2 thoughts on “Tweet of the Day, I Need Tech Eyes On This edition.”

  1. So ‘broken HTTPS’ can mean a good number of different things, but generally it means a problem with the security certificate. It’s kind of like the ‘Check Engine’ light on your car – it might mean your engine is going to blow up soon, but it also might just mean your gas cap is loose.

    What’s the certificate? At its most basic level, the certificate is a cryptographically secure way of knowing that when you go to google.com, you’re actually going to google.com and not someone who hijacked things in the middle. It works because in theory a Certificate Authority (companies like Verisign) is supposed to investigate and make sure that when it issues the cert that it’s really Google that got it. Occasionally they screw up and, say, issue a Microsoft.com certificate to someone who used social engineering to make it happen. In that case, the cert gets canceled, which is a whole nother can of worms.

    But anyways, one of the things you get when you retrieve the cert from a web host is its public key. Using that, you can decrypt the data the web host sent you that was encrypted. Well, it’s more complicated than that, but that’s beyond English major scope unless you just really want to know the gritty details.

    So what can be wrong with a cert? Well, the aforementioned canceling is one thing, and that one’s bad. Indicates someone’s trying a hack. Another one is ‘I don’t recognize the folks who issued the cert’. That may be bad, or you may just be missing a Windows update. Another one is ‘The cert doesn’t match the website name’. This one happens when, say, foo.com buys bar.com and starts to host bar.com’s web, but forgets to get a cert for it, so the webhost says it’s still foo.com. Depending on the names, this one can either be completely ok, or evidence of someone trying to intercept your traffic.

    But the most common one? Certs are issued with an expiration date, typically one or two years. And folks don’t always remember to renew them and install the new ones when they come in. And in this case if the cert is expired by a day or two, I’d have no problems still trusting the site. That’s probably what happened to Google. Except I’d guess that they updated their cert, and in the process of pushing it out to the million servers or so, the push failed on a few.
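
The certificate problems listed in the comment above (unrecognized issuer, name mismatch, expiry), sketched as an added example that is not part of the original post or comment. It assumes a certificate dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the host names, the issuer "Example Trust CA" and the trusted-issuer set are constructed, the issuer check is simplified to a name lookup rather than chain verification, and revocation is left out because it needs a CRL or OCSP lookup.

```python
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Example Trust"),),
               (("commonName", "Example Trust CA"),)),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "foo.example"), ("DNS", "*.foo.example")),
}
# Assumption: stand-in for the OS/browser trust store. Real validation
# verifies the signature chain; this only compares issuer names.
TRUSTED_ISSUERS = {"Example Trust CA"}


def name_matches(pattern, hostname):
    """Exact match, or a '*' that covers exactly the left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def cert_problems(cert, hostname, now, trusted=TRUSTED_ISSUERS):
    """Return the warnings a client would raise for this cert at time `now`."""
    problems = []
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    if issuer.get("commonName") not in trusted:
        problems.append("unknown_issuer")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(s, hostname) for s in sans):
        problems.append("name_mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not_yet_valid")
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    if now > expiry:
        days = int((now - expiry) // 86400)
        problems.append(f"expired_{days}_days_ago")
    return problems


if __name__ == "__main__":
    two_days_late = ssl.cert_time_to_seconds("Jan  3 00:00:00 2024 GMT")
    print(cert_problems(SAMPLE_CERT, "www.foo.example", two_days_late))
    print(cert_problems(SAMPLE_CERT, "bar.example", two_days_late))
```

Reporting how long ago the certificate expired, and whether a name mismatch comes with it, gives the reader the context the comment uses to tell a missed renewal apart from something worth investigating.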
