Security Advisor

Small RSA Keys Blocked, Will Trouble Follow?

While malware will have to use a new trick to infect systems, Microsoft's solution may hurt those who have dealings overseas.

Microsoft has been talking about Web certificates pretty much nonstop since news broke that the Flame malware spread by fooling Windows machines into thinking it was a safe, secure and trusted program.

Every Patch Tuesday for the past few months the company brought up its plan to automatically block any certificate whose RSA key is shorter than 1024 bits. But until yesterday, it was only talk.

Now with Security Advisory 2661254, Microsoft has provided a download for enterprises that stops certificates with those short RSA keys from being waved through a Windows system.

But why only make this a download and not an automatic update? Because Microsoft knows that there are those non-Flame, non-malware companies that are still foolishly using short RSA keys. So if your company's got the length, download the update now. If your certificate is lacking a bit, fix that immediately!
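Before deploying the update, an administrator will want to know whether any of the organization's own certificates fall under the 1024-bit line. The script below is an added example (it is not Microsoft's code and not part of the advisory) that does the one check that matters: read an RSA public key in DER or PEM form, recover the modulus length in bits, and report whether the advisory's minimum would block it. It uses only the Python standard library, with a minimal DER reader for the PKCS#1 RSAPublicKey structure and the X.509 SubjectPublicKeyInfo wrapper that certificates use. The 512-, 1023-, 1024- and 2048-bit sample keys are constructed here with placeholder moduli (not real RSA keys) purely so the example runs offline; the function names and the `MIN_RSA_BITS` constant are this example's own.

```python
"""Flag RSA public keys shorter than the 1024-bit minimum enforced by the
Security Advisory 2661254 update.  Added example, stdlib only."""
import base64
import re
import textwrap

MIN_RSA_BITS = 1024  # minimum key length the advisory's update enforces

# rsaEncryption AlgorithmIdentifier: SEQUENCE { OID 1.2.840.113549.1.1.1, NULL }
_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der):
    """Modulus bit length from PKCS#1 RSAPublicKey or X.509 SubjectPublicKeyInfo DER."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    first_tag, first, after_first = _read_tlv(seq, 0)
    if first_tag == 0x30:                  # SubjectPublicKeyInfo: AlgorithmIdentifier, BIT STRING
        bs_tag, bit_string, _ = _read_tlv(seq, after_first)
        if bs_tag != 0x03:
            raise ValueError("expected BIT STRING")
        return rsa_modulus_bits(bit_string[1:])  # byte 0 is the unused-bits count
    if first_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(first, "big").bit_length()


def audit_key(der):
    """Return {'bits': n, 'blocked': bool} for one DER-encoded RSA public key."""
    bits = rsa_modulus_bits(der)
    return {"bits": bits, "blocked": bits < MIN_RSA_BITS}


def pem_to_der(text):
    """Strip PEM armour and whitespace, then base64-decode."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", text))


def audit_pem(text):
    return audit_key(pem_to_der(text))


# --- helpers that build sample inputs (constructed, not real keys) -----------
def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                     # keep the INTEGER positive (two's complement)
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_rsa_public_key(modulus, exponent):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_integer(modulus) + _der_integer(exponent)
    return b"\x30" + _der_length(len(body)) + body


def encode_spki(modulus, exponent):
    """X.509 SubjectPublicKeyInfo wrapping an RSAPublicKey in a BIT STRING."""
    inner = b"\x00" + encode_rsa_public_key(modulus, exponent)
    body = _RSA_ALG_ID + b"\x03" + _der_length(len(inner)) + inner
    return b"\x30" + _der_length(len(body)) + body


def to_pem(der, label="RSA PUBLIC KEY"):
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed placeholder moduli: top bit set so the bit length is exact.
SAMPLE_512_PEM = to_pem(encode_rsa_public_key((1 << 511) | 1, 65537))

if __name__ == "__main__":
    for name, der in [("512-bit PKCS#1", pem_to_der(SAMPLE_512_PEM)),
                      ("1023-bit SPKI", encode_spki((1 << 1022) | 1, 65537)),
                      ("1024-bit SPKI", encode_spki((1 << 1023) | 1, 65537)),
                      ("2048-bit PKCS#1", encode_rsa_public_key((1 << 2047) | 1, 65537))]:
        print(name, audit_key(der))
```

On a live system the same check is applied to every certificate an application trusts, so the keys to feed it are the public keys of the leaf, intermediate and root certificates in each chain, exported from the Windows certificate stores; one 512-bit intermediate is enough for the chain to be rejected once the update is in place.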

While the update isn't currently mandatory, it will be very soon.

Anything that stops malware in its tracks is a good thing. However, security experts are warning about the downside of enforcing a minimum key length.

Speaking on how this download could theoretically cripple an organization that does a great deal of business overseas, Paul Henry said that this security fix may cause more problems than it solves:

"This could create serious problems with computers using client server communications with these certificates. It may also have USA Export Permit ramifications for US firms that sell encryption products to clients outside of the US. Previously, in order to export a product, you had to use less than 256-bit encryption or apply for an export permit. Rather than going through the paperwork and time involved in getting an export permit, many chose to go with 256-bit encryption."

Henry said that companies that sell encryption products overseas can apply to the U.S. government to obtain certificates with longer keys. The problem, however, is that, as with anything involving the federal government, who knows how long that will take.

Is your enterprise ready for the change in security certificates? Let us know in the comments below.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
