Google is the latest company to strengthen its SSL deployment, announcing plans to move all of its SSL certificates to 2048-bit RSA keys.
SSL (and its successor, TLS) is the protocol that encrypts and authenticates Web traffic between clients and servers. It is best known for protecting online banking, shopping and other financial transactions, but it also secures sensitive activities such as email, and Google offers SSL connections for most of its major online services. Gmail users can make SSL the default for their sessions, and Google search can also be reached over HTTPS.
To help ensure the future security of these services, Google plans to move from 1024-bit keys to 2048-bit keys by the end of this year, officials said. A 2048-bit RSA modulus is far harder to factor with known methods than a 1024-bit one, so the change makes recovering a certificate's private key much more expensive for an attacker. As part of the change, Google is warning users about compatibility problems in client software that the longer keys and the accompanying root-certificate change may trigger.
“We will begin switching to the new 2048-bit certificates on August 1, to ensure adequate time for a careful rollout before the end of the year. We’re also going to change the root certificate that signs all of our SSL certificates because it has a 1024-bit key,” said Stephen McHenry, director of Information Security Engineering at Google.
“Most client software won’t have any problems with either of these changes, but we know that some configurations will require some extra steps to avoid complications.”
McHenry said clients must support normal validation of a certificate chain and must ship a sufficiently complete set of root certificates. Several things could cause certificate validation failures after the change, McHenry said, including clients that match certificates exactly by hash (pinning to the leaf certificate) and clients with hard-coded root certificates, such as devices whose roots are embedded in firmware.
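To show what those two client-side pitfalls look like in practice, here is an added Go example; it is not code from the original article or from Google. It constructs a 1024-bit root with a 1024-bit leaf and a 2048-bit root with a 2048-bit leaf (the CA names and the hostname www.example.com are assumptions, and nothing here is real Google PKI material), then checks the new chain three ways a client might: normal chain validation with only the old root hard-coded, normal chain validation with both roots in the trust store, and an exact SHA-256 match against the previously seen leaf.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Host is an assumed server name for the constructed leaf certificates.
const Host = "www.example.com"

// Chain is a constructed self-signed root plus one leaf it issued (not Google's PKI).
type Chain struct {
	Root, Leaf *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue gives tpl a fresh serial, signs it with signer under parent, and parses the result.
func issue(tpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))
	check(err)
	tpl.SerialNumber = serial.Add(serial, big.NewInt(1)) // keep it strictly positive
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// BuildChain generates a root CA of rootBits and a leaf of leafBits signed by it.
func BuildChain(rootName string, rootBits, leafBits int) *Chain {
	rootKey, err := rsa.GenerateKey(rand.Reader, rootBits)
	check(err)
	leafKey, err := rsa.GenerateKey(rand.Reader, leafBits)
	check(err)
	now := time.Now()
	rootTpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: rootName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := issue(rootTpl, rootTpl, &rootKey.PublicKey, rootKey) // self-signed
	leaf := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: Host},
		DNSNames:    []string{Host},
		NotBefore:   now.Add(-time.Hour),
		NotAfter:    now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &leafKey.PublicKey, rootKey)
	return &Chain{Root: root, Leaf: leaf}
}

// KeyBits is the RSA modulus length of a certificate's key; panics if the key is not RSA.
func KeyBits(c *x509.Certificate) int {
	return c.PublicKey.(*rsa.PublicKey).N.BitLen()
}

// VerifyWithRoots does normal chain validation against the roots a client ships with.
func VerifyWithRoots(leaf *x509.Certificate, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: Host})
	return err
}

// LeafFingerprint hashes the whole certificate: an exact match that breaks on every reissue.
func LeafFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	old := BuildChain("Old Root (1024-bit)", 1024, 1024) // today's deployment
	nw := BuildChain("New Root (2048-bit)", 2048, 2048)  // after the rollover
	fmt.Printf("old leaf %d-bit, new leaf %d-bit\n", KeyBits(old.Leaf), KeyBits(nw.Leaf))
	fmt.Println("client with only the old root, new chain:", VerifyWithRoots(nw.Leaf, old.Root))
	fmt.Println("client with both roots, new chain:", VerifyWithRoots(nw.Leaf, old.Root, nw.Root))
	fmt.Println("pinned leaf hash still matches:", LeafFingerprint(old.Leaf) == LeafFingerprint(nw.Leaf))
}
```

Run it with `go run`. The client that only carries the old root gets Go's "certificate signed by unknown authority" error for the new chain, the client with both roots validates it, and the hash comparison prints false because the reissued leaf is a different certificate even though the hostname has not changed. A team preparing for a rollover like this would fetch the site's new chain and run the same checks against the trust store their product actually ships.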
In recent years there have been a number of attacks against SSL implementations and the certificate authority infrastructure itself.
Most of these attacks have gone after implementations, after specific protocol features such as CBC cipher modes (BEAST) and compression (CRIME), or after the CAs that sell certificates, as in the DigiNotar compromise. Attacks that break the cryptographic keys themselves have been rare, mainly because it is far easier to find flaws in implementations, clients or protocol features than to factor a key. Google's move to longer keys raises the cost of that last avenue: factoring the modulus to recover a certificate's private key, which would let an attacker impersonate a Google server. It does nothing against implementation bugs or a compromised CA, which is why those remain the more likely routes to a forged Google certificate.