Security Advisor

Small RSA Keys Blocked, Will Trouble Follow?

While malware will have to use a new trick to infect systems, Microsoft's solution may hurt those who have dealings overseas.

Microsoft has been talking about Web certificates pretty much nonstop since news broke that the Flame malware got around by fooling Windows machines into thinking that it was a safe, secure and trusted program. 

Every Patch Tuesday for the past few months, the company has brought up its plan to automatically block any RSA keys shorter than 1024 bits. But until yesterday, it was only talk.

Now, with Security Advisory 2661254, Microsoft has provided a download for enterprises that blocks certificates with these short keys from being waved through a system.

But why only make this a download and not an automatic update? Because Microsoft knows that there are those non-Flame, non-malware companies that are still foolishly using short RSA keys. So if your company's got the length, download the update now. If your certificate is lacking a bit, fix that immediately!

While the update isn't currently mandatory, it will be very soon.
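Before turning on the block, an administrator will want to know which certificates in the local stores would fall below the 1024-bit threshold. The following audit script is an added example and is not part of this article or of Microsoft's advisory; it assumes Windows PowerShell 5.1 on a Windows host, and the CSV output path is an assumption.

```powershell
# Added example (not from the article or the advisory): list RSA certificates
# in the local certificate stores whose public key is shorter than 1024 bits,
# the length the KB2661254 update starts rejecting.
$MinBits = 1024                      # threshold stated in the advisory
$RsaOid  = '1.2.840.113549.1.1.1'    # OID for RSA public keys

$weak = Get-ChildItem -Path Cert:\ -Recurse |
    Where-Object { -not $_.PSIsContainer -and $_.PublicKey.Oid.Value -eq $RsaOid } |
    ForEach-Object {
        $cert = $_
        try {
            # On Windows PowerShell 5.1, PublicKey.Key is an RSACryptoServiceProvider
            $bits = $cert.PublicKey.Key.KeySize
        } catch {
            Write-Warning "Could not read key size for $($cert.Thumbprint): $_"
            return
        }
        if ($bits -lt $MinBits) {
            [PSCustomObject]@{
                Store      = ($cert.PSParentPath -replace '^.*::', '')
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                KeyBits    = $bits
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }

if ($weak) {
    $weak | Sort-Object KeyBits, NotAfter | Format-Table -AutoSize
    # Keep a record for remediation tracking (output path is an assumption)
    $weak | Export-Csv -Path "$env:TEMP\weak-rsa-certs.csv" -NoTypeInformation
} else {
    Write-Host "No RSA certificates below $MinBits bits found in local stores."
}
```

Run it in an elevated session so the LocalMachine stores are included; certificates found in Root or CA stores matter most, because every chain that terminates in them will be rejected once the update is enabled, while a weak end-entity certificate only affects the single service that presents it.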

Anything that stops malware in its tracks is a good thing. However, security experts are warning about the downside of limiting the certificate length.

Speaking on how this download could theoretically cripple an organization that does a ton of business overseas, Paul Henry said that this security fix may be causing more problems than it solves:

"This could create serious problems with computers using client server communications with these certificates. It may also have USA Export Permit ramifications for US firms that sell encryption products to clients outside of the US. Previously, in order to export a product, you had to use less than 256-bit encryption or apply for an export permit. Rather than going through the paperwork and time involved in getting an export permit, many chose to go with 256-bit encryption."

Henry said that companies that sell encryption products overseas can apply to the U.S. government for permission to use longer keys in their certificates. The problem, however, is that with anything related to the federal government, who knows how long this will take.

Is your enterprise ready for the change in security certificates? Let us know in the comments below.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
