Microsoft will release an automatic update for Windows on October 9, 2012 that is making a minimum certificate key length of 1024 bits mandatory for digital certificates. Information about the update were first published on August 14 in Security Advisory 2661254 and a related Microsoft Knowledge Base article. The update is available for all supported client and server-based versions of the Windows operating system. Once applied it will block cryptographic keys that are less than 1024 bits long which can have a number of consequences for services and users.
Windows operating system users for instance may notice that they can't digitally sign or encrypt emails in Outlook anymore as this is automatically blocked if an RSA certificate with less than 1024 bits is used. Internet Explorer users may notice error messages when they try to access websites that use SSL certificates with keys that are less than 1024 bits. The consequence is that Internet Explorer won't allow access to the site.
A Microsoft blog post highlights additional issues that customers may encounter after applying the update:
Services that use certificates with a key length of less than 1024 bits need to re-issue the certificate with at least a 1024 bit key length. Microsoft notes that this is the absolute minimum, and that companies should consider selecting a secure key length of 2048 or better.
Devices running Windows 8 or Windows Server 2012 are not affected by the update as they already include the functionality that Microsoft will introduce on October 9 in the other Windows versions. (via Information Week, thanks Ilev for the tip)
AdvertisementPlease click on the following link to open the newsletter signup page: Ghacks Newsletter Sign up
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.
I imagine that among those not updating automatically, the temptation of avoiding this update will at least carry a dilemma.
Here I’ll be following the developments until October release, but if issues are not clearly reported as minimal I won’t take the risk of having connecting applications unusable.
“The consequence is that Internet Explorer won’t allow access to the site.”
This is in no way a bad thing. Using IE for any purpose other than Windows Updates and downloading a better browser is like having unprotected sex with every person in Los Angeles (but less fun).