Google plans to upgrade the security of its SSL (Secure Sockets Layer) certificates, an important component of secure communications.
SSL certificates are used to encrypt communication and verify the integrity of another party with which a user is interacting. Its strength lies in the length of the private signing keys used for the certificates.
Keys that are less than 1,024 bits are considered weak, and 512- and 768-bit keys have been factored to reveal a private key. Google has been using 1,024-bit keys, but will move to 2,048-bit keys, wrote Stephen McHenry, Google’s director of information security engineering, in a blog post Thursday.
“We will begin switching to the new 2048-bit certificates on August 1st, to ensure adequate time for a careful rollout before the end of the year,” he wrote. “We’re also going to change the root certificate that signs all of our SSL certificates because it has a 1024-bit key.”
McHenry warned that most client software won’t have trouble with the change, but client software embedded in some phones, printers, set-top boxes, gaming consoles and cameras could have problems.
He wrote that devices making SSL connections with Google will need to support normal validation of the certificate chain, maintain an extensive set of root certificates and support Subject Alternative Names (SANs), which allows one SSL certificate to validate several hosts.
Google’s move is prudent, but SSL still has other weak points.
Hundreds of organizations around the world can issue SSL certificates that are tied back to a so-called Certificate Authority. These organizations, known as intermediates, have been targeted by hackers. Creating a fraudulent certificate SSL certificate can make it appear a person is visiting a legitimate website when in fact it is fraudulent.
Google was the victim of such an attack in 2011 after a Certificate Authority called DigiNotar was breached. Hackers generated at least 500 fraudulent SSL certificates, including one that was used in attempted man-in-the-middle attacks against Gmail users in Iran.
In 2009, security researcher Moxie Marlinspike created a tool called SSLstrip, which allows an attacker to intercept and stop a SSL connection, although there is a fix that will block such an attack. Attackers using the tool can spy on whatever data is sent to a fake website.