For a website to offer HTTPS it uses a TLS certificate (previously called an SSL certificate). The certificate lets the website share its public key, so anyone can send encrypted data to the website. This protects the data in transit so it can't be read or modified by someone on the network between the two ends, while the website, which holds the matching private key, can decrypt it, read it and respond. So it is very good at protecting the data sent, using (asymmetric) encryption.
This asymmetric encryption is based on mathematical methods where one direction (encrypting) is a lot faster than the other direction (decrypting) without the shortcut, the private key. If we make the number large enough, decrypting without the shortcut is beyond the computing power of current systems. An example of this is multiplication versus factorisation. Multiplying two very large numbers is simple, but factorising one very large number back into its two large (prime) factors is extremely hard in comparison. So, hopefully, you can see that the key measure of security is the size of the number: the larger the number, the harder it is to factorise.
This is where key size comes in. The key size is the size of that number, so the larger the key size, the larger the number and the harder it is to factorise.
This matters because of attacks where people capture internet traffic (which might be HTTPS) and store the data for 5 to 10 years, in the hope that in 5 to 10 years computers will have improved enough to factorise the large number, decrypt the captured traffic and read it, including usernames and passwords.
Therefore the key size for the certificate must be large enough to protect not only against current supercomputers, but also against the supercomputers of 10 years' time.
Therefore we recommend increasing the key size (where possible) to something expected to stay secure for more than 10 years, which by our maths is 3072-bit RSA or 256-bit ECDSA, or larger.
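The recommendation above can be turned into a check. The following is an added example (not from the original post, and not a tool of the author's): it walks the DER encoding of a certificate's SubjectPublicKeyInfo with the Python standard library only, reads the RSA modulus (the "large number" the article describes) or the named EC curve, and compares the resulting key size against the 3072-bit RSA / 256-bit ECDSA thresholds stated in the text. The sample keys, the `_der`/`_encode_oid` helpers used to build them, the seed and the threshold table are all constructed for this example; the sample RSA modulus is a random odd number of the requested size, not a real product of two primes, since only its bit length matters here.

```python
"""Added example: classify a DER SubjectPublicKeyInfo by key type and size.

To obtain a real SPKI from a certificate file, you can run:
    openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER
and pass the resulting bytes to key_info() / meets_recommendation().
"""
import random

RSA_OID = "1.2.840.113549.1.1.1"   # rsaEncryption
EC_OID = "1.2.840.10045.2.1"       # id-ecPublicKey
# Named curves and their key sizes in bits (assumed table for this example)
CURVES = {
    "1.2.840.10045.3.1.7": ("P-256", 256),
    "1.3.132.0.34": ("P-384", 384),
    "1.3.132.0.35": ("P-521", 521),
}
# Minimum sizes recommended in the article
MIN_BITS = {"RSA": 3072, "ECDSA": 256}


def _read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID contents into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def key_info(spki):
    """Return (algorithm, bits) for a DER SubjectPublicKeyInfo blob."""
    tag, body, _ = _read_tlv(spki)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    _, alg, pos = _read_tlv(body)         # AlgorithmIdentifier SEQUENCE
    _, bitstr, _ = _read_tlv(body, pos)   # BIT STRING holding the key
    _, oid_raw, after_oid = _read_tlv(alg)
    oid = _decode_oid(oid_raw)
    if oid == RSA_OID:
        # BIT STRING content: one unused-bits byte, then RSAPublicKey SEQUENCE {n, e}
        _, rsa_seq, _ = _read_tlv(bitstr[1:])
        _, modulus, _ = _read_tlv(rsa_seq)           # INTEGER n
        return "RSA", int.from_bytes(modulus, "big").bit_length()
    if oid == EC_OID:
        _, curve_raw, _ = _read_tlv(alg, after_oid)  # parameters = named curve OID
        _, bits = CURVES[_decode_oid(curve_raw)]
        return "ECDSA", bits
    raise ValueError(f"unsupported algorithm {oid}")


def meets_recommendation(spki):
    """True when the key size is at least the article's recommended minimum."""
    alg, bits = key_info(spki)
    return bits >= MIN_BITS[alg]


# --- constructed sample input (DER encoder helpers exist only to build test keys) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def _der_int(value):
    # Minimal two's-complement encoding: extra leading byte if the high bit is set
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def sample_rsa_spki(bits, seed=1):
    """Constructed RSA SPKI whose modulus is a random odd number of exactly `bits` bits."""
    n = random.Random(seed).getrandbits(bits) | (1 << (bits - 1)) | 1
    rsa_key = _der(0x30, _der_int(n) + _der_int(65537))
    alg = _der(0x30, _der(0x06, _encode_oid(RSA_OID)) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))


def sample_ec_spki(curve_oid="1.2.840.10045.3.1.7"):
    """Constructed P-256 SPKI with a placeholder (not valid) uncompressed point."""
    alg = _der(0x30, _der(0x06, _encode_oid(EC_OID)) + _der(0x06, _encode_oid(curve_oid)))
    return _der(0x30, alg + _der(0x03, b"\x00\x04" + b"\x11" * 64))


if __name__ == "__main__":
    for label, spki in [("RSA-2048", sample_rsa_spki(2048)),
                        ("RSA-3072", sample_rsa_spki(3072)),
                        ("P-256", sample_ec_spki())]:
        print(label, key_info(spki), "OK" if meets_recommendation(spki) else "TOO SMALL")
```

Running it reports the 2048-bit RSA sample as too small and the 3072-bit RSA and P-256 samples as acceptable. The parser is deliberately minimal: it handles the two key types the article discusses and raises on anything else rather than guessing.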
If the platform or provider doesn't support the larger keys, we would suggest raising a support request to see if they can change it, and in the meantime uploading a custom certificate with a larger key.
As part of our penetration testing this is one of hundreds of things we check, so if you aren't sure, or want to check your website for vulnerabilities, feel free to contact us.