Google Doubling Strength Of SSL Keys For Privacy Boost

Thomas Brewster,

Google’s Schmidt promises better privacy as the company announces bolstered SSL

Google is upgrading all of its SSL certificates to 2048-bit keys by the end of 2013, which will make using its services more private.

The news came after Google’s chairman Eric Schmidt said the company has “a clear business incentive” to protect user privacy. It has been heavily criticised for allegedly doing the opposite in the past, with Microsoft hounding it in “Scroogled” marketing pushes noting how Google looks through people’s personal data for advertising purposes.

Yesterday evening, the tech titan said it would begin switching to the new 2048-bit certificates on 1 August, and its root certificate was included.

Google-Logo-On-WallSSL certificates are used in a chain, designed to verify services delivered over HTTPS, with the root certificate having the final say on whether a service is trusted. By strengthening keys, Google is reducing the chance a hacker could crack them to snoop on communications.

Google SSL boost

There could be some technical issues for software makers hooking up to Google services, the firm admitted, but it has offered advice on its blog.

“Most client software won’t have any problems with either of these changes, but we know that some configurations will require some extra steps to avoid complications,” said Stephen McHenry, director of information security engineering.

“This is more often true of client software embedded in devices such as certain types of phones, printers, set-top boxes, gaming consoles, and cameras.

“For a smooth upgrade, client software that makes SSL connections to Google (e.g. HTTPS) must:

  • Perform normal validation of the certificate chain;

  • Include a properly extensive set of root certificates contained. We have an example set which should be sufficient for connecting to Google in our FAQ. (Note: the contents of this list may change over time, so clients should have a way to update themselves as changes occur);

  • Support Subject Alternative Names (SANs).”

SSL security has been in the spotlight repeatedly in recent times. Many are interested in how the UK government plans to crack SSL communications if it gets the go ahead with its Communications Data Bill, otherwise known as Snoopers’ Charter. The proposed law would give police greater and faster access to citizens’ comms information.

The deep packet inspection technology is available to look into SSL traffic, however. Blue Coat is building up a significant portfolio that can probe encrypted packets travelling over SSL, having just bought Solera Networks, which claims to provide something akin to a digital video recorder (DVR) for the network.

What do you know about Internet security? Find out with our quiz!