Security Advisor
Small RSA Keys Blocked, Will Trouble Follow?
While malware will have to use a new trick to infect systems, Microsoft's solution may hurt those who have dealings overseas.
Microsoft has been talking about Web certificates pretty much nonstop since news broke that the Flame malware got around by fooling Windows machines into thinking that it was a safe, secure and trusted program.
Every Patch Tuesday for the past few months the company brought up its plans of automatically blocking any RSA keys that are less than 1024 bits in length. But until yesterday, it was only talk.
Now with Security Advisory 2661254, Microsoft has provided a download for enterprises that will block certificates with RSA keys shorter than 1024 bits from being waved through a system.
But why only make this a download and not an automatic update? Because Microsoft knows that there are those non-Flame, non-malware companies that are still foolishly using short RSA keys. So if your company's got the length, download the update now. If your certificate is lacking a bit, fix that immediately!
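One way to check readiness before rolling out the update is to audit the RSA key sizes in your certificate inventory against the 1024-bit floor the advisory enforces. The script below is an added example, not Microsoft's tool or anything from the advisory: it hand-encodes a SubjectPublicKeyInfo (so it runs offline without a crypto library), extracts the modulus bit length with a minimal DER reader, and reports which entries the update would block. The moduli, the inventory names and the `MIN_RSA_BITS` constant are constructed for illustration; the moduli are not real RSA keys, only integers of the right size.

```python
"""Audit RSA key sizes in a certificate inventory against the 1024-bit floor.

Added example (not from the advisory). Only the RSA SubjectPublicKeyInfo
layout is parsed; other key types raise ValueError.
"""

# Minimum RSA modulus length the advisory enforces (keys below this are blocked).
MIN_RSA_BITS = 1024

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption), content bytes only.
RSA_OID = bytes.fromhex("2a864886f70d010101")


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value):
    """DER INTEGER: minimal big-endian bytes, padded so the top bit is not set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def make_rsa_spki(modulus, exponent=65537):
    """Build a SubjectPublicKeyInfo for an RSA key (constructed test data)."""
    rsa_public_key = _der_tlv(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + _der_tlv(0x05, b""))
    bit_string = _der_tlv(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    return _der_tlv(0x30, algorithm + bit_string)


def _der_read(buf, pos):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Return the RSA modulus bit length from a DER SubjectPublicKeyInfo."""
    tag, body, _ = _der_read(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, algorithm, pos = _der_read(body, 0)
    _, oid, _ = _der_read(algorithm, 0)
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    _, bit_string, _ = _der_read(body, pos)
    _, rsa_public_key, _ = _der_read(bit_string[1:], 0)  # skip unused-bits byte
    _, modulus_bytes, _ = _der_read(rsa_public_key, 0)
    return int.from_bytes(modulus_bytes, "big").bit_length()


def audit_inventory(inventory):
    """Classify each (name, spki_der) entry as blocked or allowed."""
    report = []
    for name, spki in inventory:
        bits = rsa_modulus_bits(spki)
        verdict = "blocked" if bits < MIN_RSA_BITS else "allowed"
        report.append((name, bits, verdict))
    return report


# Constructed sample inventory: integers with the top bit set stand in for moduli.
SAMPLE_INVENTORY = [
    ("legacy-vpn-gateway (hypothetical)", make_rsa_spki((1 << 511) | 1)),
    ("intranet-portal (hypothetical)", make_rsa_spki((1 << 1023) | 1)),
    ("public-web (hypothetical)", make_rsa_spki((1 << 2047) | 1)),
]

if __name__ == "__main__":
    for name, bits, verdict in audit_inventory(SAMPLE_INVENTORY):
        print(f"{verdict:8} {bits:5d}-bit  {name}")
```

Against real certificates you would feed `rsa_modulus_bits` the SubjectPublicKeyInfo pulled from each DER certificate (or use a proper X.509 library); the point of the hand-built DER here is only to keep the example runnable without dependencies. Note that a 1024-bit key passes this check exactly as the advisory describes, since only keys shorter than 1024 bits are blocked.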
While the update isn't currently mandatory, it will be very soon.
Anything that stops malware in its tracks is a good thing. However, security experts are warning about the downside of limiting the certificate length.
Speaking on how this download could theoretically cripple an organization that does a great deal of business overseas, Paul Henry said that this security fix may cause more problems than it solves:
"This could create serious problems with computers using client server communications with these certificates. It may also have USA Export Permit ramifications for US firms that sell encryption products to clients outside of the US. Previously, in order to export a product, you had to use less than 256-bit encryption or apply for an export permit. Rather than going through the paperwork and time involved in getting an export permit, many chose to go with 256-bit encryption."
Henry said that companies that sell encryption products overseas can apply to the U.S. government to obtain longer encryption certificates. The problem, however, is that with anything related to the federal government, who knows how long this will take.
Is your enterprise ready for the change in security certificates? Let us know in the comments below.