Google SSL certs expire

July 29th, 2008 | by Andy |

Google reported today that their SSL certs had expired on their SMTP service. Although I guess this not a huge deal, and is more about image and user inconvenience than a real security issue, I think it does illustrate a continuing problem that the industry is well aware of.

No, not that SSL certs are hard to manage - the well established principle that relying on humans sucks.

So many of our policies and procedures rely on a carbon based life form deciding or remembering to do the right thing. In this case, I guess either:

  • somebody was supposed to make sure the certs stayed up to date
  • they were supposed to enter the existence of the cert into an automated tracking system
  • or the monitoring system failed and nobody noticed

We need to stop assuming that people will have the time and motivation to remember and do the right things to keep the policy engines running smoothly. Instead, policy needs to be driven by automation and compliance needs to become the path of least resistance for the carbon units.

We must always know our endpoints, know what and where they are and what they do. Scanning is a valuable tool here, but it needs to be augmented with other tools that will take the scan results and test that each endpoint is and stays in policy.

If your policy is that SSL certs must be kept up to date, then its not hard to automate a test to measure if each endpoint has any certs and if they are going to expire any time soon.

Your top level Security Governance Framework should mandate that the Security Program is driven by automation and every exception to that principle must be justified.

You must be logged in to post a comment.