Google Public CA is down

Original Article ↗ Hacker News Discussion ↗

YouTube / Service Symptoms

  • Many users saw YouTube’s homepage and recommendations fail while direct video links, search, history, playlists, and subscriptions often still worked.
  • Behavior was inconsistent: some could access subscriptions, others saw errors or blank pages; mobile apps sometimes failed completely.
  • Issue appeared global (reports from EU, SE Asia, multiple VPN locations).
  • Other services (e.g., Heroku) also showed problems, leading to speculation about broader infrastructure or certificate-related issues.

Relationship to Google Public CA Outage

  • Several commenters doubted that a CA outage alone would directly take down YouTube, suggesting a shared underlying infrastructure issue instead.
  • Others proposed that if Google relies heavily on short-lived certificates and automated issuance for ephemeral instances, a CA halt could block new instances from getting certs, indirectly causing outages.
  • For persistent services, typical ACME renewal windows (tens of days) should tolerate an 8-hour CA outage; YouTube’s behavior suggests more aggressive or different certificate usage patterns.

PKI, Compliance, and Short-Lived Certificates

  • The status page wording (“ongoing incident that will force issuance to be halted”) was read as suggesting a compliance problem (e.g., issuance of non‑compliant certificates), prompting an intentional stop.
  • Discussion covered Baseline Requirements, browser root store policies, and how even “minor” rule violations act as a “brown M&Ms” test for CA trustworthiness.
  • Some argued these strict rules prevent bigger failures; others complained that protections against theoretical risks can cause real‑world outages.
  • Debate over ever-shorter certificate lifetimes: critics worry outages like this become more dangerous; defenders note renewals should happen well before expiry and that multi‑CA failover exists (but is rarely deployed).

Centralization, Risk, and “The Great Oops”

  • Extended debate on whether a major cloud provider could ever trigger catastrophic, large‑scale data loss (“The Great Oops”) via tooling, automation, or misconfiguration.
  • One side calls such an event “essentially impossible” due to layered controls; the other notes past serious incidents, cascading config failures, and argues that at scale, human error plus orchestration tools always pose non‑zero systemic risk.
  • Some see certificates as effectively becoming “licenses to publish,” raising concerns about central control and dependency on a few CAs.

User Reactions, Alternatives, and Media Trends

  • Some celebrated the temporary disappearance of YouTube recommendations as a productivity boost; others emphasized YouTube’s huge value for practical learning.
  • Discussion diverged into Nebula and other alternatives, plus worries about YouTube Shorts and the impact of ultra-short content on attention spans, especially for children.
  • Podcasts were praised as a fallback, but there was frustration with intrusive, hyper-local ad insertion and fears of “radio 2.0” (long content padded heavily with ads).

Miscellaneous

  • Heroku issues were noted and tied (speculatively) to cert rotation relying on Google’s CA, with broader commentary on Heroku’s decline post‑acquisition.
  • Some nitpicked Google’s internal jargon (“issuance flow has been undrained”) as unnecessarily opaque; “restored” would be clearer.
  • Overall sentiment mixed technical curiosity, CA‑ecosystem concern, and lighthearted jokes about trust and productivity being “down.”