Google allowed one of its Gmail SSL certificates to expire days after promising users improved webmail security. Because Google's certificate for IMAP/POP traffic expired on Tuesday, users were confronted by a potentially confusing "invalid certificate" warning. In some cases users may also have been left unable to send email. …
Google and certificates
On a similar theme, they've never been bothered to do anything about the wrong certificates being associated with domains. Last November I raised the issue of the problem in this regard when navigating via http://www.google.co.uk/adsense for example, and they replied "I am happy to pass along your comments to our engineering and product teams", who went ahead and did bugger all as usual. Still broken needless to say.
No sooner did I mail Dan to offer an alternative view to his original article than I read this one.
I'm sure there's a demon in the machine.
My alternative view can be seen at http://www.yaffles-corner.co.uk/serendipity/index.php?/archives/6-Time-to-Review-the-Security-Policy.html
Are you sure?
I don't know about users being trained to avoid sites with invalid certificates.. the opposite is true in my experience. Microsoft's own site is littered with them and has been for ages (the entire MSDN site for example).
Are only a problem if the data one is transferring is important. Half the time, it's SSL security guarding registration details when I don't care about registering. Like the Microsoft site, for instance.
Why aren't Google issuing their own certificates?
They couldn't do a worse job than the Veri$ign monopoly (which includes Thawte and Geotrust).
business impact of expired certs
While I doubt anyone will lose faith in Google's ability to secure our data and/or gmail, expired certs and the ensuing security pop-up alerts do impact consumer behavior. Over time users become conditioned to the alerts and simply begin to ignore them. This is certainly not a security best practice, especially as phishing scams abound.
Check out some compelling survey results on this topic at: http://www.venafi.com/Collateral_Library/VenafiEncryptionStudy2007.pdf