The Internet giant Google has made yet another major change in wake of NSA spying. Originally, their goal was to enact new security certificates with a 2,048 bit encryption by the end of the year. They beat their deadline by over a month. The new SSL certificates are in place and they are able to start removing the 1,024 bit keys early next year.
What does this mean? You see, every website that uses HTTPS must have something called an SSL certificate. These certificates have associated public/private keys which are used to encrypt and decrypt data being sent from your computer to the website and vice versa. 1,024 bit keys are currently the defacto industry standard for SSL certificate keys. Google used to use 1,024 bit keys but has now moved all their websites and services to 2,048 bit.
With at 2,048 bit encryption, it is harder for outside users (*cough* NSA *cough*) to hack and gain access to encrypted connections. A 2,048 bit key is the binary equivalent of a 617 decimal digit number.
According to Dan Dulay, a security engineer for Google, “The depreciation of 1,024 bit RSA is an industry-wide effort that ‘we’re happy to support, particularly in light of concerns about overbroad government surveillance and other forms of unwanted intrusion.”
Dulay goes on to explain that the hardware security module that contained the 1,024 bit certificates is to be destroyed once all the 1,024 certificates residing on it are revoked.
The hope is that once the 1,024 keys are retired technology, moving forward will use the more secure 2,048 bit encryption keys and declare the 1,024 keys untrustworthy. However, I’m questioning the usefulness of this.
Anyone that has heard of a 1,024 bit SSL certificate being cracked, please raise your hand. Anyone? Anyone? I didn’t think so. There are rumors of NSA and co having the ability to crack these keys, but a) those are yet unconfirmed rumors and b) even if they did have the ability, it would be on an extremely rare basis that cracking takes place simply due to the computing power necessary to break the keys. Indeed, NSA and the like don’t gain access to encrypted data by cracking encryption keys. They do it by pressuring companies into giving up their keys or stealing the keys outright. And I don’t see how moving from 1,024 to 2,048 will solve that particular problem.
Maybe Google — and the web industry — know something I don’t, but I have to ask: what is the point of replacing something that is already secure? The length of SSL keys is not the weakest link here.
[via CNet, Google Online Security Blog]