Experts applaud Google completion of SSL certificate upgrade

Google's faster-than-expected upgrade of all its SSL certificates to an RSA key length of 2048 bits will make cracking connections to the company's services more difficult without affecting performance, experts say.

Google said Monday the move from 1024-bit RSA, announced in May, was completed a month ahead of schedule and the company would start issuing the longer keys immediately.

The upgrade started a couple of weeks before former National Security Agency contractor Edward Snowden sent the nation into shock with revelations of NSA surveillance of Americans in its anti-terrorism program. Nevertheless, Google referred to government spying in announcing the upgrade's completion.

"The deprecation of 1024-bit RSA is an industry-wide effort that we're happy to support, particularly in light of concerns about overbroad government surveillance and other forms of unwanted intrusion," Dan Dulay, security engineer for Google, said in the company's blog.

In October, Google was reportedly livid following a report by The Washington Post that the NSA had found a way to bypass Google's and Yahoo's security in collecting user data. Google and other companies have also been under pressure to demonstrate they are doing everything they legally can to dampen overzealous government surveillance.

Google's latest security move is part of an industry-wide initiative among websites that provide SSL connections; SSL is the security protocol denoted by the HTTPS in a URL. The National Institute of Standards and Technology and the CA/Browser Forum, a voluntary organization of certificate authorities and Web browser makers, have announced that 1024-bit RSA certificates will no longer be valid as of Jan. 1, 2014, Chris Grayson, analyst for security consulting firm Bishop Fox, said.

"End-users of Google products and services will likely notice no difference, but the security-conscious users can rest a bit easier knowing that Google has yet again taken another step forward in improving the security of its products and services," Grayson said.

Google issues certificates to itself through the Google Internet Authority, an intermediate certificate authority.

Doubling the key length makes decryption six to seven times slower, experts say. However, today's computers and browsers are powerful enough to handle the additional workload.

"The servers used by Google and the end-user workstations and devices connecting to them are likely powerful enough that the slower decryption should not be an issue," Andrew Hay, director of applied security research at CloudPassage, said.

The stronger certificates protect encrypted connections to Google's sites against brute-force attacks, which systematically check all possible keys until the correct one is found.

Before the NSA revelations, cracking 1024-bit keys was believed to require too much time and computing power to be practical. However, disclosures about the NSA's cryptanalysis capabilities have proven those assumptions wrong.

Industry adoption of the new key length is well on its way. SSL Pulse, which tracks SSL implementations of the most popular websites, said of the 162,000 sites it surveyed, 96 percent have migrated to 2048 bits.

In September, Symantec warned customers that failing to meet the deadline could result in browsers blocking non-compliant sites and visitors receiving warnings that a site is not secure.

Stories by Antone Gonsalves
