What do they know?
Google buys a D-Wave quantum computer and then 1 week later announces that it is doubling its encryption key length.
*Takes off tin foil hat*
Google is about to start the first upgrade to its SSL certification system in recent memory, and will move to 2048-bit encryption keys by the end of 2013. The first tranche of changes is planned for August 1. The new requirements are laid out in a blog post and a FAQ on the topic. The upgrade, based on the guidelines from …
Whenever I need publicly recognized certificates I always turn to GoDaddy. Partly because of the price, but also because they really seem trustworthy to me; I came to that conclusion ever since GoDaddy started a global (company-wide) certificate revocation and re-issuing for all certificates which were made using Debian's OpenSSL, all because of the Debian OpenSSL disaster several years back.
That move had to cost them money, I'm very sure of that, but even so they still did it. And there are many certificate selling companies out there which didn't bother at all...
But the thing is: GoDaddy has been requiring 2048-bit keys to be used for several years now. So I can't help thinking that Google seems to be a little late to this 2048-bit key party.
I tried GoDaddy for secure certs several years ago and one thing I thought was quite surprising is that they auto-renewed secure certs by default (with no renewal e-mail warning either!). And, yes, they insisted credit/debit card info was in the account to force through the renewal...
I thought that was a somewhat dubious practice (it's generally considered wise to change your CSR when doing a renewal, so that's another reason not to like it), so when I got the first auto-renewal (yes, for a secure cert I wasn't going to renew), I ditched them and went to Servertastic instead (seem to be the cheapest UK-based SSL vendor).
If you must use the cheapest US-based SSL issuer, I'd skip GoDaddy and try Namecheap with their PositiveSSL certs (less than 6 pounds!). They even have online chat people to assist you and will do a "file on the server" method of authentication if you don't control the e-mail for the SSL site's domain.
As for 2048-bit SSL certs, I've no idea why the article didn't mention that most CAs have been using 2048 bits for several years now and will refuse a CSR that's only 1024-bit. Hence, Google switching to 2048 bits is barely news; they're one of the last ones to do so, I suspect (OK, that's news in itself, but again not alluded to in the article).
Who the heck does brute force attacks on SSL? Nobody. Why stuff like this is news makes me depressed about the state of IT. People and sloppy webapps are the weak points, not SSL. Doubtless security experts will earn millions in the coming months enforcing best practice analysis toolkit results.
>>it's generally considered wise to change your CSR when doing a renewal
Not just the CSR: you'll want to change the private/public key pair. If all you're doing is getting another cert with the same CSR (and obviously the same private key), then the reason for the expiry is rather moot; you may as well have got a two-year cert, as you've just given people twice as long to crack it (or, in the case of an MD5 CA cert, find a collision).
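As an added example (not from any commenter above), the renewal practice the last two comments describe, in shell with the openssl CLI: generate a fresh RSA key and CSR for the renewal, then check that the CSR's public key is not the same one the expiring certificate used and that it meets the 2048-bit floor the thread says CAs now enforce. The file names, the CN `example.test`, and the 2048-bit minimum are assumptions for the demonstration; the check compares SHA-256 fingerprints of the DER-encoded public keys, so reusing the old key with a new CSR is still caught.

```shell
#!/bin/sh
# Added example: renew a certificate with a fresh key pair and verify it.
# Requires the openssl CLI (1.1 or 3.x). Paths and CN below are constructed
# for the demo and are not taken from the thread.
set -eu

# key_bits KEYFILE : print the RSA size in bits of a PEM private key.
key_bits() {
  openssl pkey -in "$1" -noout -text \
    | sed -nE 's/.*Key: \(([0-9]+) bit.*/\1/p'
}

# csr_bits CSRFILE : print the size in bits of the public key inside a PEM CSR.
csr_bits() {
  openssl req -in "$1" -noout -pubkey \
    | openssl pkey -pubin -noout -text \
    | sed -nE 's/.*Key: \(([0-9]+) bit.*/\1/p'
}

# key_fpr KEYFILE : SHA-256 over the DER SubjectPublicKeyInfo of a private key.
key_fpr() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# csr_fpr CSRFILE : same fingerprint, taken from the public key in a CSR,
# so it can be compared directly with key_fpr of the old private key.
csr_fpr() {
  openssl req -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# new_csr KEYFILE CSRFILE CN BITS : generate a brand-new key and a CSR for it.
# This is the step a renewal should do; re-submitting the old CSR skips it.
new_csr() {
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$4" \
    -out "$1" 2>/dev/null
  openssl req -new -key "$1" -subj "/CN=$3" -out "$2"
}

# check_renewal OLDKEY NEWCSR MINBITS : succeed only if the CSR carries a key
# different from the expiring certificate's key and at least MINBITS long.
check_renewal() {
  cr_old=$(key_fpr "$1")
  cr_new=$(csr_fpr "$2")
  cr_bits=$(csr_bits "$2")
  if [ "$cr_old" = "$cr_new" ]; then
    echo "REJECT: CSR reuses the key of the expiring certificate" >&2
    return 1
  fi
  if [ "$cr_bits" -lt "$3" ]; then
    echo "REJECT: CSR key is only $cr_bits bits (minimum $3)" >&2
    return 1
  fi
  echo "OK: fresh ${cr_bits}-bit key"
}

# Demo: an "old" key from the expiring cert, a proper renewal, and a
# renewal that just re-signs a CSR with the old key.
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 0; }
demo=$(mktemp -d)
new_csr "$demo/old.key" "$demo/old.csr" example.test 2048
new_csr "$demo/new.key" "$demo/new.csr" example.test 2048
openssl req -new -key "$demo/old.key" -subj "/CN=example.test" -out "$demo/reuse.csr"
check_renewal "$demo/old.key" "$demo/new.csr" 2048
check_renewal "$demo/old.key" "$demo/reuse.csr" 2048 || true
```

Run it once and it generates two keys under a temporary directory, accepts the CSR made with the fresh key and rejects the one that merely re-signed a request with the old key. Substitute your real expiring key for `old.key` to vet a renewal CSR before sending it to the CA.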