Security Advisor

Small RSA Keys Blocked, Will Trouble Follow?

While malware will have to use a new trick to infect systems, Microsoft's solution may hurt those who have dealings overseas.

Microsoft has been talking about digital certificates pretty much nonstop since news broke that the Flame malware spread by presenting a fraudulent code-signing certificate that chained up to a Microsoft root, fooling Windows machines into treating it as trusted software.

Every Patch Tuesday for the past few months the company brought up its plans to automatically block any RSA keys shorter than 1024 bits. But until yesterday, it was only talk.

Now with Security Advisory 2661254, Microsoft has provided a download for enterprises that blocks any certificate whose RSA public key is shorter than 1024 bits from being accepted as valid on a system.

But why only make this a download and not an automatic update? Because Microsoft knows that plenty of legitimate, non-Flame, non-malware organizations are still using short RSA keys, and the update will break whatever depends on them. So if your company's certificates already have the length, download the update now. If any of them are lacking a bit, replace them immediately!
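Before installing the update it is worth knowing which certificates on your own machines would be rejected. The following PowerShell script is an added example, not code from the article or from Microsoft's advisory: it walks the local machine and current user certificate stores and reports every RSA certificate whose key is shorter than 1024 bits. The function name and the threshold variable are the example's own; the 1024-bit cutoff is the one the update enforces.

```powershell
# Added example (not from the article or from Microsoft's advisory).
# Lists certificates in the Windows certificate stores whose RSA public key
# is shorter than the minimum that Security Advisory 2661254 enforces.
# Run from an elevated PowerShell prompt so LocalMachine stores are readable.

$MinimumRsaBits = 1024   # threshold enforced by the update

function Get-WeakRsaCertificate {
    param(
        [int]$MinBits = $MinimumRsaBits,
        [string[]]$Stores = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )

    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_

                # Only RSA keys are affected by the update; skip DSA and ECC certificates.
                # 1.2.840.113549.1.1.1 is the rsaEncryption OID.
                if ($cert.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') { return }

                try {
                    $bits = $cert.PublicKey.Key.KeySize
                } catch {
                    # Some certificates cannot be loaded into a CSP object; report them separately.
                    Write-Warning ("Could not read key size for " + $cert.Thumbprint + ": " + $_.Exception.Message)
                    return
                }

                if ($bits -lt $MinBits) {
                    New-Object PSObject -Property @{
                        Store      = ($cert.PSParentPath -replace '^.*::', '')
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        KeyBits    = $bits
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                    }
                }
            }
    }
}

# Print the weak certificates, shortest keys first.
Get-WeakRsaCertificate |
    Sort-Object KeyBits, NotAfter |
    Format-Table Store, KeyBits, NotAfter, Subject, Issuer, Thumbprint -AutoSize
```

An empty table means the stores on that machine contain nothing the update will reject. Note the limits of the check: it only inspects certificates stored on the Windows machine. A certificate presented by a remote server, a partner's VPN concentrator or an appliance overseas is not in any local store, so a short key there will still fail at connection time once the update is installed.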

While the update isn't currently mandatory, it will be very soon: Microsoft has said it plans to push it out through Windows Update in October.

Anything that stops malware in its tracks is a good thing. However, security experts are warning about the downside of enforcing a minimum key length.

Paul Henry, speaking on how this download could in theory cripple an organization that does a great deal of business overseas, said that the security fix may cause more problems than it solves:

"This could create serious problems with computers using client-server communications with these certificates. It may also have USA Export Permit ramifications for US firms that sell encryption products to clients outside of the US. Previously, in order to export a product, you had to use less than 256-bit encryption or apply for an export permit. Rather than going through the paperwork and time involved in getting an export permit, many chose to go with 256-bit encryption."

Henry said that companies that sell encryption products overseas can apply to the U.S. government to obtain longer encryption certificates. The problem, of course, is that with anything involving the federal government, there is no telling how long that will take.

Is your enterprise ready for the change in security certificates? Let us know in the comments below.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
