The issue was partially addressed in August, with an optional patch in Security Advisory 2661254, following a series of security issues caused by certificate flaws.
Now, Microsoft will make the stricter rules on RSA key length apply across the board next month, with some older certificates no longer being shown as coming from a trusted site.
“Internet Explorer will show a warning similar to the one you would get for other SSL inconsistencies such as a ‘Certificate not signed by an approved Certificate Authority’,” said Wolfgang Kandek, CTO of security company Qualys.
“There are also other possible impacts in email.”

For those who find they are using certificates with RSA key lengths of less than 1024 bits, those certificates will have to be reissued. According to Kandek, the issue is likely to be limited to relatively few certificates, but the impact on those sites will be significant.
The change comes in response to the Flame malware discovered in June, which spread using a forged certificate that chained up to a Microsoft certificate authority.
Certificates bind a public key to an identity and are signed by a certificate authority, which is how a browser checks that a website is what it claims to be. They have been seen as a weak link in the security chain, especially when the RSA key in the certificate is shorter than the 1024-bit minimum that is now being enforced.
“Search older certificates out”
Microsoft warned that websites should prepare for the update by studying their existing certificates to avoid surprises when the October patch takes effect and RSA keys shorter than 1024 bits (512-bit keys, for instance) stop being accepted.
“Though many have already moved away from such certificates, customers will want to review their asset inventories in particular, examining those systems and applications that have been tucked away to collect dust and cobwebs because they ‘still work’ and have not had any cause for review for some time,” said Angela Gunn of Microsoft’s Trustworthy Computing programme in a blog post.
“For those who find they are using certificates with RSA key lengths of less than 1024 bits, those certificates will be required to be reissued with at least a 1024-bit key length,” she said. “The most up-to-date security practices recommend 2048 bits or even better.”
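The inventory review Microsoft asks for comes down to one question per certificate: how long is its RSA modulus? The following script is an added example, not code from Microsoft, Qualys or the article; it uses only the Python standard library, walks the DER structure of an X.509 certificate to the SubjectPublicKeyInfo and reports the modulus size, then flags anything under 1024 bits. The helper names, the PEM loader and the sample certificates are all assumptions made for this example; the sample certificates are constructed inline with dummy signatures purely to exercise the parser, and the same `rsa_key_bits` function works unchanged on real certificates exported from a server or a Windows certificate store.

```python
"""Flag X.509 certificates whose RSA public key is shorter than 1024 bits.

Added example (not Microsoft's, Qualys's or the article's code). Standard
library only: a minimal DER walker finds the SubjectPublicKeyInfo in a
certificate and measures the RSA modulus. The sample certificates built by
make_sample_cert() are constructed test input with dummy signatures.
"""
import base64
import re

MIN_RSA_BITS = 1024                                    # the floor Microsoft now enforces
RSA_OID = bytes.fromhex("2a864886f70d010101")          # 1.2.840.113549.1.1.1 rsaEncryption (content bytes)
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11 sha256WithRSAEncryption


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside a constructed DER value."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = _read_tlv(buf, pos)
        yield tag, vs, ve


def rsa_key_bits(der):
    """Return the RSA modulus size in bits for a DER certificate, or None if the key is not RSA."""
    _, cert_start, cert_end, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = next(_children(der, cert_start, cert_end))  # tbsCertificate
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, spki_start, spki_end = fields[5]
    (_, alg_start, alg_end), (_, bs_start, bs_end) = list(_children(der, spki_start, spki_end))[:2]
    oid_tag, oid_start, oid_end = next(_children(der, alg_start, alg_end))
    if oid_tag != 0x06 or der[oid_start:oid_end] != RSA_OID:
        return None                                                # ECDSA, DSA, etc.: not in scope here
    # BIT STRING payload: one unused-bits byte, then RSAPublicKey ::= SEQUENCE { modulus, exponent }
    _, rsa_start, rsa_end, _ = _read_tlv(der, bs_start + 1)
    _, n_start, n_end = next(_children(der, rsa_start, rsa_end))
    modulus = int.from_bytes(der[n_start:n_end], "big")            # a leading 0x00 sign pad is harmless
    return modulus.bit_length()


def load_certificates(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def weak_rsa_certs(certs, minimum=MIN_RSA_BITS):
    """certs: iterable of (label, der). Return [(label, bits)] for RSA keys shorter than minimum."""
    weak = []
    for label, der in certs:
        bits = rsa_key_bits(der)
        if bits is not None and bits < minimum:
            weak.append((label, bits))
    return weak


# --- constructed test input: a syntactically valid, unsigned v3 certificate with a chosen key size ---

def _tlv(tag, body):
    """DER-encode tag + length + body (short or long length form as needed)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _integer(value):
    """DER INTEGER for a non-negative value, padding with 0x00 when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)


def make_sample_cert(modulus_bits):
    """Build a dummy certificate whose RSA modulus has exactly modulus_bits bits (not a real key)."""
    modulus = (1 << (modulus_bits - 1)) | 1
    rsa_pub = _tlv(0x30, _integer(modulus) + _integer(65537))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, RSA_OID) + b"\x05\x00") + _tlv(0x03, b"\x00" + rsa_pub))
    sig_alg = _tlv(0x30, _tlv(0x06, SHA256_RSA_OID) + b"\x05\x00")
    empty_name = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"120801000000Z") + _tlv(0x17, b"131001000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _integer(2)) + _integer(1) + sig_alg + empty_name + validity + empty_name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * (modulus_bits // 8 + 1)))  # dummy signature


def to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    bundle = "".join(to_pem(make_sample_cert(bits)) for bits in (512, 1024, 2048))
    inventory = list(zip(("legacy-intranet", "old-mail", "www"), load_certificates(bundle)))
    for label, bits in weak_rsa_certs(inventory):
        print(f"{label}: RSA {bits}-bit key, below {MIN_RSA_BITS} bits, must be reissued")
```

In practice the `inventory` list would come from certificates gathered off the servers in the asset register (for example, exported from IIS or `certutil -store My`), and anything the script reports should be reissued at 2048 bits rather than at the 1024-bit minimum the patch enforces.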