Gmail users around the world received error messages and safety warnings Saturday because of an invalid digital security certificate that could have left their emails and other private data more vulnerable to hackers.
Google first acknowledged the reports at 1:21 p.m. Eastern time on its Apps Status Dashboard, saying that it was investigating and would provide more information shortly. Less than 40 minutes later, the company posted a more detailed update describing the event that was affecting "a majority of users."
"We're aware of a problem with Gmail affecting a majority of users. The affected users are able to access Gmail, but are seeing error messages and/or other unexpected behavior," Google said. It gave the all-clear at 3:46 p.m.
Digital security certificates are used to help ensure that users obtain secure connections and are protected from outside hackers and spies. Websites with digital security certificates often display "https" in their web addresses, rather than "http."
The bug came just four days after Google announced it would stop recognizing digital security certificates issued by the China Internet Network Information Center, or CNNIC. In a March 23 blog post, Google said it had become "aware of unauthorized digital certificates for several Google domains."
PCMag reported that CNNIC, the digital security certificate issuer for the .cn domain, made a deal with MCS Holdings that would have allowed it to access "secure connections" and given it permission to see users' private data.
Google experienced a similar issue in July 2014 when it blocked the India-based issuer National Informatics System. At the time, Google security engineer Adam Langley admitted that the scope of the breach was "unknown."
Former Google employee Tim Bray explained to CNET how something like this could happen.
"Unfortunately, the CA [Certificate Authority] business is poorly regulated. There are too many of them, and some have questionable competence and/or ethics. This most recent story being an example," he said.
Bray compared the problem to that of a lock maker issuing keys to any other lock maker's locks, saying "a single rogue actor can give access to even the most secure bank's vaults."
It's not clear whether any users' information was affected as a result of Saturday's disruption. Google did not immediately respond to TheBlaze's request for further comment.
(H/T: BBC)
Follow Jon Street (@JonStreet) on Twitter