Microsoft send out a warning to administrators that an upcoming Windows security update will block access to RSA digital certificates with a key length of less than 1,024 bits because increased computing power has made it easier to crack or brute-force attack these keys.
The update will be released on October 9, 2012, it will prevent Internet Explorer from accessing websites secured with digital certificates with a key length of under 1,024 bits. Additionally, strong keys will also be required for Windows' certificate authority service, for ActiveX controls, encrypting and signing e-mails in Outlook, etc.
Notably, Internet Explorer won't be able to access any website secured using an RSA digital certificate with a key length of less than 1,024 bits. Likewise, without a strong enough certificate, certificate authority service in Windows won't be able to start, ActiveX controls might be blocked, users might not be able to install applications, and Outlook 2010 won't be able to encrypt or digitally sign emails, or communicate with an Exchange server for SSL/TLS communications. In addition, Microsoft warned that after its security update, Operations Manager will be unable to monitor--or discover new instances of--any HP-UX PA-RISC computers that don't have an RSA digital certificate of least 1,024 bits.
Microsoft's move reflects the relative ease with which digital certificates of less than 1,024 bits can now be cracked--or derived--via brute-force attacks. "The private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks," according to Microsoft.
The software giant urges admins who find they are using certificates with RSA key lengths of less than 1,024 bits to reissue them with at least a 1,024-bit key lengths, and preferably 2,048 bits or even better.
