for Google is that Eric "Schmidt" j-walks and gets dis-embodyed by a Budweiser Beer Truck.

    Yes! Miracles Can Happen. YES!

    Ha ha

    1. Re:Schmidt IS A Nasty Guy by Anonymous Coward · · Score: 0

      You are wrong, things went downhill AFTER he left the role of CEO. You have NO idea what you're talking about and I mean no personal offense. Google is fucked unless someone at the very top wakes the fucking hell up, but odds are momentum now in place will almost surely take its course in similar enough way it did at Microsoft and Yahoo.

  26. Re:Lol by Anonymous Coward · · Score: 0

    What is equality? Can all humans be perfectly equal? Why do you ask such things of people to be?

  27. It's ok to forget these postmaster... by Kekke · · Score: 1

    And it's not that of a big deal anyways since this mishap occurred conveniently on your last day @ the job.

  28. Aha! by doccus · · Score: 1

    Yup, my OSX Mail app informed me of that as well. It simply asked me if I wanted to continue. I assumed there was some kind of server problem accessing the certificates. After all, Google couldn't possibly be that incompetent as to let their certs expire. It used to be a common event back in the day, when Netscape 4 was current, that certs would expire all the time. But not now. Too busy snooping in on everyone else , I guess, to bother to check at home..

  29. Re: Lol by Anonymous Coward · · Score: 0

    Ha looking for friends lol