Google moves forward towards a more perfect SSL
I've spent two columns recently talking about SSL news, particularly what Microsoft is up to. Probably even more than Microsoft, Google has worked hard, both with standards and leading by example, to advance the security of the Internet through SSL/TLS.
On Monday Google made another announcement along these lines: They have eliminated the last SSL certificate with a 1024-bit key from their network. Now they are all-2048-bit.
As I wrote yesterday, the National Institute of Standards and Technology (NIST) has set 2016 as a deadline for eliminating 1024-bit keys from SSL. Microsoft seems to be very far along with this as well and has given notice to companies to move to 2048.
Unlike Microsoft, Google's official position (in their Certificate Practices Statement, see Appendix B) is that they are still supporting SHA-1 hashes in certificates. Microsoft has given notice that they won't support such certificates anymore as of 2016.
Google was the first of the major Internet services to turn on SSL by default on their services. In doing so they put pressure on their competitors, and now nearly everyone turns SSL on in appropriate situations. But there is another important SSL issue where Google is way ahead of Microsoft, and it's especially timely: Forward Secrecy, sometimes called Perfect Forward Secrecy, which Google enabled two years ago.
Forward Secrecy deals with the problem of post-hoc analysis of SSL ciphertext. Consider the recent example of Lavabit: The government wanted Lavabit to hand over their SSL keys. Presumably the government had already been collecting encrypted Lavabit traffic, so if they had the keys they could decrypt the traffic contents retroactively.
Forward Secrecy changes the key agreement protocol for SSL between the client and server to ensure that if the long-term key (the one that Lavabit would have to give to the government) is compromised, it won't compromise the separate session keys used for any specific session. The session keys are randomly generated using a non-deterministic algorithm.
Google's enthusiasm two years ago for Forward Secrecy makes a lot of sense considering all the revelations in the last several months about NSA monitoring of everyone and everything. One of the advantages that an agency like the NSA has is massive computing resources. They can afford to collect huge amounts of encrypted data on the chance that it later becomes worth the hard work necessary to decrypt some of it. Forward Secrecy makes it even harder for the NSA to do this.
In fact, having Forward Secrecy enabled for the last two years means that the 1024-bit keys that Google just stopped using weren't much of a problem. The same may be true of SHA-1 (one day when practical attacks against SHA-1 are developed).
Since the NSA blowup Microsoft has been under pressure (here's an example request) to implement Forward Secrecy on their own systems. I can find some references to it on their site (such as this one on MSDN), but it's not clear how far they are from actual implementation. I asked Microsoft and got this statement:
Recent disclosures make it clear we need to invest in protecting customers' information from a wide range of threats, which if the allegations are true, include governments. We are evaluating additional changes that may be beneficial to further protect our customers' data
Whenever I write about all that Google does to protect its users I get snark-back about how they're digging through your private content in order to sell you things. Well, yeah. That's what you agree to in exchange for all those cool free services and the best protection of your data they can give against those with whom you have not agreed to trust your data. If the prospect of seeing an advertisement that has been tailored to your interests is that scary to you, take your business elsewhere.
But if you're a Google user you've benefited greatly from all the security work Google has done. In fact, even if you're not a Google user you have benefited from Google's security work.