Site icon Ananova Business Web Hosting

Google To Update SSL Certificates

Google To Update SSL Certificates

In an ever-changing industry, one that is full of malicious activity and hackers against cheap hosting sites and mobile apps, Google has announced they are upgrading their SSL certificates to 2048-bit keys by the end of this year. The move became necessary as new requirements set forth by the Certificate Authority/Browser Forum state only 2048-bit key minimum can be issued by a certificate authority beginning January 1, 2014.

Google plans to move to the stronger certificates beginning August 1, 2013, as well as change its root certificate that has has a 1024-bit key currently, which it uses to sign all of its SSL certificates.

Google To Update SSL Certificates: Security And Privacy First And Foremost

On the Google blog, Stephen McHenry, Director of Information Security Engineering said, “Protecting the security and privacy of our users is one of our most important tasks at Google, which is why we utilize encryption on almost all connections made to Google.”

The August 1 beginning date ensures that the company can take its time with the switch, avoiding any complications.

McHenry assured users the changes won't cause problems for most client software, but does state that certain configurations will require taking extra steps in order to avoid problems. What software could be affected? He said that this is the software embedded in devices like tablets, phones, gaming consoles, set-top boxes, printers, and cameras.

Google To Update SSL Certificates: How To Upgrade

In order to make sure things go well, any client software that connects to Google using SSL connections (like HTTPS) should do the following as quoted from McHenry's blog post.:

Google points out Windows Vista, 7, and 8 systems could run into trouble: “Windows Vista, 7, and 8 will phone home to get updated Roots if the chain goes back to a Root they do not recognize. XP does not, but the latest updated version does trust the root certificate we will be using.”

Google To Update SSL Certificates: Additional Considerations

McHenry also told users clients should support the Server Name Indication (SNI) extension due to the fact these clients might need to make an additional API call in order to set the hostname on an SSL connection. If a client is unsure about SNI support, it can be tested against the URL https://googlemail .com. He stressed that this should only be validated if you are sending SNI.

There are some situations that exist that could lead to the client software not being able to connect to Google using SSL when the upgrade is complete. These improper validation processes are:

– Exactly matching the leaf certificate

– Exactly matching any other certificate (Root or Intermediate signing certificate, for example)

– Hard-coding the Root certificate, especially in firmware, which is often done based on the following assumptions listed in the blog post:

McHenry tells those software clients using these improper validation practices to change them at once so that the change can do what it is supposed to: lower the risk of hackers using computers with high-powered processing capabilities compromising cheap hosting sites.

Are you ready for these changes?


Exit mobile version