Whoops! Google on Saturday let a digital certificate expire that was used to secure its smtp.google.com domain, the domain used by Gmail and Google Apps users to send outgoing email.
The certificate was issued by Google Internet Certificate Authority G2, which issues digital certificates for Google web sites and properties.
Users took to Twitter on Saturday to vent as many recieved security warnings from email clients such as Microsoft Outlook when attempts were made to connect securely to smtp.google.com.
“This Certificate has an Invalid Issuer,” was one message seen by SecurityWeek in Microsoft Outlook for Mac as of Saturday morning.
According to Google, Google Internet Authority G2 is operated in accordance with the latest version of the CA/Browser Forum Baseline Requirements and is signed by the GeoTrust Global CA.
“We’re aware of a problem with Gmail affecting a majority of users. The affected users are able to access Gmail, but are seeing error messages and/or other unexpected behavior,” Google posted to its Gmail status page Saturday afternoon.
At 3:46PM, Google posted another update to say the issue has been resolved, but without any explaination of what happened.
“The problem with Gmail should be resolved. We apologize for the inconvenience and thank you for your patience and continued support. Please rest assured that system reliability is a top priority at Google, and we are making continuous improvements to make our systems better,” the update said.
A check by online service SSL Shopper earlier on Saturday showed one of the root or intermediate certificates expired on April 4, 2015, more specifically the second certificate in the chain of trust as detailed below. The certificate in question has since been renewed and is now set to expire on Dec. 31, 2016.
Contacted by SecurityWeek, a Google spokesperson pointed to the online status page, adding that Google “likely won’t have a comment beyond that.”
“Google is moving fast to improve security for certificates that create trust online. On the web, they’ve cut certificate lifetimes for Google service down to 3 months – making it harder for bad guys to keep up,” Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, told SecurityWeek. “And they’ve introduced Certificate Transparency to help identify certificate mis-ssuance. But, the expiration of one of their intermediate CA shows how difficult it is even for one of the most advanced security teams to keep up with protecting digital certificates.”
“Technically, stopping certificate outages is just keeping track of dates and serial numbers,” Bocek continued. “But of course the problem is much bigger. It’s challenging whether you’re Google, a retailer, a health insurer, or a bank. Understanding what’s trust, not trusted, and when it should be trusted is really difficult. Without an active immune system to keep certificates in check, at best you get certificate expirations and downtime. At worst, you get the misuse of certificates like we’ve seen against Google and Microsoft in the last two weeks.”
*Updated with additional information, response from Google, comment from Venafi