Google to double encryption key lengths for SSL certs by year's end

Google is about to start the first upgrade to its SSL certification system in recent memory, and will move to 2048-bit encryption keys by the end of 2013. The first tranche of changes is planned for August 1. The new requirements are laid out in a blog post and a FAQ on the topic. The upgrade, based on the guidelines from …

COMMENTS

This topic is closed for new posts.
  1. OneArmJack
    Black Helicopters

    What do they know?

    Google buys a D-Wave quantum computer and then 1 week later announces that it is doubling its encryption key length.

    *Takes off tin foil hat*

    1. quartzie
      Alert

      Re: What do they know?

      afaik, if the quantum computer was anywhere close to its theoretical performance, 2048 bit keys would still be ridiculously short....

      1. Archimedes_Circle

        Re: What do they know?

        You would need 1024 qubits to factor a 2**1024 coprime integer. I thought D-Wave was only a handful. If there was a security compromise do you really think D-Wave would still be in business to anyone other than the NSA?

      2. Gordon Pryra

        Re: What do they know?

        It's not an actual quantum computer, it's a computer that makes use of some aspects of quantum science but does not do the whole "object in 2 states all the time" type thing.

  2. firefly
    Stop

    Pah

    Surely 13,407,807,929,942,597,099,574,024,998,205,846,127,479,365,820,592,393,377,723,561,443,721,764,030,073,546,976,801,874,298,166,903,427,690,031,858,186,486,050,853,753,882,811,946,569,946,433,649,006,084,096 keys ought to be enough for anybody.

    1. Crisp

      Re: Pah

      That's going to be one big keyring.

  3. Anonymous Coward

    Seems a bit late

    Whenever I need publicly recognized certificates I always turn to GoDaddy. Partly because of the price, but also because they really seem trustworthy to me; I came to that conclusion ever since GoDaddy started a global (company-wide) certificate revoke and re-issuing for all certificates which were made using Debian's OpenSSL; all because of the Debian OpenSSL disaster several years back.

    That move had to cost them money, I'm very sure of that, but even so they still did it. And there are many certificate selling companies out there which didn't bother at all...

    But the thing is: GoDaddy has been requiring 2048-bit keys to be used for several years now. So I can't help thinking that Google seems to be a little late to this 2048-bit key party.

    1. No, I will not fix your computer
      Flame

      Re: Seems a bit late

      Personally, wouldn't touch GoDaddy for the opposite of the reasons you specify, a bad experience, and because Bob Parsons likes to shoot animals for fun.

      http://www.theregister.co.uk/2011/07/12/godaddy_shuts_down_nodaddy/

    2. Richard Lloyd
      Meh

      Re: Seems a bit late

      I tried GoDaddy for secure certs several years ago and one thing I thought was quite surprising is that they auto-renewed secure certs by default (with no renewal e-mail warning either!). And, yes, they insisted credit/debit card info was in the account to force through the renewal...

      I thought that was a somewhat dubious practice (it's generally considered wise to change your CSR when doing a renewal, so that's another reason not to like it), so when I got the first auto-renewal (yes, for a secure cert I wasn't going to renew), I ditched them and went to Servertastic instead (seem to be the cheapest UK-based SSL vendor).

      If you must use the cheapest US-based SSL issuer, I'd skip GoDaddy and try Namecheap with their PositiveSSL certs (less than 6 pounds!). They even have online chat people to assist you and will do a "file on the server" method of authentication if you don't control the e-mail for the SSL site's domain.

      As for 2048-bit SSL certs, I've no idea why the article didn't mention that most CAs have been using 2048-bits for several years now and will refuse a CSR that's only 1024-bit. Hence, Google switching to 2048-bits is barely news - they're one of the last ones to do so I suspect (OK, that's news in itself, but again not alluded to in the article).

  4. Thorne
    Black Helicopters

    In Other News...

    The US government demands Google installs a backdoor so it can continue to spy on everybody.

    1. Tchou
      Holmes

      Re: In Other News...

      US government? Ha yes: Honeywell, Boeing, Microsoft, .... tons of others.... and their secretary M. President.

  5. RonWheeler
    Windows

    Tickbox security

    Who the heck does brute force attacks on SSL? Nobody. Why stuff like this is news makes me depressed about the state of IT. People and sloppy webapps are the weak points, not SSL. Doubtless security experts will earn millions in the coming months enforcing best practice analysis toolkit results.

    1. No, I will not fix your computer
      Meh

      Re: Tickbox security

      >>it's generally considered wise to change your CSR when doing a renewal

      Not just the CSR, you'll want to change the private/public key pair, if all you're doing is getting another cert with the same CSR (and obviously the same private key) then the reason for the expiry is rather moot - you may as well have got a two year as you've just given people twice as long to crack it (or in the case of an MD5 CA cert, find a collision).
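
Added example, not part of the original thread: a shell check for two points raised in the comments above, that a renewal should use a new key pair rather than the old CSR, and that CAs refuse 1024-bit CSRs. It assumes the `openssl` CLI is installed; the function names, file names and the `example.test` subject are constructed for illustration.

```shell
#!/bin/sh
# Added example: vet a renewal CSR against the certificate it replaces.
# All keys and certs below are constructed throwaway material for example.test.

# SHA-256 over the DER public key (SPKI) of a cert ($1=x509) or CSR ($1=req).
spki_hash() {
    openssl "$1" -in "$2" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Key size in bits as reported in the CSR's text dump.
csr_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_renewal OLD_CERT NEW_CSR: prints a verdict, returns 0 only if acceptable.
check_renewal() {
    bits=$(csr_bits "$2")
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "reject: ${bits:-unknown}-bit key"; return 1
    fi
    # Same SPKI hash means the same key pair, whatever the CSR file looks like.
    if [ "$(spki_hash x509 "$1")" = "$(spki_hash req "$2")" ]; then
        echo "reject: CSR reuses the old certificate's key"; return 2
    fi
    echo "ok: fresh ${bits}-bit key"
}

# Build constructed inputs: an expiring cert plus three candidate renewal CSRs.
make_demo() {
    d=$(mktemp -d) && cd "$d" || return 1
    openssl genrsa -out old.key 2048 2>/dev/null
    openssl genrsa -out new.key 2048 2>/dev/null
    openssl genrsa -out weak.key 1024 2>/dev/null
    openssl req -new -x509 -key old.key -subj "/CN=example.test" -days 1 -out old.crt
    openssl req -new -key old.key  -subj "/CN=example.test" -out reuse.csr
    openssl req -new -key new.key  -subj "/CN=example.test" -out fresh.csr
    openssl req -new -key weak.key -subj "/CN=example.test" -out weak.csr
}

make_demo
for csr in reuse.csr fresh.csr weak.csr; do
    printf '%s: ' "$csr"; check_renewal old.crt "$csr" || true
done
```

Comparing the public-key hash rather than the CSR file catches the case where a new CSR was generated from the old private key.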
