• Security Advisory - Update For Minimum Certificate Key Length

    As you know, I rarely blog about Security Advisories or updates, but this time I want to make sure that you saw this: We released the Microsoft Security Advisory (2661254) - Update For Minimum Certificate Key Length to make you aware of the fact that we will invalidate all certificates with RSA keys of less than 1024 bits. The update is already available on the Download Center but not yet on Microsoft Update or WSUS.

    The reason why we chose to go for an advisory "only" is to give you enough time to test and investigate. Please ensure that there are no certificates (e.g. machine authentication certs) with keys less than 1024 bits. If there are, replace them immediately. Otherwise authentication might fail from October onwards.

    I got asked how big the problem is. Honestly, I do not know, but what I do know is that we have customers who found issues – so go ahead and investigate!

    Roger

  • Direct Access and Virtual Smartcard

    I am a huge fan of DirectAccess – especially as a user. I love it as a user because I no longer have to care about where I am connected: my notebook immediately connects to Microsoft's corporate network. Ages ago, when we ran the pilot, I was already able to join, and I have been using it ever since.

    However, in the initial days of Windows 8, our internal pilot was limited to our domain at headquarters and I needed to use VPN again :-(

    A few days ago we rolled out DirectAccess for Windows 8 – a really great experience, as we now leverage a new functionality of Windows 8 as well: Virtual Smartcards. For me as a user this meant that I had to VPN in, visit a website and request a certificate. This certificate request was signed by my "real" smartcard, and the private key is then stored in the TPM of my slate.

    Now, DA is seamless again and even with strong authentication.

    Cool!!

    Roger

  • UPDATE: Security Advisory – Update For Minimum Certificate Key Length

    Yesterday I blogged about the Security Advisory – Update For Minimum Certificate Key Length. I would like to take the opportunity to give some more information on it.

    The reaction to the advisory is interesting so far. Some customers expect mainly older applications to run into a problem. Others tell us that they have mandated 2k keys for a long time and are therefore safe. Well, I tend to agree and disagree (cool statement :-)). I guess the huge majority of the keys are not less than 1024 bits. This is to be expected, and I would be surprised if public CAs had issued certs recently which cause challenges – but sometimes I get surprised in the oddest ways.

    My real worry is systems that connect through an authenticated or encrypted channel to older, mostly embedded systems. Are the keys on these systems long enough?

    There is a way to figure this out. If you look into the KB article which comes with the advisory (KB2661254), there is a section called Resolutions, and in there it is explained how the update can be put into a "logging only" mode:

    Allow key lengths of less than 1024 bits by using registry settings

    Microsoft does not recommend customers use certificates less than 1024 bits long. Customers may however need a temporary workaround while a longer term solution is developed to replace RSA certificates with a key length of less than 1024 bits length. In these cases, Microsoft is providing the customers the ability to change the way the update functions. Customers configuring these settings are accepting the risk that an attacker may be able to break their certificates and use them to spoof content, perform phishing attacks, or perform Man-in-the-Middle attacks.

    So, my recommendation today is definitely to deploy the update in the logging-only mode and figure out whether you have a problem and how big it is – October is coming soon.

    Roger
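The two posts above ask you to check whether any certificate in your environment uses an RSA key shorter than 1024 bits. The following PowerShell script is an added example for that check; it is not code from the post or from KB2661254. It walks the Windows certificate stores through the Cert: drive (Root and CA stores included, since a weak key anywhere in the chain will make chain building fail once the update enforces the limit) and reports every RSA certificate below the threshold. The function name and its parameters are my own; the rsaEncryption OID and the X509Certificate2 properties are standard .NET.

```powershell
# Added example (not from the post or from KB2661254): inventory the local
# certificate stores and report RSA keys shorter than a given length.
# Assumes Windows PowerShell with the Cert: drive; Find-WeakRsaCertificate
# and its parameters are hypothetical names chosen for this example.

function Find-WeakRsaCertificate {
    [CmdletBinding()]
    param(
        # Threshold the advisory enforces: RSA keys below 1024 bits are rejected.
        [int]$MinimumKeyLength = 1024,
        # Stores to walk. Root/CA stores matter too: a weak key anywhere in the
        # chain breaks the chain once enforcement is on.
        [string[]]$StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )

    $rsaOid = '1.2.840.113549.1.1.1'   # rsaEncryption (PKCS #1)

    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_

                # The advisory covers RSA keys only; skip DSA/ECC certificates.
                if ($cert.PublicKey.Oid.Value -ne $rsaOid) { return }

                # Key length is the modulus size, exposed as KeySize on the public key.
                try { $keySize = $cert.PublicKey.Key.KeySize } catch { $keySize = $null }
                if ($null -eq $keySize) { return }

                if ($keySize -lt $MinimumKeyLength) {
                    [pscustomobject]@{
                        # PSParentPath looks like "...Certificate::LocalMachine\My";
                        # keep only the store part after the provider prefix.
                        Store         = $cert.PSParentPath -replace '^.*::', ''
                        Subject       = $cert.Subject
                        Issuer        = $cert.Issuer
                        KeySize       = $keySize
                        NotAfter      = $cert.NotAfter
                        HasPrivateKey = $cert.HasPrivateKey
                        Thumbprint    = $cert.Thumbprint
                    }
                }
            }
    }
}

# Usage: list offenders, then export the list for the teams that own them.
$weak = Find-WeakRsaCertificate
if ($weak) {
    $weak | Sort-Object KeySize, NotAfter | Format-Table -AutoSize
    $weak | Export-Csv -Path "$env:TEMP\weak-rsa-certs.csv" -NoTypeInformation
} else {
    Write-Host "No RSA certificates below 1024 bits found in the local stores."
}
```

Run it on every machine class you care about (servers, clients, and in particular the boxes that talk to older or embedded systems), because the stores differ per machine and per user. For a certificate presented by a remote or embedded device, export it to a file and apply the same KeySize check to an object created with `New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\cert.cer'`; the script does not reach out to remote endpoints itself. A certificate with HasPrivateKey set to true is one this machine authenticates with and should be replaced first.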

  • Microsoft Security Response Center: Progress Report

    At the end of July we issued the fourth MSRC progress report, showing not only the work we did on the Security Updates but also all the different programs that run out of MSRC. I guess this could be interesting for you as well: Microsoft Security Response Center (MSRC) Progress Report

    Roger