Slashdot Mirror


Microsoft: As of October, 1024-Bit Certs Are the New Minimum

way2trivial writes with this snippet from Information Week about a warning from Microsoft reminding Windows administrators that an update scheduled for October 9th will require a higher standard for digital certificates. "That warning comes as Microsoft prepares to release an automatic security update for Windows on Oct. 9, 2012, that will make longer key lengths mandatory for all digital certificates that touch Windows systems. ... Internet Explorer won't be able to access any website secured using an RSA digital certificate with a key length of less than 1,024 bits. ActiveX controls might be blocked, users might not be able to install applications, and Outlook 2010 won't be able to encrypt or digitally sign emails, or communicate with an Exchange server for SSL/TLS communications."

9 of 207 comments

  1. Why 1024? by fsck1nhippies · Score: 5, Interesting

    Systems have the ability to go further, why not make 2048 the minimum? Does anyone know why 1024 was selected? I would guess it has to do with some backwards compatibility with something. Some of the issuers are making it next to impossible to go below 2048.

    1. Re:Why 1024? by Penguinisto · Score: 5, Interesting

      Thinking much the same thing here as well. Even a CA like GoDaddy won't take anything smaller than a 2k cert key.

      Most SSL certs we cook up have a 2048 minimum anyway, and some certs we use have a standard of at least 4096 (I work in the banking/financial industry, so we're used to using the bigger keys).

      I'm thinking that they stuck with 1024 because most IIS 7.x (Win2k8 Server) allows for a minimum 1024 key size when making CSRs, and (maybe? can't remember) the really old crap (IIS5 or 4?) won't interpret anything bigger, which means enterprises with those old installs will scream bloody murder if they have to re-key but can't meet minimum length.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    2. Re:Why 1024? by SCPRedMage · Score: 5, Interesting

      Probably because they didn't want to break a greater number of certs.

      --
      My sig can beat up your sig.
    3. Re:Why 1024? by smash · Score: 5, Insightful

      Because NSA / CIA haven't cracked 2048 bit yet, silly.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  2. Re:open source by bloodhawk · Score: 5, Insightful

    Just because it is closed source doesn't mean people can't read the source. Thousands of universities and government agencies and even other organisations have access to the source code for Windows for development purposes, security evaluation purposes and research purposes.

  3. This was announced several months ago by Meshach · Score: 5, Informative

    TechRepublic noted this a while ago and provided detailed instructions on how to work around the issue.

    --
    "Maybe this world is another planet's hell"
    Aldous Huxley
  4. Close Goate.cx instead by Anonymous Coward · Score: 5, Funny

    Wouldn't be much of an OS if it didn't have a reach-around.

  5. Re:open source by Anonymous Coward · Score: 5, Interesting

    Not true when kernel.org itself gets hacked.

    On the contrary. Which distros actually compiled and released a version of the kernel that was compiled from code downloaded during the window this attack was in effect? If you're running Debian then your kernel is anywhere from just now old to 2 years on the stable version. And if you're doing the right thing and using Ubuntu LTS releases instead of the beta interim stuff then it's the same deal. With Windows, there are only 2 releases to the mainstream: the server and the desktop versions. So whatever kernel MS builds, that's the one everybody uses. With Linux, even with kernel.org getting hacked, you have a fighting chance, but with Windows, you're done.

  6. Key length is the least of concerns for SSL by js33 · Score: 5, Interesting

    There is an entire collection of root certs in your browser that are all trusted unconditionally. Hundreds of them, in fact. These root certs have signed thousands (who knows how many, really?) of intermediate certs. All of these intermediate certs are trusted unconditionally to authenticate any SSL server whatsoever. It's pointless to have a key longer than the shortest intermediate cert key length in use anywhere. When you use SSL, you are trusting thousands of unknown parties with absolute cert-signing authority. SSL certificates are known to have been used for explicit man-in-the-middle purposes: Trustwave sold a root certificate for surveillance. Sure they revoked that one key because of the bad publicity, but it's common industry practice. How is SSL hopelessly broken? Let us count the ways.
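A way to audit a chain against the two thresholds this thread mentions (1024 bits for the Windows update, 2048 for issuers such as GoDaddy), added here as an example that is not from Slashdot, the posters or Microsoft: it uses the openssl command-line tool to read every certificate's RSA modulus size out of a PEM bundle and reports the weakest one, since a chain is only as strong as its shortest key. The chain it inspects is a constructed throwaway (a 1024-bit issuer signing a 2048-bit leaf) and the function names are assumptions.

```shell
#!/bin/sh
# Audit a PEM certificate chain for RSA keys below a policy minimum.
# The demo chain is generated locally so the script runs offline; in real
# use point rsa_bits_in_chain at a chain downloaded from a server.
set -eu

# Print the RSA modulus size in bits for every certificate in a PEM bundle,
# one per line, in file order (non-RSA keys are skipped).
rsa_bits_in_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
      | openssl pkcs7 -print_certs -text -noout \
      | awk '/Public Key Algorithm:/ { rsa = /rsaEncryption/ }
             rsa && match($0, /Public-Key: \([0-9]+ bit\)/) {
                 s = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", s); print s }'
}

# The shortest key in the chain is the effective strength of the whole chain.
min_rsa_bits_in_chain() {
    rsa_bits_in_chain "$1" | sort -n | head -n 1
}

# Return 0 if every RSA key in $1 has at least $2 bits, 1 otherwise.
check_chain_min_bits() {
    status=0
    for bits in $(rsa_bits_in_chain "$1"); do
        if [ "$bits" -lt "$2" ]; then
            echo "FAIL: $bits-bit RSA key in $1 is below the $2-bit minimum" >&2
            status=1
        fi
    done
    return $status
}

# Constructed test data: a 1024-bit self-signed issuer that signs a 2048-bit
# leaf, concatenated into one chain file. Prints the path of the chain.
make_demo_chain() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:1024 -nodes -keyout "$dir/ca.key" \
        -subj "/CN=legacy-issuer.example" -days 1 -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -subj "/CN=www.example" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
    cat "$dir/leaf.pem" "$dir/ca.pem" > "$dir/chain.pem"
    echo "$dir/chain.pem"
}

demo=$(make_demo_chain)
echo "weakest RSA key in chain: $(min_rsa_bits_in_chain "$demo") bits"
check_chain_min_bits "$demo" 1024 && echo "meets the Windows 1024-bit minimum"
check_chain_min_bits "$demo" 2048 || echo "would be refused by a 2048-bit issuer policy"
```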