Google Lets SMTP Certificate Expire

Whoops! Google on Saturday let a digital certificate expire that was used to secure its smtp.google.com domain, the domain used by Gmail and Google Apps users to send outgoing email.

The certificate was issued by Google Internet Certificate Authority G2, which issues digital certificates for Google web sites and properties.

Users took to Twitter on Saturday to vent as many received security warnings from email clients such as Microsoft Outlook when attempts were made to connect securely to smtp.google.com.

“This Certificate has an Invalid Issuer,” was one message seen by SecurityWeek in Microsoft Outlook for Mac as of Saturday morning.

Unable to establish a secure connection to the server because the correct root certificate is not installed.

According to Google, Google Internet Authority G2 is operated in accordance with the latest version of the CA/Browser Forum Baseline Requirements and is signed by the GeoTrust Global CA.

“We’re aware of a problem with Gmail affecting a majority of users. The affected users are able to access Gmail, but are seeing error messages and/or other unexpected behavior,” Google posted to its Gmail status page Saturday afternoon.

At 3:46PM, Google posted another update to say the issue had been resolved, but without any explanation of what happened.

“The problem with Gmail should be resolved. We apologize for the inconvenience and thank you for your patience and continued support. Please rest assured that system reliability is a top priority at Google, and we are making continuous improvements to make our systems better,” the update said.

A check by online service SSL Shopper earlier on Saturday showed one of the root or intermediate certificates expired on April 4, 2015, more specifically the second certificate in the chain of trust as detailed below. The certificate in question has since been renewed and is now set to expire on Dec. 31, 2016.  

smtp.gmail.com Chain Expired
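The kind of chain check described above, as an added example (not code from SecurityWeek, Google or SSL Shopper): it audits every certificate in a chain rather than only the leaf, so an expired intermediate is reported by its position. The subject names, serial numbers, times of day and check time are constructed placeholders; only the April 4, 2015 expiry date is taken from the article.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample: output of `openssl x509 -noout -serial -subject -enddate`
# for each certificate of a chain, leaf first. Names, serials and times of day
# are placeholders; only the 4 April 2015 expiry date comes from the article.
SAMPLE_CHAIN = """\
serial=0A0A0A0A
subject=CN = smtp.example.test
notAfter=Jun 30 00:00:00 2015 GMT

serial=0B0B0B0B
subject=CN = Example Intermediate CA
notAfter=Apr  4 15:15:55 2015 GMT

serial=0C0C0C0C
subject=CN = Example Root CA
notAfter=May 21 04:00:00 2022 GMT
"""


def parse_chain(text):
    """Return one dict per certificate, in chain order (leaf first)."""
    chain = []
    for block in text.strip().split("\n\n"):
        fields = dict(line.split("=", 1) for line in block.splitlines())
        seconds = ssl.cert_time_to_seconds(fields["notAfter"])
        fields["not_after"] = datetime.fromtimestamp(seconds, tz=timezone.utc)
        chain.append(fields)
    return chain


def audit_chain(chain, now, warn_days=30):
    """Return per-certificate status rows and the position that limits the chain."""
    rows = []
    for position, cert in enumerate(chain, start=1):
        days_left = (cert["not_after"] - now).total_seconds() / 86400
        status = "EXPIRED" if days_left < 0 else "EXPIRING" if days_left < warn_days else "OK"
        rows.append((position, cert["subject"], cert["serial"], status))
    # The chain stops validating at the earliest notAfter, wherever it sits.
    limiting = min(rows, key=lambda r: chain[r[0] - 1]["not_after"])[0]
    return rows, limiting


if __name__ == "__main__":
    now = datetime(2015, 4, 4, 18, 0, tzinfo=timezone.utc)  # constructed check time
    rows, limiting = audit_chain(parse_chain(SAMPLE_CHAIN), now)
    for row in rows:
        print(*row)
    print("chain validity is bounded by certificate", limiting)
```

A monitor that alerts only on the leaf's `notAfter` would have reported this sample chain as healthy for months after clients began rejecting it.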

Contacted by SecurityWeek, a Google spokesperson pointed to the online status page, adding that Google “likely won’t have a comment beyond that.”

“Google is moving fast to improve security for certificates that create trust online. On the web, they’ve cut certificate lifetimes for Google service down to 3 months – making it harder for bad guys to keep up,” Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, told SecurityWeek. “And they’ve introduced Certificate Transparency to help identify certificate mis-issuance. But, the expiration of one of their intermediate CA shows how difficult it is even for one of the most advanced security teams to keep up with protecting digital certificates.”

“Technically, stopping certificate outages is just keeping track of dates and serial numbers,” Bocek continued. “But of course the problem is much bigger. It’s challenging whether you’re Google, a retailer, a health insurer, or a bank. Understanding what’s trusted, not trusted, and when it should be trusted is really difficult. Without an active immune system to keep certificates in check, at best you get certificate expirations and downtime. At worst, you get the misuse of certificates like we’ve seen against Google and Microsoft in the last two weeks.”

*Updated with additional information, response from Google, comment from Venafi

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
