SSL Certificates To Become More Secure in January

By the end of 2013 there will be a major change coming to many of the secure web sites and mail servers on the Internet: effective January 1, 2014 all secure certificates used on the Internet will need to be upgraded from 1024 to 2048 bit encryption. For those of you who have no idea what I am talking about, read on for a brief explanation.

The purpose of data encryption is to keep your information private. You can tell you are visiting a secure website easily enough. Look at the address bar. A standard, non-secure web address starts with http://. A secure web site starts with https://. In the case of email, a secure server would require you to use SSL (Secure Socket Layer), or another form of encryption before you could access your mailbox.  A non-secure mail server would not require this setting.

Data encryption is done by creating two keys – a public key and a private key. The stronger the key the more secure your data is. Strength is measured by the number of bits used to generate the keys. One key (private) is used to generate the encryption, and the other is used to decrypt the data when it needs to be viewed.

Further reading: “How Encryption Works” in PC Magazine.

Over the past couple of years, the companies that sell the SSL (Secure Socket layer) certificates used by web and email servers decided that the current 1024 bit encryption system was no longer secure enough. Their solution was to force everyone to upgrade their certificates or access to their secure sites would be unavailable. This, understandably, caused quite the buzz in web browser circles who would have to conform to the new standard.

Apparently, web browser developers were not exactly sure how to handle the change. Should they just find a way to allow both levels of encryption until everyone can upgrade? Or should they just drop connections to certificates that do not conform to the new standard effective the start of next year? In the end, they agreed on the latter option.

The good news is that if you have a certificate currently you may be able to get a free upgrade to your existing certificate from your provider. It will have the same expiration date as your old certificate but at least you will conform to the new standard. If you have purchased a certificate and are unsure about its status, I recommend contacting the company you purchased your certificate from.

An example of what some Certificate providers are doing to help with the coming changes:
http://www.thawte.com/resources/2048-bit-compliance/

Further Reading on how SSL works: “Secure Sockets Layer” on Search Security

You only need to purchase a certificate if you are running a secure server of some sort.

For those of you who do not have a certificate the above will not apply, but you should know that there is a change coming, and because of this change some of your regular web sites whose URL begins with “https” may disappear for a while until their certificate is upgraded.

A big shout-out to Tom for this blog idea! Got a question or an idea for a topic you would like to see covered in one of my upcoming blog posts? Write to support@skywaywest.com and sound off. I’ll do what I can to address your questions or concerns either personally in a reply email or on the blog. Until next month, take care.

–Wes