Google to lengthen SSL encryption keys from August

By the end of the year, Google's SSL certificates will use 2,048-bit keys

Google plans to upgrade the security of its SSL (Secure Sockets Layer) certificates, an important component of secure communications.

SSL certificates are used to encrypt communication and verify the integrity of another party with which a user is interacting. Its strength lies in the length of the private signing keys used for the certificates.

Keys that are less than 1,024 bits are considered weak, and 512- and 768-bit keys have been factored to reveal a private key. Google has been using 1,024-bit keys, but will move to 2,048-bit keys, wrote Stephen McHenry, Google's director of information security engineering, in a blog post Thursday.

"We will begin switching to the new 2048-bit certificates on August 1st, to ensure adequate time for a careful rollout before the end of the year," he wrote. "We're also going to change the root certificate that signs all of our SSL certificates because it has a 1024-bit key."

McHenry warned that most client software won't have trouble with the change, but client software embedded in some phones, printers, set-top boxes, gaming consoles and cameras could have problems.

He wrote that devices making SSL connections with Google will need to support normal validation of the certificate chain, maintain an extensive set of root certificates and support Subject Alternative Names (SANs), which allows one SSL certificate to validate several hosts.

Google's move is prudent, but SSL still has other weak points.

Hundreds of organizations around the world can issue SSL certificates that are tied back to a so-called Certificate Authority. These organizations, known as intermediates, have been targeted by hackers. Creating a fraudulent certificate SSL certificate can make it appear a person is visiting a legitimate website when in fact it is fraudulent.

Google was the victim of such an attack in 2011 after a Certificate Authority called DigiNotar was breached. Hackers generated at least 500 fraudulent SSL certificates, including one that was used in attempted man-in-the-middle attacks against Gmail users in Iran.

In 2009, security researcher Moxie Marlinspike created a tool called SSLstrip, which allows an attacker to intercept and stop a SSL connection, although there is a fix that will block such an attack. Attackers using the tool can spy on whatever data is sent to a fake website.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Google

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?