Google updates SSL certificates to 2048-bit encryption

By Peter Gothard
31 Jul 2013

Google has announced that it is migrating its SSL [Secure Sockets Layer] certificates from 1024-bit to 2048-bit keys.

Google Identity Team's Tim Bray describes the decision as "part of our continuous effort to increase internet security for Google and our users".

The company said the rollout will be completed in the next few months.

While increased security is a welcome move, Google has also made it clear that it is aware of, and has considered, clashes with various kinds of client software, only a couple of which are apparently a real danger.

"The first is people who are using a very old home-compiled version of OpenSSL with an out-of-date CA [certificate authority] database," said Bray.

"Then there are instances of embedded-client software with (against the best advice of all the experts) hard-coded certificate logic, perhaps for reasons of saving space."

However, Google is also advising that firmware updates for devices that have hard-coded root certificates may now be unable to connect to the company's HTTPS services.

Rather than taking a new root certificate from Google, the company recommends affected hardware begins using certification systems that allow new root certificates to be added on the fly.

Google talks specifically about certain Qualcomm modem-driven Android devices that have root certificates hard-coded, meaning that while Android itself can update certificates, the hardware cannot.

Google is firm that it will not simply release the new root certificates so that users or firms can hard-code them into devices as before.

"That is the wrong way to fix the problem. Certificates can change on a moment's notice, and software that uses them must be prepared to deal with that.

"While in the past, root certificates have not changed, that is less likely in the future. CAs are now under attack and the compromise of a CA's root certificate would require revocation."
