Original URL: http://www.theregister.co.uk/2008/07/30/gmail_certificate_expiry/
Gmail certificate expiry snafu follows security upgrade
Webmail service POP loses its fizzle
Posted in Enterprise Security, 30th July 2008 15:22 GMT
Update: Google allowed one of its Gmail SSL certificates to expire days after promising users improved webmail security.
Because Google's certificate for IMAP/POP traffic expired on Tuesday, users were confronted by a potentially confusing "invalid certificate" warning. In some cases users may also have been left unable to send email. Google fixed (http://groups.google.com/group/Gmail-Help-Announcements-and-Alerts-en/browse_thread/thread/0948f4f8b9ddb496#) the problem within hours on Tuesday afternoon (US time).
The snafu (http://isc.sans.org/diary.html?storyid=4795) comes less than a week after Gmail improved security (http://www.theregister.co.uk/2008/07/25/gmail_adds_https_only) by making sure users of the popular web mail service go through a secure connection each time they access their account online.
Forgetting to renew a digital certificate can happen to any organisation, as Microsoft and HSBC (among many others) are able to testify. Even though a certificate is out of date, a secure connection with a site can still be established. Google makes it its business to index all the world's data, so its own failure to manage a key domain is an embarrassing faux pas even though no harm, or much inconvenience, was caused.
Reg reader Peter Houppermans, who brought the slip-up to our attention, drily notes that users are now so well trained to blithely click past invalid certificates that this sort of thing should present no great problem. ®
