Whoops! Google on Saturday let a digital certificate expire that was used to secure its smtp.google.com domain, the domain used by Gmail and Google Apps users to send outgoing email.
The certificate was issued by Google Internet Certificate Authority G2, which issues digital certificates for Google web sites and properties.
Users took to Twitter on Saturday to vent as many received security warnings from email clients such as Microsoft Outlook when attempts were made to connect securely to smtp.google.com.
“This Certificate has an Invalid Issuer,” was one message seen by SecurityWeek in Microsoft Outlook for Mac as of Saturday morning.
According to Google, Google Internet Authority G2 is operated in accordance with the latest version of the CA/Browser Forum Baseline Requirements and is signed by the GeoTrust Global CA.
“We’re aware of a problem with Gmail affecting a majority of users. The affected users are able to access Gmail, but are seeing error messages and/or other unexpected behavior,” Google posted to its Gmail status page Saturday afternoon.
At 3:46PM, Google posted another update to say the issue had been resolved, but without any explanation of what happened.
“The problem with Gmail should be resolved. We apologize for the inconvenience and thank you for your patience and continued support. Please rest assured that system reliability is a top priority at Google, and we are making continuous improvements to make our systems better,” the update said.
A check by online service SSL Shopper earlier on Saturday showed that one of the root or intermediate certificates expired on April 4, 2015: specifically, the second certificate in the chain of trust. The certificate in question has since been renewed and is now set to expire on Dec. 31, 2016.
Contacted by SecurityWeek, a Google spokesperson pointed to the online status page, adding that Google “likely won’t have a comment beyond that.”
“Google is moving fast to improve security for certificates that create trust online. On the web, they’ve cut certificate lifetimes for Google service down to 3 months – making it harder for bad guys to keep up,” Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, told SecurityWeek. “And they’ve introduced Certificate Transparency to help identify certificate mis-issuance. But, the expiration of one of their intermediate CAs shows how difficult it is even for one of the most advanced security teams to keep up with protecting digital certificates.”
“Technically, stopping certificate outages is just keeping track of dates and serial numbers,” Bocek continued. “But of course the problem is much bigger. It’s challenging whether you’re Google, a retailer, a health insurer, or a bank. Understanding what’s trusted, not trusted, and when it should be trusted is really difficult. Without an active immune system to keep certificates in check, at best you get certificate expirations and downtime. At worst, you get the misuse of certificates like we’ve seen against Google and Microsoft in the last two weeks.”
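The failure described above was an expired intermediate, not an expired server certificate, so an expiry monitor that looks only at the leaf would have reported nothing wrong. The sketch below is an added example, not code from Google, SSL Shopper or Venafi: it audits every certificate in a chain, taking as input the text that `openssl x509 -noout -subject -enddate` prints for each certificate. All subject names, dates and the clock value are constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample: output of `openssl x509 -noout -subject -enddate`
# run on each certificate a server presents, leaf first. Names and
# dates are invented for illustration.
SAMPLE_CHAIN = """\
subject=CN = smtp.example.test
notAfter=Dec 30 00:00:00 2015 GMT
subject=CN = Example Intermediate CA
notAfter=Apr  4 15:00:00 2015 GMT
subject=CN = Example Root CA
notAfter=May 21 04:00:00 2022 GMT
"""

def parse_chain(text):
    """Return [(position, subject, not_after)], position 0 being the leaf."""
    chain, subject = [], None
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "subject":
            subject = value.strip()
        elif key == "notAfter" and subject is not None:
            ts = ssl.cert_time_to_seconds(value.strip())
            chain.append((len(chain), subject,
                          datetime.fromtimestamp(ts, timezone.utc)))
            subject = None
    return chain

def audit_chain(chain, now, warn=timedelta(days=30)):
    """Classify every link in the chain, not only the leaf."""
    findings = []
    for pos, subject, not_after in chain:
        if not_after <= now:
            status = "EXPIRED"
        elif not_after - now <= warn:
            status = "EXPIRING"
        else:
            status = "OK"
        findings.append((pos, subject, status))
    return findings

def weakest_link(chain):
    """The chain stops validating at the earliest notAfter of any link."""
    return min(chain, key=lambda link: link[2])

if __name__ == "__main__":
    chain = parse_chain(SAMPLE_CHAIN)
    now = datetime(2015, 4, 4, 16, 0, tzinfo=timezone.utc)  # constructed clock
    print("leaf only :", audit_chain(chain[:1], now))
    print("full chain:", audit_chain(chain, now))
    print("valid until:", weakest_link(chain))
```

With the constructed clock, the leaf-only view reports the server certificate as healthy while the full-chain audit flags position 1, the intermediate, as expired.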
*Updated with additional information, response from Google, comment from Venafi

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
