Public Key Lengths

Context: The Wormly SSL Tester reports a server's public key length.

To establish a secure connection with your web server, your server must present its public key to the client. This key is used by the client during the initial handshake to encrypt a message that only your server - with access to the corresponding private key - can decrypt.

Your private / public keypair can be generated to a range of different lengths. All else being equal, the longer the key length, the more time required to break the encryption using a brute force attack. Therefore the longer the key length, the more secure it is.

Currently, key lengths of less than 1024 bits are considered to be insecure. However, as computing power increases, the minimum key length required to be “secure” will increase.

As of 2011, most Certificate Authorities are insisting on 2048-bit key lengths to ensure adequate security into the future.

But there is a security vs performance tradeoff that we need to consider: longer key lengths require more computation to encrypt and decrypt messages. Accordingly, if you use an unnecessarily long key-pair to secure your web servers, clients will be slower to establish the SSL / TLS session with your server as they engage in this more complex computation.

To help ensure an optimal browsing experience for your users, avoid generating public / private key-pairs which are longer than necessary; 1024 or 2048 bits is our recommendation.
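As an added illustration (not Wormly's code), the Python below shows one way a checker can measure the key length discussed above: it walks a DER-encoded RSA SubjectPublicKeyInfo, returns the modulus bit length, and applies this page's thresholds. The helper names and the dummy-modulus sample key are assumptions constructed for the example.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_key_bits(spki_der):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo."""
    _, spki, _ = read_tlv(spki_der)        # SEQUENCE SubjectPublicKeyInfo
    _, alg, pos = read_tlv(spki)           # SEQUENCE AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg)            # OBJECT IDENTIFIER
    if tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an RSA public key")
    tag, bits, _ = read_tlv(spki, pos)     # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsa_seq, _ = read_tlv(bits[1:])     # SEQUENCE { modulus, publicExponent }
    tag, modulus, _ = read_tlv(rsa_seq)    # INTEGER modulus
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()

def classify(bits):  # thresholds taken from the text above
    if bits < 1024:
        return "insecure"
    return "recommended" if bits in (1024, 2048) else "outside recommendation"

def der(tag, value):
    n = len(value)
    if n >= 0x80:  # long-form length
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(octets)]) + octets + value
    return bytes([tag, n]) + value

def sample_spki(bits):  # constructed input: dummy modulus, not a usable key
    mod = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = der(0x30, der(0x02, mod) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + rsa))
```

The leading zero octet that DER puts in front of a modulus whose top bit is set does not count towards the key length, which is why the bit length is taken from the integer value rather than from the byte count.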
