The security world is still feeling the effects of the gradual unfolding of revelations made by Edward Snowden, part of which exposed the NSA for spying on its own citizens. Amid a myriad of outcries, harsh comments and an endless array of pledges made by leading organizations, Google announced its frustration with the situation and focused on bringing forward the target completion date of its rollout of 2048-bit RSA SSL certificates, to provide a better overall security posture for its clients. For newcomers: these digital certificates are extensively used to set up secure, encrypted communications between a Web server and a Web browser.
Google announced on 18 November 2013 that this work has now been successfully completed: all of its 1024-bit certificates have been replaced with stronger 2048-bit RSA keys or better. While it is not impossible to break 2048-bit certificates or decrypt the traffic they protect (considering the immense resources the NSA has at hand), it definitely gives any interested party a run for their money.
According to its blog post, Google was not dependent on 1024-bit RSA certificates for its communications and relied extensively on forward secrecy, which requires that the private keys for a connection are not kept in persistent storage. This ensures that the compromise of a single key will not allow an attacker to decrypt past traffic retrospectively.
It is worth quickly understanding how the NSA has been able to tap into this data. The National Security Agency harvested bulk data from Internet taps strategically placed between the company's own data centers; this included unencrypted data sent between company data centers on its own network, and the agency actively worked to undermine encryption. Google said it has also moved to encrypt its internal data transfers between data centers.
One thing to note is that this move was not initiated by Google alone; it follows a new standard for SSL certificates. Industry standards set by the Certification Authority/Browser (CA/B) Forum require that all certificates issued after January 1, 2014 MUST be at least 2048-bit key length. Certificates that continue to use 1024-bit keys will likely be locked down, and their owners are strongly advised to upgrade to 2048-bit.
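As an added example (not Google's or the CA/B Forum's code), the following stdlib-only Python shows what the rule above actually measures: it builds a PKCS#1 RSAPublicKey in DER, reads the modulus back, and applies the 2048-bit / 2014-01-01 test. The moduli, the `cab_forum_verdict` function and its verdict strings are constructed for illustration; note that DER pads a 2048-bit modulus to 257 bytes, so a check that counts bytes instead of modulus bits would be off by one.

```python
from datetime import date

CAB_MIN_RSA_BITS = 2048        # CA/B Forum minimum for certificates issued from 2014
CAB_CUTOFF = date(2014, 1, 1)  # effective date quoted in the post

def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_integer(value: int) -> bytes:
    """DER INTEGER is two's complement: a 0x00 pad byte is prepended when the
    top bit is set, so a 2048-bit modulus occupies 257 bytes, not 256."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body

def encode_rsa_public_key(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    inner = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(inner)) + inner

def _read_tlv(buf: bytes, pos: int):
    """Decode one tag-length-value triple; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der: bytes) -> int:
    """Key size of a DER RSAPublicKey = bit length of the modulus (pad byte ignored)."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "expected SEQUENCE"
    tag, modulus, _ = _read_tlv(seq, 0)
    assert tag == 0x02, "expected INTEGER modulus"
    return int.from_bytes(modulus, "big").bit_length()

def cab_forum_verdict(not_before_iso: str, modulus_bits: int) -> str:
    """Constructed helper: 2048 bits required for certificates issued from 2014-01-01."""
    if modulus_bits >= CAB_MIN_RSA_BITS:
        return "compliant"
    if date.fromisoformat(not_before_iso) >= CAB_CUTOFF:
        return "non-compliant: must be at least 2048-bit"
    return "legacy (below 2048-bit): upgrade to 2048-bit advised"
```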
Interestingly enough, this advancement is also tied to the fact that computers are becoming faster, and a certificate with a key shorter than 2048 bits will continue to be at risk of compromise by adversaries with corresponding processing capabilities. The move to 2048-bit keys, a much stronger encryption standard, is a step in the right direction to preserve overall cyber security and make the lives of Government snoops harder by making surveillance activities difficult to perform.