If you have any SSL certificates with less than 2048-bit keys, now is the time to upgrade. Why? Because the Certification Authority/Browser (CA/B) Forum and the National Institute of Standards and Technology have determined that any key length below 2048-bit is no longer strong enough. As computer power increases, anything less than 2048-bit certificates are at risk of being compromised by hackers with readily-available processing capabilities. The cybersecurity industry is moving to adoption of SSL certificates employing at least 2048-bit encryption to help preserve internet security.
As a result, these bodies have mandated that all CAs stop issuing 1024-bit certificates and revoke any certificates with key lengths below 2048-bit after Dec. 31, 2013. While that deadline is still months away, Symantec will revoke some certificates with encryption below 2048-bit as early as Oct. 1, 2013 to help its customers avoid potential disruptions to their sites during holiday internal site lockdown periods.
Does this impact you and your SSL certificates? It could, in any of the following ways:
- Customers with SSL certificates below 2048-bit that expire before Dec. 31, 2013 must renew those certificates with 2048-bit certificate signing requests (CSRs). Certificates that expire before the end of the year will not be automatically revoked on Oct. 1.
- Customers with certificates below 2048-bit that expire after Dec. 31, 2013 must revoke and replace those certificates with 2048-bit CSRs , or the certificate will be automatically revoked as soon as Oct. 1.
- Customers with SSL certificates containing 2048-bit keys (or higher) will not be impacted.
To test your certificate to see if you need to upgrade, check your certificate’s encryption strength.
If you do not act before your certificate is revoked, it could lead to any number of less-than-ideal situations: browsers blocking visitors from your website, customers receiving security warnings before visiting, transactions left unprotected and susceptible to fraud, and Trust Seals disappearing from your website. All of these deter site visitors from completing transactions and trusting your site. Potential non-financial ramifications also include damage to your brand or customer attrition and decreased lifetime value because customers feel they didn’t receive sufficient notifications – all of which could lead to loss of business to a competitor.
Learn how to replace your certificate by reading our earlier post: What you need to know to migrate from 1024-bit to 2048-bit encryption.
Threats to data security are not only growing but evolving. Therefore it’s imperative that we evolve and upgrade our security features as well to stay ahead of these threats, meet new mandates and maintain the security and trust that people expect. As the trusted and established leader among CAs, Symantec emphatically believes that advancing and adhering to CA/B Forum and other security best practices is in the best interest of our customers, our customers’ customers, and trust on the internet.
Additional Resources
FAQ: Ending support for 1024-bit certificates
Support: Get technical support for 1024-bit transition