Google beefs up its SSL keys to 2048-bits

An update to the certificate chain of the internet giant could cause issues with older and smaller hardware.

Google has announced overnight that the company will be updating its SSL certificates to 2048-bit keys, up from the current 1024-bits, and changing the search giant's certificate chain.

The task is already underway and is expected to be completed over the coming months.

Modern systems should have no issue with the update, so long as its SSL root certificates are not hardcoded. Google cites a couple of instances where systems could run into trouble — this include phones, printers, set-top boxes, and cameras.

"The first is people who are using a very old home-compiled version of OpenSSL with an out-of-date CA [certificate authority] database. Then there are instances of embedded-client software with (against the best advice of all the experts) hard-coded certificate logic, perhaps for reasons of saving space." wrote Google developer advocate, Tim Bray.

For devices that will not be able to connect to Google HTTPS services due to having hard-coded root certificates, a firmware update will be needed.

Rather than handover the root certificate to be embedded, Google instead is recommending that any hardware that needs updating, move to a mechanism where the device will be able to update new root certificates on the fly.

"Certificates can change on a moment’s notice, and software that uses them must be prepared to deal with that," says the Google Internet Authority FAQ.

"The only way to do this correctly is to build software that understands that Roots can change, and can adapt to that."

The company says that such mechanisms are needed for situations, not only where individual certificates are compromised, but also where certificate authorities themselves are compromised, have to revoke all their signed root certificates.

In 2011, a Dutch CA named DigiNotar filed for bankruptcy after an attacker was able to create a false certificate for * and conduct a man-in-the-middle attack. DigiNotar's certificates, which were used by the Dutch government, were subsequently rejected and the company liquidated.

Last week, CNet revealed that the FBI and NSA had attempted to obtain encryption master keys, which if given up to the authorities, would allow them to decrypt the contents of SSL communications.