Gmail certificate expiry snafu follows security upgrade

Google allowed one of its Gmail SSL certificates to expire days after promising users improved webmail security. Because Google's certificate for IMAP/POP traffic expired on Tuesday, users were confronted by a potentially confusing "invalid certificate" warning. In some cases users may also have been left unable to send email. …

COMMENTS

This topic is closed for new posts.

Google and certificates

On a similar theme, they've never been bothered to do anything about the wrong certificates being associated with domains. Last November I raised the issue of the problem in this regard when navigating via http://www.google.co.uk/adsense for example, and they replied "I am happy to pass along your comments to our engineering and product teams", who went ahead and did bugger all as usual. Still broken needless to say.


Typical

No sooner did I mail Dan to offer an alternative view to his original article than I read this one.

I'm sure there's a demon in the machine.

My alternative view can be seen at http://www.yaffles-corner.co.uk/serendipity/index.php?/archives/6-Time-to-Review-the-Security-Policy.html

Regards

Neil


Are you sure?

I don't know about users being trained to avoid sites with invalid certificates... the opposite is true in my experience. Microsoft's own site is littered with them and has been for ages (the entire MSDN site for example).


Invalid certs

Are only a problem if the data one is transferring is important. Half the time, it's SSL security guarding registration details when I don't care about registering. Like the Microsoft site, for instance.

jon

Why aren't Google issuing their own certificates?

They couldn't do a worse job than the Veri$ign monopoly (which includes Thawte and Geotrust).


business impact of expired certs

While I doubt anyone will lose faith in Google's ability to secure our data and/or gmail, expired certs and the ensuing security pop-up alerts do impact consumer behavior. Over time users become conditioned to the alerts and simply begin to ignore them. This is certainly not a security best practice, especially as phishing scams abound.

Check out some compelling survey results on this topic at: http://www.venafi.com/Collateral_Library/VenafiEncryptionStudy2007.pdf
