Gmail certificate expiry snafu follows security upgrade
Google allowed one of its Gmail SSL certificates to expire days after promising users improved webmail security.
Because Google's certificate for IMAP/POP traffic expired on Tuesday, users were confronted by a potentially confusing "invalid certificate" warning. In some cases users may also have been left unable to send email. …
This topic is closed for new posts.
Posted Wednesday 30th July 2008 16:20 GMT
David Gosnell
Google and certificates
On a similar theme, they've never been bothered to do anything about the wrong certificates being associated with domains. Last November I raised the issue of the problem in this regard when navigating via http://www.google.co.uk/adsense for example, and they replied "I am happy to pass along your comments to our engineering and product teams", who went ahead and did bugger all as usual. Still broken needless to say.
Posted Wednesday 30th July 2008 17:16 GMT
Anonymous Coward
Typical
No sooner did I mail Dan to offer an alternative view to his original article than I read this one.
I'm sure there's a demon in the machine.
My alternative view can be seen at http://www.yaffles-corner.co.uk/serendipity/index.php?/archives/6-Time-to-Review-the-Security-Policy.html
Regards
Neil
Posted Wednesday 30th July 2008 17:16 GMT
Tony Hoyle
Are you sure?
I don't know about users being trained to avoid sites with invalid certificates.. the opposite is true in my experience. Microsoft's own site is littered with them and has been for ages (the entire MSDN site for example).
Posted Thursday 31st July 2008 08:40 GMT
Rich
Invalid certs
Are only a problem if the data one is transferring is important. Half the time, it's SSL security guarding registration details when I don't care about registering. Like the Microsoft site, for instance.
Posted Thursday 31st July 2008 12:45 GMT
jon
Why aren't Google issuing their own certificates?
They couldn't do a worse job than the Veri$ign monopoly (which includes Thawte and Geotrust).
Posted Friday 1st August 2008 18:45 GMT
Gregory Webb
business impact of expired certs
While I doubt anyone will lose faith in Google's ability to secure our data and/or gmail, expired certs and the ensuing security pop-up alerts do impact consumer behavior. Over time users become conditioned to the alerts and simply begin to ignore them. This is certainly not a security best practice, especially as phishing scams abound.
Check out some compelling survey results on this topic at: http://www.venafi.com/Collateral_Library/VenafiEncryptionStudy2007.pdf