Security experts praise Google's tougher encryption

Google's faster-than-expected upgrade of all its SSL certificates to an RSA key length of 2048 bits will make cracking connections to the company's services more difficult without affecting performance, experts say.

Google said last week the move from 1024-bit RSA, announced in May, was completed a month ahead of schedule and the company will start issuing the longer keys immediately.

google_logo

The upgrade started a couple of weeks before former National Security Agency contractor Edward Snowden sent the nation in shock with revelations of NSA surveillance on Americans in its anti-terrorism program. Nevertheless, Google referred to government spying in announcing the upgrade's completion.

"The deprecation of 1024-bit RSA is an industry-wide effort that we're happy to support, particularly light of concerns about overbroad government surveillance and other forms of unwanted intrusion," Dan Dulay, security engineer for Google, said in the company's blog.

In October, Google was reportedly livid following a report by The Washington Post that the NSA had found a way to bypass the company and Yahoo's security in collecting user data. Google and other companies have also been under pressure to demonstrate they are doing everything they can legally to dampen overzealous government surveillance.

Services duck surveillance

Google's latest security move is part of an industry-wide initiative among web sites that provide SSL connections, a security protocol denoted by the HTTPS in a URL. The National Institute of Standards and Technology and the CA/Browser Forum, a voluntary organization of certificate authorities and Web browser makers, have announced that 1024-bit RSA certificates would no longer be valid as of January 1, 2014, Chris Grayson, analyst for security consulting firm Bishop Fox, said.

"End-users of Google products and services will likely notice no difference, but the security-conscious users can rest a bit easier knowing that Google has yet again taken another step forward in improving the security of its products and services," Grayson said.

Google issues certificates to itself through the Google Internet Authority, an intermediate certificate authority.

Doubling the key length makes the decryption time six to seven times slower, experts say. However, today's computers and browsers are powerful enough to handle the additional workload.

"The servers used by Google and the end-user workstations and devices connecting to them are likely powerful enough that the slower decryption should not be an issue," Andrew Hay, director of applied security research at CloudPassage, said.

The stronger certificates protect encrypted connections to Google's sites against brute-force attacks, which systematically check all possible keys until the correct one is found.

Needed: Even stronger keys

Before the NSA revelations, cracking 1024-bit keys was believed to require too much time and computing power to be practical. However, disclosures about the NSA's cryptanalysis capabilities have proven those assumptions wrong.

Industry adoption of the new key length is well on its way. SSL Pulse, which tracks SSL implementations of the most popular websites, said of the 162,000 sites it surveyed, 96 percent have migrated to 2048 bits.

In September, Symantec warned customers that failing to meet the deadline could result in browsers blocking non-compliant sites and visitors receiving warnings that a site is not secure.

Subscribe to the Security Watch Newsletter

Comments