Small RSA Keys Blocked, Will Trouble Follow? -- Redmondmag.com

Small RSA Keys Blocked, Will Trouble Follow?

While malware will have to use a new trick to infect systems, Microsoft's solution may hurt those who have dealings overseas.

By Chris Paoli
08/15/2012

Microsoft has been talking about Web certificates pretty much nonstop since news broke that the Flame malware got around by fooling Windows machines into thinking that it was a safe, secure and trusted program.

Every Patch Tuesday for the past few months the company brought up its plans of automatically blocking any RSA keys that are less than 1024 bits in length. But until yesterday, it was only talk.

Now with Security Advisory 2661254, Microsoft has provided a download for enterprises that will block any small certificates from being waved through a system.

But why only make this a download and not an automatic update? Because Microsoft knows that there are those non-Flame, non-malware companies that are still foolishly using short RSA keys. So if your company's got the length, download the update now. If your certificate is lacking a bit, fix that immediately!

While the update isn't currently mandatory, it will be very soon.

Anything that stops malware in its tracks is a good thing. However, security experts are warning about the downside of limiting the certificate length.

Speaking on how this download could theoretically cripple an organization that does a ton of business overseas, Paul Henry said that this security fix may be causing more problems than it solves:

"This could create serious problems with computers using client server communications with these certificates. It may also have USA Export Permit ramifications for US firms that sell encryption products to clients outside of the US. Previously, in order to export a product, you had to use less than 256-bit encryption or apply for an export permit. Rather than going through the paperwork and time involved in getting an export permit, many chose to go with 256-bit encryption."

Henry said that companies who do encrypted products overseas can apply to the U.S. government to obtain longer encryption certificates. The problem, however, is that with anything related to the federal government, who knows how long this will take.

Is your enterprise ready for the change in security certificates? Let us know in the comments below.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.