Thursday, May 5, 2011

Some observations on the rekey of encrypted.google.com...

(This is a fairly technical post about monitoring changes in PKI infrastructure. Unless that sentence interests you, you probably don't want to read further.)

Since the Comodo CA issue I've been playing around with some of the PKI monitoring infrastructure, including Perspectives and the Google Certificate Catalog. So when I heard that encrypted.google.com was rekeyed today, I decided to see what those monitoring infrastructures saw. A couple of things surprised me.

First, I happened to have a browser window open to encrypted.google.com from the previous day, when it was still using the old certificate. So I saved both the old and new certificates. From the certificates it was clear it wasn't just a new certificate for the same key, but a new key (along with an update of the validity period from 2/2011-2/2012 to 4/2011-4/2012).

Then I looked at Perspectives, and it showed the new certificate (94:47:cd:b3:15:94:94:0c:f5:fd:5c:1b:b7:3c:ee:ce, the blue in the graph below, with purple being the old certificate) as just starting to be seen; no surprise there.


[Perspectives key-history graph for encrypted.google.com; image not reproduced. Blue: the new certificate, purple: the old one.]

But looking a little more carefully at the individual notary responses, while two notaries had either not seen it yet or had just seen it in the last day, the other two had been seeing the new certificate for a while. hostway.ron.lcs.mit.edu saw the new certificate briefly back in April:

Key = 94:47:cd:b3:15:94:94:0c:f5:fd:5c:1b:b7:3c:ee:ce
 start: Tue Apr 26 02:28:11 2011
 end  : Tue Apr 26 14:28:07 2011
 start: Tue May  3 14:28:41 2011
 end  : Thu May  5 02:28:55 2011
And mvn.ron.lcs.mit.edu:8080 has been seeing it on and off for a week like clockwork:

Key = 94:47:cd:b3:15:94:94:0c:f5:fd:5c:1b:b7:3c:ee:ce
 start: Fri Apr 29 14:12:06 2011
 end  : Sat Apr 30 02:12:06 2011
 start: Sat Apr 30 14:12:05 2011
 end  : Sun May  1 02:12:06 2011
 start: Sun May  1 14:12:06 2011
 end  : Mon May  2 02:12:11 2011
 start: Mon May  2 14:12:18 2011
 end  : Tue May  3 02:12:20 2011
 start: Tue May  3 14:12:17 2011
 end  : Wed May  4 02:12:23 2011
 start: Wed May  4 14:12:22 2011
 end  : Thu May  5 02:12:25 2011 
Then I went and queried Google Certificate Catalog:
$ dig +short 20115245c15b7650f11e23985f117728cc8dcdb2.certs.googlednstest.com TXT
"15079 15098 19"
It has seen the new certificate for 19 days. The three fields are the first day seen, the last day seen and the number of days seen, counted in days since the Unix epoch: 15079 is April 15th, 2011 (in UTC; converting 15079*86400 with a local-time tool in a US timezone displays the evening of April 14th) and 15098 is May 4th, the day before this post. April 15th is right after the certificate was issued, judging by the validity period on the certificate itself. Note also that the span from April 15th to May 4th is 20 days but the catalog counts only 19 days seen, so one day in the middle was missed, the same on-and-off pattern the notaries show. So either the catalog is clued into the issuance, or Google uses the certificate internally for a while before the world sees it.

So what does this mean? If this rekey is any indication, these things don't happen in a clean binary manner. Different parts of the network may see a new certificate before others, possibly in short spurts that cut back and forth between new and old. Looking at the detailed responses from Perspectives, earlier changes for encrypted.google.com show the same bouncing back and forth (particularly at hostway.ron.lcs.mit.edu). This in turn means that certificate checkers built on these infrastructures have to tolerate this kind of noise during a changeover: a key seen by one notary for twelve hours, dropped, then seen again is not by itself evidence of an attack, and a checker that alarms on every transition, or that resets its observation clock at every gap, will either cry wolf or never accept a legitimate new key.
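As an added example (not code from this post, from Perspectives or from Google), the following Python parses the two notary histories quoted above and the Certificate Catalog record, converts the catalog day numbers to dates, and applies the kind of noise-tolerant check the previous paragraph calls for: a Perspectives-style quorum duration in which outages shorter than a chosen max_gap are bridged before measuring how long at least quorum notaries have been seeing the key. Assumptions: the catalog day numbers count days since the Unix epoch in UTC (as Google described the record); the "Key = / start: / end:" layout is exactly the notary client output quoted above; and the thresholds (max_gap, a quorum of 2, one day required) are illustrative, not Perspectives' defaults.

```python
"""Decode Google Certificate Catalog records and Perspectives notary key
histories, then run a flap-tolerant quorum-duration check (added example)."""
from datetime import date, datetime, timedelta

# Assumption: catalog day numbers are days since the Unix epoch, in UTC.
EPOCH = date(1970, 1, 1)

# Constructed input: the two notary histories quoted in the post, verbatim.
NOTARY_OUTPUT = {
    "hostway.ron.lcs.mit.edu": """\
Key = 94:47:cd:b3:15:94:94:0c:f5:fd:5c:1b:b7:3c:ee:ce
 start: Tue Apr 26 02:28:11 2011
 end  : Tue Apr 26 14:28:07 2011
 start: Tue May  3 14:28:41 2011
 end  : Thu May  5 02:28:55 2011
""",
    "mvn.ron.lcs.mit.edu:8080": """\
Key = 94:47:cd:b3:15:94:94:0c:f5:fd:5c:1b:b7:3c:ee:ce
 start: Fri Apr 29 14:12:06 2011
 end  : Sat Apr 30 02:12:06 2011
 start: Sat Apr 30 14:12:05 2011
 end  : Sun May  1 02:12:06 2011
 start: Sun May  1 14:12:06 2011
 end  : Mon May  2 02:12:11 2011
 start: Mon May  2 14:12:18 2011
 end  : Tue May  3 02:12:20 2011
 start: Tue May  3 14:12:17 2011
 end  : Wed May  4 02:12:23 2011
 start: Wed May  4 14:12:22 2011
 end  : Thu May  5 02:12:25 2011
""",
}
NEW_KEY = "94:47:cd:b3:15:94:94:0c:f5:fd:5c:1b:b7:3c:ee:ce"
CATALOG_TXT = '"15079 15098 19"'    # the dig +short output from the post
NOW = datetime(2011, 5, 5, 2, 30)   # assumed moment of the check (post date)


def parse_ts(s):
    return datetime.strptime(s.strip(), "%a %b %d %H:%M:%S %Y")


def parse_notary_history(text):
    """Return {fingerprint: [(start, end), ...]} from the notary text format."""
    histories, key, start = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Key = "):
            key = line[len("Key = "):]
            histories.setdefault(key, [])
        elif line.startswith("start"):
            start = parse_ts(line.split(":", 1)[1])
        elif line.startswith("end"):
            histories[key].append((start, parse_ts(line.split(":", 1)[1])))
    return histories


def decode_catalog_record(txt):
    """Catalog TXT record = "<first-day> <last-day> <days-seen>"."""
    first, last, seen = (int(x) for x in txt.strip().strip('"').split())
    span = last - first + 1
    return {"first_seen": EPOCH + timedelta(days=first),
            "last_seen": EPOCH + timedelta(days=last),
            "days_seen": seen, "span_days": span,
            "unseen_days": span - seen}   # days in the span with no sighting


def merge_gaps(intervals, max_gap):
    """Bridge outages of at most max_gap so a flapping key reads as one run."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start - merged[-1][1] <= max_gap:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def quorum_duration(key, notary_histories, now, max_gap, quorum):
    """How long `key` has been continuously seen by at least `quorum` notaries
    up to `now`, ignoring gaps of at most `max_gap`. Every notary currently
    seeing the key contributes its "seen since" length; the quorum-th longest
    of those is the quorum duration."""
    durations = []
    for history in notary_histories.values():
        runs = merge_gaps(history.get(key, []), max_gap)
        if runs and now - runs[-1][1] <= max_gap:       # still being observed
            durations.append(now - runs[-1][0])
    if len(durations) < quorum:
        return timedelta(0)
    return sorted(durations, reverse=True)[quorum - 1]


def evaluate_key(key, max_gap_hours, quorum=2, required_hours=24, now=NOW):
    """Return (quorum duration in seconds, accepted?) over the sample notaries."""
    histories = {n: parse_notary_history(t) for n, t in NOTARY_OUTPUT.items()}
    qd = quorum_duration(key, histories, now, timedelta(hours=max_gap_hours), quorum)
    return qd.total_seconds(), qd >= timedelta(hours=required_hours)


if __name__ == "__main__":
    print("catalog:", decode_catalog_record(CATALOG_TXT))
    for hours in (1, 13):
        print(f"max_gap={hours}h:", evaluate_key(NEW_KEY, hours))
```

With a 13-hour gap tolerance the mvn notary's twelve-hours-on, twelve-hours-off pattern reads as one run since April 29th, two notaries clear a one-day threshold, and the key is accepted; with a one-hour tolerance the same data looks like a key first seen twelve hours ago and it is rejected. The catalog record decodes to first seen 2011-04-15, last seen 2011-05-04, seen on 19 of those 20 days.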

Also, looking at Perspectives' long-term data for encrypted.google.com, it looks like a change happens every two months or so (note that one can't tell from this alone whether they rekey or just issue a new certificate for the same key):