Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Google Lets SMTP Certificate Expire

Whoops! Google on Saturday let a digital certificate expire that was used to secure its smtp.google.com domain, the domain used by Gmail and Google Apps users to send outgoing email.

Whoops! Google on Saturday let a digital certificate expire that was used to secure its smtp.google.com domain, the domain used by Gmail and Google Apps users to send outgoing email.

The certificate was issued by Google Internet Certificate Authority G2, which issues digital certificates for Google web sites and properties.

Users took to Twitter on Saturday to vent as many recieved security warnings from email clients such as Microsoft Outlook when attempts were made to connect securely to smtp.google.com.  

“This Certificate has an Invalid Issuer,” was one message seen by SecurityWeek in Microsoft Outlook for Mac as of Saturday morning.

Unable to establish a secure connection to the server because the correct root certificate is not installed.

According to Google, Google Internet Authority G2 is operated in accordance with the latest version of the CA/Browser Forum Baseline Requirements and is signed by the GeoTrust Global CA.

“We’re aware of a problem with Gmail affecting a majority of users. The affected users are able to access Gmail, but are seeing error messages and/or other unexpected behavior,” Google posted to its Gmail status page Saturday afternoon.

At 3:46PM, Google posted another update to say the issue has been resolved, but without any explaination of what happened.

Advertisement. Scroll to continue reading.

“The problem with Gmail should be resolved. We apologize for the inconvenience and thank you for your patience and continued support. Please rest assured that system reliability is a top priority at Google, and we are making continuous improvements to make our systems better,” the update said.

A check by online service SSL Shopper earlier on Saturday showed one of the root or intermediate certificates expired on April 4, 2015, more specifically the second certificate in the chain of trust as detailed below. The certificate in question has since been renewed and is now set to expire on Dec. 31, 2016.  

smtp.gmail.com Chain Expired

Contacted by SecurityWeek, a Google spokesperson pointed to the online status page, adding that Google “likely won’t have a comment beyond that.”

“Google is moving fast to improve security for certificates that create trust online. On the web, they’ve cut certificate lifetimes for Google service down to 3 months – making it harder for bad guys to keep up,” Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, told SecurityWeek. “And they’ve introduced Certificate Transparency to help identify certificate mis-ssuance. But, the expiration of one of their intermediate CA shows how difficult it is even for one of the most advanced security teams to keep up with protecting digital certificates.”

“Technically, stopping certificate outages is just keeping track of dates and serial numbers,” Bocek continued. “But of course the problem is much bigger. It’s challenging whether you’re Google, a retailer, a health insurer, or a bank. Understanding what’s trust, not trusted, and when it should be trusted is really difficult. Without an active immune system to keep certificates in check, at best you get certificate expirations and downtime. At worst, you get the misuse of certificates like we’ve seen against Google and Microsoft in the last two weeks.”

 

*Updated with additional information, response from Google, comment from Venafi

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...