Google plans to upgrade its SSL certificate ecosystem to tighten security.
On Aug. 1, Google will begin switching to the new 2048-bit certificates to make the encryption used to connect to its services that much stronger.
“Protecting the security and privacy of our users is one of our most important tasks at Google, which is why we utilize encryption on almost all connections made to Google,” blogged Stephen McHenry, director of information security engineering at Google. “This encryption needs to be updated at times to make it even stronger, so this year our SSL services will undergo a series of certificate upgrades—specifically, all of our SSL certificates will be upgraded to 2048-bit keys by the end of 2013.”
Related: Are Certificate Revocation Processes Putting the Internet at Risk?
“We will begin switching to the new 2048-bit certificates on August 1st, to ensure adequate time for a careful rollout before the end of the year,” he added. “We’re also going to change the root certificate that signs all of our SSL certificates because it has a 1024-bit key.
Though most client software won’t have any problems as a result of these changes, some configurations will require additional steps to avoid complications. To ensure a smooth transition, client software that makes SSL connections to Google must perform normal validation of the certificate chain, include a properly extensive set of root certificates contained and support Subject Alternative Names (SANs).
“Also, clients should support the Server Name Indication (SNI) extension because clients may need to make an extra API call to set the hostname on an SSL connection,” McHenry blogged. “Any client unsure about SNI support can be tested against https://googlemail.com—this URL should only validate if you are sending SNI.”
McHenry also listed a number of examples of improper validation practices that could lead to the inability of client software to connect to Google using SSL after the upgrade, such as matching any other certificate exactly or hard-coding the expected root certificate.
“Any software that contains these improper validation practices should be changed,” he wrote.
More detailed information can be found here.
Related: Are Certificate Revocation Processes Putting the Internet at Risk?