Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Let Root Certificate For Gmail Expire

Posted by Soulskill on from the happens-to-the-best-of-us dept.

Gr8Apes writes: The certificate for Google's intermediate certificate authority expired Saturday. The certificate was used to issue Gmail's certificate for SMTP, and the expiration at 11:55am EDT caused many e-mail clients to stop receiving Gmail messages. While the problem affected most Gmail users using PC and mobile mail clients, Web access to Gmail was unaffected. I guess Google Calendar failed to notify someone.

26 of 104 comments (clear)

  1. Re:Lol by Anonymous Coward · · Score: 5, Funny

    Yeah I only use Tinder for all my communication.

  2. Obligatory XKCD by avgjoe62 · · Score: 5, Funny

    This seems so prophetic now:

    Obligatory XKCD Link

    --

    How come Slashdot never gets Slashdotted?

    1. Re:Obligatory XKCD by Anonymous Coward · · Score: 2, Insightful

      Man I love 8.8.8.8

    2. Re:Obligatory XKCD by snowgirl · · Score: 4, Interesting

      You've likely heard of Memegen, the internal Google meme forum?

      Yeah, that comic is a template, and regularly gets rolled out for random things that we were told to focus on... like "self-driving cars" or "nest" or "ionosphere skydiving VPs"

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    3. Re:Obligatory XKCD by X0563511 · · Score: 4, Funny

      Man, 8.8.4.4 never gets any love.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    4. Re:Obligatory XKCD by slimjim8094 · · Score: 2

      I work on Public DNS, and we have that printed out and put up on our wall. Made our day when that came out :)

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    5. Re:Obligatory XKCD by ralphsiegler · · Score: 4, Interesting

      That 8 stuff is for young-un's, we old timers love our 4.2.2.2 Originally BBN Planet 's DNS server in 1994, now owned by Level 3

    6. Re:Obligatory XKCD by Maritz · · Score: 2

      Too bad you can't use a word document, then he could format the hosts file as creatively as his long, meandering, manic and paranoid postings.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  3. Re:Lol by bulled · · Score: 2

    Lol, I write my patches 160 characters at a time, now to figure out why nothing has been merged...

  4. Shouldn't be possible by Lorens · · Score: 2

    because you should never sign a cert that has an expiration date later that that of the signing cert !

  5. Re:Lets encrypt by jandrese · · Score: 2

    I always find it amazing that these huge companies with enormous public domains don't have a person who's job description includes managing all of their certs and making sure they don't expire. You could even assign the job to two people just to make sure one of them doesn't get sick or something and miss one.

    --

    I read the internet for the articles.
  6. LOL ... by gstoddart · · Score: 5, Funny

    I am GRoot.

    --
    Lost at C:>. Found at C.
  7. Not uncommon in my world :) by nuckfuts · · Score: 2

    I usually figure out that a cert has expired when something breaks. For example, I like to use free certs from StartSSL on Exchange Servers. When they expire, people get warnings when accessing OWA, or smartphones stop connecting.

    If it happens to be on an SBS Server it can really be a pain, however, since it will stop working as a Terminal Services Gateway, making it difficult to log back on and replace the cert.

  8. Re:Lets encrypt by houghi · · Score: 2

    Whever I was in charge, I always saw that there where three people responsible. Because we are in Europe, we would have people having holidays between 20 to 40 days a year, so 1 would be the backup of the first and the second one would be backup for when the second one would be sick when the first one was on a holiday.

    Obviously only group email adresses should be used to contact with external partners, so a followup would be possible.

    People have called me stoopid for doing it that way, but it has saved the company more than once.

    --
    Don't fight for your country, if your country does not fight for you.
  9. Re:Lets encrypt by sycodon · · Score: 4, Interesting

    The internet has become one giant Rube Goldberg machine. Way too many parts and dependencies.

