[liberationtech] Gmail SSL Certificate Churn?
Nick Daly
nick.m.daly at gmail.com
Mon Jan 14 06:16:42 PST 2013
Sky, the cert fails because I'm (very, very slowly) trying out
different PGP-SSL bridges (it's four or five projects down, at this
point). Right now, this means that my cert is self-signed, and that
it can be verified by checking the PGP signature on the authentication
statement:
http://lists.alioth.debian.org/pipermail/freedombox-discuss/2012-June/003880.html
So far, I've learned that this approach isn't very scalable. :)
You can check the site without HTTPS by going to:
www.betweennowhere.net/blog/2013/01/gmails-changing-ssl-certificates/
The betweennowhere.net site just redirects to the
https://www.betweennowhere.net site anyway.
On Sat, Jan 12, 2013 at 9:44 PM, Sky (Jim Schuyler) <sky at cyberspark.net> wrote:
> Rapidly means several days to a week for google.com. We (Cyberspark.net)
> watch the Google.com SSL certs (not gmail) and it takes at least a few days
> as they roll new certs onto multiple IP addresses (round robin DNS). I have
> only monitored this for the last two years, but it's been the same both
> years. I have never understood why they don't or can't deploy the new certs
> more rapidly, and it does set off repeated alarms within our systems. But as
> long as they are valid and properly signed we just watch and smile.
>
> DNS rotates the address for Google.com among a number of IP addresses, and
> they don't update all of those servers at the same time, so it appears to
> our monitors as "thrashing" back and forth between the old and the new
> certs.
>
> I wonder if anyone in the group knows whether there's any good reason they
> should or shouldn't push new certs on all machines at the same time?
>
> (Nick -- would like to see what you have online, but won't blast thru a
> certificate warning. Perhaps you have it somewhere else.)
>
> -Sky
>
>
> On Jan 12, 2013, at 2:57 PM, John Adams <jna at retina.net> wrote:
>
> Additionally, while you're complaining about other people's SSL
> certificates, you should fix yours. :)
>
>
>
> On Sat, Jan 12, 2013 at 2:54 PM, John Adams <jna at retina.net> wrote:
>>
>> Google has stated publicly that they rapidly roll their SSL
>> certificates. Nothing to see here, no blog post to write, move along now...
>>
>> -j
>>
>>
>> On Sat, Jan 12, 2013 at 2:19 PM, Nick M. Daly <nick.m.daly at gmail.com>
>> wrote:
>>>
>>> Hi folks, can you help me understand how to interpret this data? It
>>> appears that Gmail's SSL certificate changed fairly frequently during
>>> the month of December. That seems wrong to me. What's this all mean?
>>>
>>>
>>> https://www.betweennowhere.net/blog/2013/01/gmails-changing-ssl-certificates/
>>>
>>> The weirdest part isn't how the 0E:66... certificate disappeared on
>>> November 20th (or December 5th), but how it came back into circulation
>>> on or around December 20th.
>>>
>>> Thanks for any clarification you can offer on this situation,
>>> Nick
>>>
>>> --
>>> Unsubscribe, change to digest, or change password at:
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>>
>
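
The "thrashing" Sky describes above, sketched as an added example that is not part of the original thread: a monitor that alerts on every fingerprint change fires repeatedly while round-robin DNS alternates between updated and not-yet-updated servers, whereas one that tracks known valid fingerprints alerts once per new certificate and on any chain that fails validation. The observation format, function names, IP addresses and fingerprint labels are all constructed for illustration.

```python
from collections import namedtuple

# Constructed sample data: poll time, IP returned by round-robin DNS,
# certificate fingerprint seen, and whether the chain validated.
Obs = namedtuple("Obs", "t ip fp valid")
SAMPLE = [
    Obs(1, "192.0.2.1", "OLD", True),
    Obs(2, "192.0.2.2", "OLD", True),
    Obs(3, "192.0.2.1", "NEW", True),   # first server updated
    Obs(4, "192.0.2.2", "OLD", True),   # other server not yet updated
    Obs(5, "192.0.2.1", "NEW", True),
    Obs(6, "192.0.2.2", "OLD", True),
    Obs(7, "192.0.2.2", "NEW", True),   # rollout complete
    Obs(8, "192.0.2.3", "BAD", False),  # chain fails validation
]

def naive_alerts(observations):
    """Alert whenever the fingerprint differs from the previous poll."""
    alerts, last = [], None
    for o in observations:
        if last is not None and o.fp != last:
            alerts.append(o.t)
        last = o.fp
    return alerts

def rollout_aware_alerts(observations):
    """Alert once per new valid fingerprint, and on every invalid chain."""
    seen, alerts = set(), []
    for o in observations:
        if not o.valid:
            alerts.append((o.t, "invalid-chain", o.fp))
        elif o.fp not in seen:
            if seen:  # the first cert ever seen is the baseline, not an alert
                alerts.append((o.t, "new-valid-cert", o.fp))
            seen.add(o.fp)
    return alerts

def rollout_state(observations):
    """Latest valid fingerprint per IP, to show which servers lag behind."""
    state = {}
    for o in observations:
        if o.valid:
            state[o.ip] = o.fp
    return state

if __name__ == "__main__":
    print("naive:", naive_alerts(SAMPLE))
    print("rollout-aware:", rollout_aware_alerts(SAMPLE))
    print("per-IP state:", rollout_state(SAMPLE))
```

A certificate that drops out of rotation and later returns, as in the original question, stays in the known set here and raises no second alert as long as its chain still validates.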