Root Certificate For Gmail Expired Over Weekend

While Not Evil, It’s Still Messed Up

Did you find yourself getting fewer emails on your Gmail account over the weekend? If you use a PC client or the web app, there’s a chance you might not have been receiving messages. Why? Well, because the SSL certificate for Google’s intermediate certificate authority expired Saturday. (And a hat tip to the non-trolls over at Slashdot.)


The Great Google Forgetting Timeline

Here’s a breakdown of what happened according to Google Apps status messages posted over the weekend.

  • 4/4/15, 1:21 PM – Google reports they’re looking into reports that people are having problems.
  • 4/4/15, 2:00 PM – Aware of the problem, Google takes action to fix it.
  • 4/4/15, 2:58 PM – They announce it will take about an hour to fix everything.
  • 4/4/15, 3:46 PM – Problem resolved, Google issues apologies all around.

While they quickly fixed the problem, which turned out to be an expired certificate for SMTP services, one of the big questions that remains is what took the widely used email service down for the count.

Google Quiet About Real Reason for Outage?

Google not being super anxious to talk about problems is nothing new. According to Mike Lennon at Security Week, when his publication reached out to the company they were referred to the status messages already posted online (with what sounds like a polite but firm stone wall).

“Google is moving fast to improve security for certificates that create trust online. On the web, they’ve cut certificate lifetimes for Google service down to 3 months – making it harder for bad guys to keep up,” Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, told SecurityWeek. “And they’ve introduced Certificate Transparency to help identify certificate mis-issuance. But, the expiration of one of their intermediate CAs shows how difficult it is even for one of the most advanced security teams to keep up with protecting digital certificates.”

If you recall, Google recently ran into problems with an intermediary certificate provider in Egypt using their own SSL certificate for a domain owned by Google. Yikes.

In Other Google News

The web is also abuzz with talk about Google’s next big search engine update – one that will take into account whether or not a website is easily accessible via mobile devices. Just another reminder that if you’re a big enough company, you can propel changes across the internet. Well, most of the time. (We’re talking to you, Google+). However, this super power can also be used for good purposes. Remember that Google is encouraging more webmasters to use SSL with the goal to get every website to do so by offering SEO advantages to websites using HTTPS.

The SSL Takeaway

When it comes to your SSL certificates, you want to ensure you have a back-up plan to your back-up plan. Imagine you’re Sandra Bullock in Gravity and you’re going to have a really terrible day where everything that can go wrong does go wrong. Plan for that and you might be okay. In all seriousness, keeping track of expiring certificates is part of doing business in the 21st century.
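One way to keep track, as an added example that is not from the original post: an expiry check that looks at every certificate in a served chain rather than only the leaf, since the outage described above came from an intermediate. It assumes its input is the output of `openssl x509 -noout -subject -enddate` run on each certificate; the hostnames, CA names and dates are constructed.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample (invented names and dates): what
# `openssl x509 -noout -subject -enddate` prints when run on each
# certificate of a served chain, leaf first.
SAMPLE = """\
subject=CN = smtp.example.test
notAfter=Jun 30 00:00:00 2015 GMT
subject=CN = Example Intermediate CA
notAfter=Apr  4 12:00:00 2015 GMT
subject=CN = Example Root CA
notAfter=May 21 04:00:00 2022 GMT
"""

def parse_chain(text):
    """Return [(subject, not_after_utc), ...] in the order certs appear."""
    chain, subject = [], None
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "subject":
            subject = value.strip()
        elif key == "notAfter":
            if subject is None:
                raise ValueError("notAfter line without a preceding subject")
            secs = ssl.cert_time_to_seconds(value.strip())
            chain.append((subject, datetime.fromtimestamp(secs, timezone.utc)))
            subject = None
    return chain

def audit(chain, now, warn_days=30):
    """Label every certificate, not just the leaf at depth 0."""
    findings = []
    for depth, (subject, not_after) in enumerate(chain):
        if not_after <= now:
            status = "EXPIRED"
        elif not_after - now <= timedelta(days=warn_days):
            status = "EXPIRING"
        else:
            status = "OK"
        findings.append((depth, subject, status))
    return findings

def chain_deadline(chain):
    """The chain stops validating at its earliest notAfter, whoever owns it."""
    return min(chain, key=lambda entry: entry[1])

if __name__ == "__main__":
    now = datetime(2015, 3, 20, tzinfo=timezone.utc)  # constructed "today"
    for finding in audit(parse_chain(SAMPLE), now):
        print(*finding)
```

With the sample data, a leaf-only check reports nothing for months, while the intermediate is already inside the 30-day warning window.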

Google was quick to react and fix the problem, which is good. They have a lot of smart engineers working for them, but when you work with the team at SSL.com, you’re going to get access to help from security professionals who live and breathe computing safety. Whether you’re a small customer or a large client, we’re here to help ensure your server’s data is secure for all of your visitors.