    No, I don't have an alternative, but that's not a requirement to point out that the web seems pretty fragile.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
  10. I doubt it by koan · · Score: 3, Insightful

    I just don't see Google slipping up by "forgetting" (how can you excuse that in this day and age?)
    I think something else happened.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:I doubt it by gstoddart · · Score: 3, Interesting

      Honestly, Microsoft has let the domain for Hotmail expire. In fact, they've done it more than once.

      Never underestimate the human capacity to fuck something up.

      --
      Lost at C:>. Found at C.
    2. Re:I doubt it by bzipitidoo · · Score: 2

      Hardly that. Many major sites have slipped. Only a few weeks ago, Mozilla let one of their certs expire.

      Making passwords expire every 90 days was dumb. All those systems that couldn't handle Y2K were problems. But for certs to fail on a specific date is a design feature.

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
  11. Re:Lets encrypt by mrbester · · Score: 2

    The alert was probably sent to a GMail account.

    --
    "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
  12. Re:And the layman's translation is what again? by wonkey_monkey · · Score: 4, Funny

    As much as I like to take issue when a summary truly is unenlightening and makes unreasonable expectations of readers, I don't think this is such a case. Slashdot isn't a general news site, and does have a specific target readership, the vast majority of which are going to know what a certificate is and what SMTP is.

    And anyway, whose mother? Some mothers would need the meaning of "ISP" spelled out for them over several sentences. Some mothers don't have even a vague grasp of what the internet is. Where do you draw the line?

    At least it wouldn't be over the head of this mom.

    * How does this [-] a normal user?
    * What can they [-] or not do now?
    * What do they have [-] watch out for?

    Blimey, if you want to talk about clarity...

    --
    systemd is Roko's Basilisk.
  13. Just clients? by multi+io · · Score: 4, Informative

    The certificate was used to issue Gmail's certificate for SMTP, and the expiration at 11:55am EDT caused many e-mail clients to stop receiving Gmail messages

    If the certificate was "for SMTP", the problem would have affected not just end users, but also peers, i.e. other e-mail providers who wanted to deliver mail to @gmail.com addresses. Or at least they may have automatically fallen back to unencrypted SMTP delivery (which was pretty much the default before Snowden, but anyway).

  14. Re:Lets encrypt by multi+io · · Score: 2

    As it seems even tech giant google gets it wrong with its own certs. Lets hope that Let's Encrypt will make these problems of yesterday one day.

    Well, the web mailer wasn't affected because the site uses different certificates, and neither were Google's other gmail clients, e.g. the Gmail app on Android, because those all use the Gmail API (again, with different certificates) rather than SMTP. So if you're paranoid enough, you may suspect malice rather than sloppiness. :-P

  15. title wrong by fugas · · Score: 5, Informative

    "Google Internet Authority G2" is NOT a root certificate (subject != issuer).

  16. Re:And the layman's translation is what again? by snowgirl · · Score: 2

    Some mothers also could run circles around you talking about the internet...

    --
    WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
  17. Google has been degrading rapidly. by Futurepower(R) · · Score: 3, Interesting

    wonkey_monkey, I'm guessing you are actually wonkey_human.

    Yes, I think I have an explanation. Google has been degrading rapidly. More and more Google is out of control. To me, that is very sad. For years, Google was an amazingly excellent company.

    The Google traffic map near Portland, Oregon shows traffic accidents in Seattle, 3 hours away. The design of the text in the upper left corner of Google maps is very poor.

    There are many other issues of that nature.

  18. Re:Why is it good that certificates expire? by Anonymous Coward · · Score: 4, Informative

    From IBM:

    Question
    FAQ: Why do certificates have an expiration date? (SCI97674)
    Answer
    Digital certificates are breakable and are only considered to be secure for a limited period of time.? As of 2006, a? certificate based on? the standard? 1024 bit encryption string is only considered to be secure for 1-2 years and so certificates should expire and be replaced after no more than 2 years. Note