
Don't have a ton of experience with SSL and only recently started messing with TLS on my Apache server, but a question: Google makes mention of a 2048-bit certificate, but most of the certificates I see are 128/256. Is this number referring to something other than the strength of the encryption?



Messages like "your connection is encrypted with 256-bit encryption" don't tell you anything about the size of the RSA keys in use.

During the TLS handshake, your browser and the server do public-key crypto to authenticate each other and share private information without a previously-known shared secret. Because public-key crypto is really, really slow, they then share a small secret (say, 128 or 256 bits), and use that secret as the key for a traditional symmetric encryption algorithm like AES. That's the number you're seeing.

Take a look at https://en.wikipedia.org/wiki/Transport_Layer_Security
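As an added illustration (not part of the thread, and not how any real TLS library is written), the following stdlib-only Python sketch acts out the two phases described above: a big RSA key authenticates one side and transports a short secret, and that short secret keys the fast symmetric cipher. The RSA is textbook and unpadded, the "AES" is an HMAC-SHA256 keystream standing in because the standard library has no AES, and the 2048/256 numbers are the ones from the question; everything else (function names, the label string) is made up for the example.

```python
"""Toy model of the key sizes seen in a TLS handshake (illustration only)."""
import hashlib
import hmac
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test: False means composite, True means very probably prime."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits; the top two bits are set so p*q has 2*bits bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def generate_rsa_key(bits: int = 2048):
    """Return (n, e, d): public modulus, public exponent and private exponent."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        try:
            d = pow(e, -1, phi)  # modular inverse; raises ValueError if gcd(e, phi) != 1
        except ValueError:
            continue
        return p * q, e, d


def rsa_encrypt(pub, m: int) -> int:
    """Textbook RSA (no padding) - illustration only, real TLS pads the pre-master secret."""
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def derive_session_key(pre_master_secret: bytes) -> bytes:
    """Stretch the shared secret into a 256-bit session key (HMAC-SHA256 as a stand-in KDF)."""
    return hmac.new(pre_master_secret, b"toy key expansion", hashlib.sha256).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher standing in for AES: HMAC-SHA256 counter keystream XORed with data."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def toy_handshake(bits: int = 2048) -> dict:
    """Run both phases and report the key sizes each one involves."""
    n, e, d = generate_rsa_key(bits)                    # the "2048-bit certificate" key
    pre_master = secrets.token_bytes(32)                # 256-bit secret picked by the client
    ciphertext = rsa_encrypt((n, e), int.from_bytes(pre_master, "big"))
    server_pms = rsa_decrypt((n, d), ciphertext).to_bytes(32, "big")
    client_key = derive_session_key(pre_master)         # both sides derive the same
    server_key = derive_session_key(server_pms)         # "256-bit encryption" key
    return {
        "rsa_modulus_bits": n.bit_length(),
        "pre_master_bits": len(pre_master) * 8,
        "session_key_bits": len(client_key) * 8,
        "keys_match": client_key == server_key,
    }


if __name__ == "__main__":
    print(toy_handshake(2048))
```

Running it prints something like `{'rsa_modulus_bits': 2048, 'pre_master_bits': 256, 'session_key_bits': 256, 'keys_match': True}`: the two numbers in the question come from two different keys doing two different jobs. One caveat the sketch leaves out is that in current TLS the certificate's RSA key only signs the handshake while a Diffie-Hellman exchange produces the shared secret, so a 2048-bit RSA key and a 256-bit AES key still coexist, just without the RSA key ever encrypting anything.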


Thank you both, that really makes sense. I thought it was a little peculiar that Google decided to mention the whole 2048-bit thing; I couldn't have been the only one who was thrown off by that a bit.


http://security.stackexchange.com/questions/19473/understand...

TL;DR: 2048-bit is for the RSA keys, 128/256-bit is the key used in the SSL connection.


2048 is the RSA key size. 128 or 256 is the AES key size (or more generally the key size for the symmetric cipher). Nowadays the latter doesn't depend on the cert, but in the 90s it artificially did thanks to U.S. export policy. CAs still advertise as if we were stuck in the 90s.



