X

Google finishes 2,048-bit security upgrade for Web privacy

Prodded by "concerns about overbroad government surveillance," Google beat an end-of-year deadline to retire Web certificates with less secure 1,024-bit encryption keys.

Stephen Shankland Former Principal Writer
Stephen Shankland worked at CNET from 1998 to 2024 and wrote about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise Processors, semiconductors, web browsers, quantum computing, supercomputers, AI, 3D printing, drones, computer science, physics, programming, materials science, USB, UWB, Android, digital photography, science. Credentials
  • Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
See full bio
Stephen Shankland
2 min read
A 2,048-bit encryption key in binary is equivalent to a 617-digit number using decimal digits -- not an easy number to guess if you don't know it.
A 2,048-bit encryption key in binary is equivalent to a 617-digit number using decimal digits -- not an easy number to guess if you don't know it. Wolfram Alpha

Never again are you going to get a Google Web site whose security certificate is protected with comparatively weak 1,024-bit encryption.

The Net giant has secured all its certificates with 2,048-bit RSA encryption keys or better, Google security engineer Dan Dulay said in a blog post Monday. Certificates are used to set up encrypted communications between a Web server and Web browser.

That means two things. First, traffic will be harder to decrypt since 1,024-bit keys aren't in use at Google anymore. Second, retiring the 1,024-bit keys means the computing industry can retire the technology altogether by declaring such keys untrustworthy.

Google has been aggressively moving to stronger encryption because of U.S. government surveillance by the National Security Agency. According to documents leaked by former NSA contractor Edward Snowden, the agency gathered bulk data off Internet taps, including unencrypted data sent between company data centers on its own network, and actively worked to undermine encryption.

Google said it beat its internal end-of-year deadline for the 2,048-bit move. It's also moved to encrypt its internal data transfer between data centers, a move that Yahoo also is making.

In other words, the Net's technology giants are working actively to make surveillance, authorized or not, significantly harder.

Clicking on Chrome's green lock icon in the address bar lets you see details of the encryption used for a secure connection.
Clicking on Chrome's green lock icon in the address bar lets you see details of the encryption used for a secure connection. (Click to enlarge.) screenshot by Stephen Shankland/CNET

"Worry in Silicon Valley/Puget Sound: furor over NSA will cost billions cuz foreign customers fear US companies can't guarantee security," tweeted Strobe Talbott, president of analyst firm Brookings Institution, referring to the geographic regions where tech powers such as Google, Facebook, Yahoo, Microsoft, Twitter, Apple, LinkedIn, and Amazon are located.

There's a lot of work to be done yet, though. Google also supports a standard called "forward secrecy," which uses different keys for different sessions so that decrypting a single message doesn't mean previous messages can likewise be decrypted using the same key. But many other Net giants don't support forward secrecy -- though that's changing, too.

Services and Software Guides

VPN
Cybersecurity
Streaming Services
Web Hosting & Websites
Other Services & Software
Services and Software Coupons