[liberationtech] Gmail SSL Certificate Churn?
Sky (Jim Schuyler)
sky at cyberspark.net
Sat Jan 12 19:44:12 PST 2013
Rapidly means several days to a week for google.com. We (Cyberspark.net) watch the Google.com SSL certs (not gmail) and it takes at least a few days as they roll new certs onto multiple IP addresses (round robin DNS). I have only monitored this for the last two years, but it's been the same both years. I have never understood why they don't or can't deploy the new certs more rapidly, and it does set off repeated alarms within our systems. But as long as they are valid and properly signed we just watch and smile.
DNS rotates the address for Google.com among a number of IP addresses, and they don't update all of those servers at the same time, so it appears to our monitors as "thrashing" back and forth between the old and the new certs.
I wonder if anyone in the group knows whether there's any good reason they should or shouldn't push new certs on all machines at the same time?
(Nick -- would like to see what you have online, but won't blast thru a certificate warning. Perhaps you have it somewhere else.)
-Sky
On Jan 12, 2013, at 2:57 PM, John Adams <jna at retina.net> wrote:
> Additionally, while you're complaining about other people's SSL certificates, you should fix yours. :)
>
>
>
> On Sat, Jan 12, 2013 at 2:54 PM, John Adams <jna at retina.net> wrote:
> Google has stated publicly that they rapidly roll their SSL certificates. Nothing to see here, no blog post to write, move along now...
>
> -j
>
>
> On Sat, Jan 12, 2013 at 2:19 PM, Nick M. Daly <nick.m.daly at gmail.com> wrote:
> Hi folks, can you help me understand how to interpret this data? It
> appears that Gmail's SSL certificate changed fairly frequently during
> the month of December. That seems wrong to me. What's this all mean?
>
> https://www.betweennowhere.net/blog/2013/01/gmails-changing-ssl-certificates/
>
> The weirdest part isn't how the 0E:66... certificate disappeared on
> November 20th (or December 5th), but how it came back into circulation
> on or around December 20th.
>
> Thanks for any clarification you can offer on this situation,
> Nick
>
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
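
The "thrashing" described in the message above can be reproduced offline. The following is an added example, not part of the original thread and not Cyberspark's monitoring code: it compares a monitor that keeps one expected certificate per hostname with one that tracks each resolved IP and alerts only on a chain that fails validation. The IPs, fingerprints and the `valid` flag are constructed sample data.

```python
# Constructed polls of one hostname behind round-robin DNS:
# (poll time, resolved IP, certificate fingerprint, chain validated?)
# IPs are documentation addresses; fingerprints are placeholders.
OBSERVATIONS = [
    ("2013-01-01T00:00", "192.0.2.10", "AA:11", True),
    ("2013-01-01T00:05", "192.0.2.11", "AA:11", True),
    ("2013-01-02T00:00", "192.0.2.10", "BB:22", True),   # new cert on one server
    ("2013-01-02T00:05", "192.0.2.11", "AA:11", True),   # DNS rotates to a server not yet updated
    ("2013-01-02T00:10", "192.0.2.10", "BB:22", True),
    ("2013-01-03T00:00", "192.0.2.11", "BB:22", True),   # second server catches up
    ("2013-01-03T00:05", "192.0.2.12", "CC:33", False),  # chain does not validate
]

def classify(observations):
    """Return (time, ip, per-IP label, naive hostname-level alarm) per poll."""
    last_for_host = None   # naive monitor: one "current" cert per hostname
    last_for_ip = {}       # per-IP monitor: last valid cert seen on each server
    seen = set()           # every valid fingerprint observed so far
    results = []
    for when, ip, fp, valid in observations:
        naive_alarm = last_for_host is not None and fp != last_for_host
        last_for_host = fp
        if not valid:
            label = "alert"            # the only case that needs a human
        elif not seen:
            label = "baseline"         # first valid cert ever recorded
        elif fp not in seen:
            label = "new-cert"         # start of a rollout: log it once
        elif last_for_ip.get(ip, fp) == fp:
            label = "steady"           # this server still serves what it served before
        else:
            label = "server-changed"   # this server moved to an already-known cert
        if valid:                      # never let an invalid cert become state
            seen.add(fp)
            last_for_ip[ip] = fp
        results.append((when, ip, label, naive_alarm))
    return results

if __name__ == "__main__":
    for when, ip, label, naive in classify(OBSERVATIONS):
        print(f"{when} {ip:<11} {label:<14} naive_alarm={naive}")
```
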