Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Google Upgrading SSL Certificates to 2048-bit

Google plans to upgrade its SSL certificate ecosystem to tighten security.

On Aug. 1, Google will begin switching to the new 2048-bit certificates to make the encryption used to connect to its services that much stronger.

Google plans to upgrade its SSL certificate ecosystem to tighten security.

On Aug. 1, Google will begin switching to the new 2048-bit certificates to make the encryption used to connect to its services that much stronger.

“Protecting the security and privacy of our users is one of our most important tasks at Google, which is why we utilize encryption on almost all connections made to Google,” blogged Stephen McHenry, director of information security engineering at Google. “This encryption needs to be updated at times to make it even stronger, so this year our SSL services will undergo a series of certificate upgrades—specifically, all of our SSL certificates will be upgraded to 2048-bit keys by the end of 2013.”

RelatedAre Certificate Revocation Processes Putting the Internet at Risk?

Google SSL “We will begin switching to the new 2048-bit certificates on August 1st, to ensure adequate time for a careful rollout before the end of the year,” he added. “We’re also going to change the root certificate that signs all of our SSL certificates because it has a 1024-bit key.

Though most client software won’t have any problems as a result of these changes, some configurations will require additional steps to avoid complications. To ensure a smooth transition, client software that makes SSL connections to Google must perform normal validation of the certificate chain, include a properly extensive set of root certificates contained and support Subject Alternative Names (SANs).

“Also, clients should support the Server Name Indication (SNI) extension because clients may need to make an extra API call to set the hostname on an SSL connection,” McHenry blogged. “Any client unsure about SNI support can be tested against https://googlemail.com—this URL should only validate if you are sending SNI.”

McHenry also listed a number of examples of improper validation practices that could lead to the inability of client software to connect to Google using SSL after the upgrade, such as matching any other certificate exactly or hard-coding the expected root certificate.

“Any software that contains these improper validation practices should be changed,” he wrote.

More detailed information can be found here.

Related: Are Certificate Revocation Processes Putting the Internet at Risk?

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Identity & Access

Strata Identity has raised $26 million in a Series B funding round led by Telstra Ventures, with additional investment from Forgepoint Capital, Innovating Capital,...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Funding/M&A

Identity and access governance vendor Saviynt has closed a $205 million financing round.

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...