Google to double encryption key lengths for SSL certs by year's end

Google is about to start the first upgrade to its SSL certification system in recent memory, and will move to 2048-bit encryption keys by the end of 2013. The first tranche of changes is planned for August 1. The new requirements are laid out in a blog post and a FAQ on the topic. The upgrade, based on the guidelines from …

COMMENTS

This topic is closed for new posts.

What do they know?

Google buys a D-Wave quantum computer and then 1 week later announces that it is doubling its encryption key length.

*Takes off tin foil hat*


Re: What do they know?

Afaik, if the quantum computer was anywhere close to its theoretical performance, 2048-bit keys would still be ridiculously short....


Re: What do they know?

You would need 1024 qubits to factor a 2**1024 coprime integer. I thought D-Wave was only a handful. If there was a security compromise, do you really think D-Wave would still be in business to anyone other than the NSA?


Re: What do they know?

It's not an actual quantum computer; it's a computer that makes use of some aspects of quantum science but does not do the whole "object in 2 states all the time" type thing.


Pah

Surely 13,407,807,929,942,597,099,574,024,998,205,846,127,479,365,820,592,393,377,723,561,443,721,764,030,073,546,976,801,874,298,166,903,427,690,031,858,186,486,050,853,753,882,811,946,569,946,433,649,006,084,096 keys ought to be enough for anybody.


Re: Pah

That's going to be one big keyring.


Seems a bit late

Whenever I need publicly recognized certificates I always turn to GoDaddy. Partly because of the price, but also because they really seem trustworthy to me; I came to that conclusion ever since GoDaddy started a global (company-wide) certificate revoke and re-issuing for all certificates which were made using Debian's OpenSSL; all because of the Debian OpenSSL disaster several years back.

That move had to cost them money, I'm very sure of that, but even so they still did it. And there are many certificate selling companies out there which didn't bother at all...

But the thing is: GoDaddy has been requiring 2048-bit keys to be used for several years now. So I can't help thinking that Google seems to be a little late to this 2048-bit key party.


Re: Seems a bit late

Personally, wouldn't touch GoDaddy for the opposite of the reasons you specify, a bad experience, and because Bob Parsons likes to shoot animals for fun.

http://www.theregister.co.uk/2011/07/12/godaddy_shuts_down_nodaddy/


Re: Seems a bit late

I tried GoDaddy for secure certs several years ago and one thing I thought was quite surprising is that they auto-renewed secure certs by default (with no renewal e-mail warning either!). And, yes, they insisted credit/debit card info was in the account to force through the renewal...

I thought that was a somewhat dubious practice (it's generally considered wise to change your CSR when doing a renewal, so that's another reason not to like it), so when I got the first auto-renewal (yes, for a secure cert I wasn't going to renew), I ditched them and went to Servertastic instead (seem to be the cheapest UK-based SSL vendor).

If you must use the cheapest US-based SSL issuer, I'd skip GoDaddy and try Namecheap with their PositiveSSL certs (less than 6 pounds!). They even have online chat people to assist you and will do a "file on the server" method of authentication if you don't control the e-mail for the SSL site's domain.

As for 2048-bit SSL certs, I've no idea why the article didn't mention that most CAs have been using 2048 bits for several years now and will refuse a CSR that's only 1024-bit. Hence, Google switching to 2048 bits is barely news - they're one of the last ones to do so, I suspect (OK, that's news in itself, but again not alluded to in the article).


In Other News...

The US government demands Google installs a backdoor so it can continue to spy on everybody.


Re: In Other News...

US government? Ha yes: Honeywell, Boeing, Microsoft, ... tons of others ... and their secretary M. President.


Tickbox security

Who the heck does brute force attacks on SSL? Nobody. Why stuff like this is news makes me depressed about the state of IT. People and sloppy webapps are the weak points, not SSL. Doubtless security experts will earn millions in the coming months enforcing best practice analysis toolkit results.


Re: Tickbox security

>>it's generally considered wise to change your CSR when doing a renewal

Not just the CSR; you'll want to change the private/public key pair. If all you're doing is getting another cert with the same CSR (and obviously the same private key) then the reason for the expiry is rather moot - you may as well have got a two-year as you've just given people twice as long to crack it (or in the case of an MD5 CA cert, find a collision).
