
Gmail users hit by software glitch - dolftax
http://www.bbc.com/news/technology-32194202
======
praseodym
The issue was that they let their own intermediate certificate expire, even
though the leaf certificate for smtp.gmail.com was still valid:
[http://www.securityweek.com/google-lets-smtp-certificate-expire](http://www.securityweek.com/google-lets-smtp-certificate-expire)

It's good to note that many expiration checkers (e.g. for Nagios/Icinga) only
check the expiration date of the leaf certificate, so you'll be in trouble if
the intermediate certificate expires. However, I don't think any commercial CA
will give out certificates with an expiration date longer than their own
intermediate or root.
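
The point made in the comment above, that an expiry check has to cover every certificate the server sends and not only the leaf, as an added example (not part of the thread and not taken from any monitoring plugin): standard-library Python that reads notAfter from each PEM block in a chain bundle, such as the output of `openssl s_client -showcerts`. The function names, the 30-day warning threshold and the unsigned `sample_pem` skeleton certificates are assumptions made for the illustration.

```python
import base64, re
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Return the notAfter time of one DER-encoded X.509 certificate (UTC)."""
    _, pos, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)      # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                     # optional [0] version field
        pos = end
    for _ in range(3):                  # serialNumber, signature, issuer
        pos = read_tlv(der, pos)[2]
    _, pos, _ = read_tlv(der, pos)      # Validity SEQUENCE
    pos = read_tlv(der, pos)[2]         # skip notBefore
    tag, start, end = read_tlv(der, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    when = datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    if tag == 0x17 and when.year >= 2050:  # RFC 5280: UTCTime years 50-99 mean 19xx
        when = when.replace(year=when.year - 100)
    return when

def chain_expiry(pem_bundle, now, warn_days=30):
    """Report (position, not_after, status) for every certificate, not just the leaf."""
    report = []
    for i, m in enumerate(PEM_RE.finditer(pem_bundle)):
        expires = not_after(base64.b64decode(m.group(1)))
        status = ("EXPIRED" if expires <= now else
                  "WARNING" if expires - now <= timedelta(days=warn_days) else "OK")
        report.append((i, expires, status))
    return report

def sample_pem(not_after_utc):
    """Constructed input: an unsigned certificate skeleton carrying only a validity field."""
    seq = lambda body: b"\x30" + bytes([len(body)]) + body
    utc = lambda s: b"\x17\x0d" + s.encode()
    tbs = seq(b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + seq(b"") + seq(b"")
              + seq(utc("150101000000Z") + utc(not_after_utc)) + seq(b""))
    body = base64.b64encode(seq(tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"
```

Position 0 in the report is the leaf; alert on the worst status anywhere in the list so that an intermediate nearing expiry pages someone even while the leaf is still valid.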

------
Kenji
If you think about it, it's not a software glitch, it's actually software
working perfectly well. It'd be a glitch if the certificate ran out and the
operation continued normally.

I wonder if this problem has been abused to launch MitM attacks. I bet many
people just clicked away the warnings and proceeded.

~~~
cookingrobot
Wouldn't that attack be possible even without this problem?

------
andrewstuart2
It may not have been intentional, but I wasn't a fan of the seeming
implication in the last paragraph that this was either related to or even in
the ballpark of being as egregious as CNNIC abusing their authority as a CA.

------
coldcode
I don't know about anyone else, but I despise the word 'glitch'. It makes a
bug sound like it only happened once.

~~~
moron4hire
It also makes it sound like the defect is nobody's fault, as if it came from
some external source, like sun spots or something. The description of the
early healthcare.gov as "glitchy" angered me.

You glitch a radio by running a microwave oven next to it. The radio's failure
to work correctly is not the radio designer's fault.

I similarly don't like the word "bug". Bug implies it wasn't always there,
that it just got in somehow, snuck in through the cracks.

I try to always use the word defect.

~~~
ashmud
Or that a bug literally got into the machine. It seems more analogous to edge
conditions that weren't covered, which could overlap with actual defects. For
example, input ranges that were "promised" to never be in a data set, but
ended up happening anyway.

------
robbyt
Here is a screenshot I took of the expired cert:
[https://twitter.com/robbyt/status/584414823259181056](https://twitter.com/robbyt/status/584414823259181056)

