Google To Update SSL Certificates
In an ever-changing industry, one that is full of malicious activity and hackers against cheap hosting sites and mobile apps, Google has announced they are upgrading their SSL certificates to 2048-bit keys by the end of this year. The move became necessary as new requirements set forth by the Certificate Authority/Browser Forum state only 2048-bit key minimum can be issued by a certificate authority beginning January 1, 2014.
Google plans to move to the stronger certificates beginning August 1, 2013, as well as change its root certificate that has has a 1024-bit key currently, which it uses to sign all of its SSL certificates.
Google To Update SSL Certificates: Security And Privacy First And Foremost
On the Google blog, Stephen McHenry, Director of Information Security Engineering said, “Protecting the security and privacy of our users is one of our most important tasks at Google, which is why we utilize encryption on almost all connections made to Google.”
The August 1 beginning date ensures that the company can take its time with the switch, avoiding any complications.
McHenry assured users the changes won't cause problems for most client software, but does state that certain configurations will require taking extra steps in order to avoid problems. What software could be affected? He said that this is the software embedded in devices like tablets, phones, gaming consoles, set-top boxes, printers, and cameras.
Google To Update SSL Certificates: How To Upgrade
In order to make sure things go well, any client software that connects to Google using SSL connections (like HTTPS) should do the following as quoted from McHenry's blog post.:
- “Perform a normal validation of the certificate chain;
- Include a properly extensive set of root certificates contained. We have an example set which should be sufficient for connecting to Google in our FAQ (http://pki.google .com/faq.html). (Note: the contents of this list may change over time, so clients should have a way to update themselves as changes occur);
- Support Subject Alternative Names (SANs).”
Google points out Windows Vista, 7, and 8 systems could run into trouble: “Windows Vista, 7, and 8 will phone home to get updated Roots if the chain goes back to a Root they do not recognize. XP does not, but the latest updated version does trust the root certificate we will be using.”
Google To Update SSL Certificates: Additional Considerations
McHenry also told users clients should support the Server Name Indication (SNI) extension due to the fact these clients might need to make an additional API call in order to set the hostname on an SSL connection. If a client is unsure about SNI support, it can be tested against the URL https://googlemail .com. He stressed that this should only be validated if you are sending SNI.
There are some situations that exist that could lead to the client software not being able to connect to Google using SSL when the upgrade is complete. These improper validation processes are:
– Exactly matching the leaf certificate
– Exactly matching any other certificate (Root or Intermediate signing certificate, for example)
– Hard-coding the Root certificate, especially in firmware, which is often done based on the following assumptions listed in the blog post:
- “The Root Certificate of our chain will not change on short notice.
- Google will always use Thawte as its Root CA.
- Google will always use Equifax as its Root CA.
- Google will always use one of a small number of Root CAs.
- The certificate will always contain exactly the expected hostname in the Common Name field and therefore clients do not need to worry about SANs.
- The certificate will always contain exactly the expected hostname in a SAN and therefore clients don't need to worry about wildcards.”
McHenry tells those software clients using these improper validation practices to change them at once so that the change can do what it is supposed to: lower the risk of hackers using computers with high-powered processing capabilities compromising cheap hosting sites.
Are you ready for these changes?
