RSA 2048-bit encryption for all Google SSL certs, root certificate

Google today became the latest big name to announce that it is beefing up encryption on its digital certificates to stronger 2048-bit encryption keys.

Stephen McHenry, director of information security engineering at Google, said today in a post that Google will upgrade all of its SSL certs to the new length by the end of this year -- the first wave starting on Aug. 1. Google also will upgrade the root certificate that it uses to sign its SSL certificates to 2048-bit.

The Certificate Authority/Browser (CA/B) Forum has mandated that CAs upgrade their 1024-bit key RSA certs for SSL sites and code-signing by the end of this year. Several major vendors, including Symantec and Microsoft, have announced they are upgrading their SSL certs to the 2048-bit key length as part of an industry trend to ratchet up security for SSL. SSL has been under scrutiny in the past few years, as researchers have demonstrated various types of attacks and cracks of the protocol.

"I think pretty much everyone is moving to 2048 bits by the end of 2013, and that's likely the reason Google is," says Ivan Ristic, director of engineering at Qualys. "Microsoft, Microsoft, NIST, CA/B Forum -- they all require transition to 2048-bit keys by the end of the year. The CA/B forum is doing a great job with their Baseline Requirements."

[Amid growing concerns of threats to and the integrity of the certificate authority (CA) infrastructure, the world's biggest CAs have banded together to promote and evolve stronger website security. See Major Certificate Authorities Unite In The Name Of SSL Security.]

The National Institute of Standards (NIST) has recommended the discontinuation of 1024-bit certificates at the end of this year, and browser and CA members of the CA/Browser Forum have adopted NIST's guidelines here.

"Most client software won't have any problems with either of these changes, but we know that some configurations will require some extra steps to avoid complications. This is more often true of client software embedded in devices, such as certain types of phones, printers, set-top boxes, gaming consoles, and cameras," Google's McHenry said.

In order to avoid any problems for client software, Google recommends validating the certificate chain; including "a properly extensive" set of the root certificates; supporting Subject Alternative Names (SANs); and supporting the Server Name Indication (SNI) extension.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights