Apple's Mail showing "the identity of smtp.gmail.com cannot be verified"

18

2

When trying to send email using Gmail in OS X Mail, I get:

The identity of "smtp.gmail.com" cannot be verified.

The certificate for this server is invalid. You might be connecting to a server that is pretending to be "smtp.gmail.com" which could put your confidential information at risk. Do you want to connect to the server anyway?

What to do?

Arjan

Posted 2015-04-04T16:39:19.437

Reputation: 29 084

3

This is not the first time either: https://www.seroundtable.com/archives/017825.html

– Antoine Jaussoin – 2015-04-04T18:43:08.883

1

And by now should be fixed: https://www.google.com/appsstatus#hl=en&v=issue&sid=1&iid=bf1b188b6295f21fbfc92d7b48dfe7be

– Arjan – 2015-04-04T20:52:37.523

Answers

22

In this case (April 4th, 2015) you could safely click "Connect". But in general such warnings should not be ignored. Here's how you can investigate future occurrences of such warnings:

Clicking "Show Certificate" and then selecting "Google Internet Authority G2" showed for this incident:

Google Internet Authority G2
Intermediate certificate authority
Expired: Saturday 4 April 2015 17:15:55 Central European Summer Time
This certificate has expired

And for "smtp.gmail.com":

smtp.gmail.com
Issued by: Google Internet Authority G2
Expires: Thursday 31 December 2015 1:00:00 Central European Standard Time
This certificate has an invalid issuer

So, the certificate for Gmail was still good, but the "intermediate issuer" that was used to create it didn't last as long as Gmail's certificate. That was an error on Google's part; meanwhile they have installed a new certificate on smtp.gmail.com which uses a different issuer certificate. However, as this was trusted until a few hours before the problem started in April 2015 (and assuming you used it before, when all was good), it was safe to select "Connect" then.

Arjan

Reputation: 29 084

3

Well, in principle the fact that the intermediate is outdated means that a cautious person would no longer expect straight away that its key could not have been broken by an attacker using brute-force for a couple of years. Such an attacker could easily have forged the smtp.gmail.com certificate that you see. Of course the assumption that such an attacker succeeds precisely at the moment of expiry is unfounded. Still, Google should have checked their certificate expiry schedule - encouraging users to ignore security warnings (though ok in this case) educates them into the wrong direction! – Hagen von Eitzen – 2015-04-04T18:48:25.643

@Hagen, the certificate chain is still valid; only the dates are off. (But I've emphasized that clicking Connect is fine today.) – Arjan – 2015-04-04T19:28:16.983

1

Yeah, I should have said "not trusted" instead of "invalid". Of course the process of setting expiry dates is executed with enough safety margin to allow acceptance "shortly" beyond expiry date. Then again, Google won't have to even bother adding the cert to a CRL if they happened to learn now that the key was explicitly compromised. Hence the CRL safety net is removed after expiry. – Hagen von Eitzen – 2015-04-04T19:42:17.237

(Very much agreed, @Hagen.) – Arjan – 2015-04-04T19:43:23.803

3

Keep in mind that expired certificates are not listed in any CRLs (certificate revocation lists). Hence, if Google had previously revoked the "Google Internet Authority G2" certificate, once the certificate validity end time has passed you would no longer necessarily know about the revocation, since the revocation won't be in the CRL after that time. This is on the assumption that expired certificates are invalid anyway, so having them in the CRL would be stating the obvious. – a CVn – 2015-04-04T23:03:10.883

9

Google sent an email to those subscribed to alerts:

Google Apps for Business

Status: Service disruption

We expect to resolve the problem affecting a majority of users of Gmail at April 4, 2015 1:00:00 PM PDT. Please note that this time frame is an estimate and may change.

smtp.gmail.com is displaying an invalid certificate.

April 4, 2015 11:58:00 AM PDT

Faiyaz Ahmed

Reputation: 91