Microsoft beefs up certificate security following Flame attacks

In addition, Microsoft is implementing a “defense-in-depth” strategy that changes how the company manages certificates that have RSA keys of fewer than 1024 bits in length.

Beginning next month, certificates that use the RSA algorithm with a key length of fewer than 1024 bits will be treated as invalid, even if they are otherwise well-formed and signed by a trusted certificate authority, Microsoft explained in a blog post.

Microsoft has also launched an automatic updater for untrusted certificates on Windows Vista and 7, as well as Windows Server 2008 and 2008 R2. The feature checks daily for updated lists of certificates Microsoft has marked as untrusted and applies them automatically.

Microsoft is starting to take certificate security and management seriously, observed Jeff Hudson, chief executive officer at Venafi, an enterprise key and certificate management provider. “They are tightening up their certificate management practices”, Hudson told Infosecurity.

Venafi recently released a report that found that close to one in five of the digital certificates deployed by Global 2000 companies rely on technology that makes them vulnerable to breaches by malware.

“The Global 2000 has to do the same thing that Microsoft has done. They have to take [certificate management] seriously; they have to look around and find out where their certificates are being poorly managed and fix that”, Hudson said.

“The bad guys have figured out that certificates, because they are poorly managed, are prime targets – they get you access, they authenticate you, they allow you to do things like mount a man-in-the-middle attack”, Hudson observed.

For the study, Venafi performed network scans on 450 leading companies. The scans found that 17.4% of deployed certificates are signed using the MD5 hash algorithm, for which practical collision attacks have been known since 2004. The Flame malware's developers exploited exactly that weakness: an MD5 collision against an MD5-signed certificate chain from Microsoft's Terminal Server Licensing Service let them forge a certificate that appeared to be issued by Microsoft, so their code passed as Microsoft-signed on compromised devices while it gathered sensitive information.
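As an added illustration (not code from the article, Microsoft or Venafi), the following Python script performs the two checks the article describes: flagging RSA keys shorter than 1024 bits, as in Microsoft's update, and finding certificates signed with MD5, as in the Venafi scan. It reads DER directly with a minimal ASN.1 parser so it runs without third-party libraries. The certificates it audits are constructed inside the block, with a synthetic modulus and a filler signature, because only the structure matters for these checks; on real data, pass the DER bytes from `pem_to_der()` to `audit_cert()`. Function names, the test subject name and the dates are the example's own assumptions.

```python
import base64

# Algorithm OIDs relevant to the weaknesses in the article (PKCS #1 / RFC 3279 values).
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_MD5_RSA = "1.2.840.113549.1.1.4"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption", OID_MD5_RSA: "md5WithRSAEncryption"}
MIN_RSA_BITS = 1024  # the cutoff Microsoft applied; shorter RSA keys are treated as invalid


def der_read(buf, pos=0):
    """Read one TLV at buf[pos]; return (tag, content, position after it). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split the content of a constructed element into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted notation."""
    arcs, cur = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode, so exported certificate files can be audited."""
    return base64.b64decode("".join(l for l in pem_text.strip().splitlines() if not l.startswith("-----")))


def inspect_cert(der_bytes):
    """Return (signatureAlgorithm OID, RSA modulus bits or None) for one DER certificate.
    Reads only the RFC 5280 structure; it neither verifies the signature nor builds a chain."""
    _, cert, _ = der_read(der_bytes)
    tbs, sig_alg, _sig_value = der_children(cert)[:3]
    sig_oid = decode_oid(der_children(sig_alg[1])[0][1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:               # EXPLICIT [0] version is present for v2/v3 certificates
        fields = fields[1:]
    spki = fields[5]                       # serial, signature, issuer, validity, subject, spki
    spki_alg, spki_key = der_children(spki[1])[:2]
    bits = None
    if decode_oid(der_children(spki_alg[1])[0][1]) == OID_RSA_ENCRYPTION:
        _, rsa_key, _ = der_read(spki_key[1][1:])   # BIT STRING: skip the unused-bits octet
        modulus = der_children(rsa_key)[0][1]        # RSAPublicKey ::= SEQUENCE { n, e }
        bits = int.from_bytes(modulus, "big").bit_length()
    return sig_oid, bits


def audit_cert(der_bytes):
    """List the findings the two checks from the article raise for one certificate."""
    sig_oid, bits = inspect_cert(der_bytes)
    findings = []
    if sig_oid in WEAK_SIG_OIDS:
        findings.append("signed with " + WEAK_SIG_OIDS[sig_oid])
    if bits is not None and bits < MIN_RSA_BITS:
        findings.append(f"RSA key is only {bits} bits (< {MIN_RSA_BITS})")
    return findings


# Constructed test input below: a tiny DER encoder and a hypothetical certificate builder.
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(v):
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # spare bit keeps it positive


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunks.insert(0, a & 0x7F)
        body += bytes([c | 0x80 for c in chunks[:-1]] + [chunks[-1]])
    return der(0x06, body)


def build_test_cert(modulus_bits, sig_oid):
    """Hypothetical certificate: synthetic modulus with exactly modulus_bits bits, filler signature."""
    def alg(oid):
        return der(0x30, der_oid(oid) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, b"Test CA"))))
    validity = der(0x30, der(0x17, b"120701000000Z") + der(0x17, b"130701000000Z"))
    rsa_key = der(0x30, der_int((1 << (modulus_bits - 1)) | 1) + der_int(65537))
    spki = der(0x30, alg(OID_RSA_ENCRYPTION) + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + alg(sig_oid) + name + validity + name + spki)
    return der(0x30, tbs + alg(sig_oid) + der(0x03, b"\x00" * (modulus_bits // 8 + 1)))


if __name__ == "__main__":
    for label, cert in (("legacy", build_test_cert(512, OID_MD5_RSA)),
                        ("current", build_test_cert(2048, OID_SHA256_RSA))):
        print(label, audit_cert(cert) or ["no findings"])
```

The parser deliberately stops at the subjectPublicKeyInfo field and never touches the signature value: an inventory scan like Venafi's only needs the algorithm identifiers and the modulus size, and a certificate signed with MD5 is a finding whether or not the signature itself verifies. For an internal sweep, run `audit_cert()` over every certificate exported from the stores or endpoints in scope and treat any non-empty result as a replacement ticket.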

“MD5 is a big problem. The attackers have utilized the MD5 open door successfully against Microsoft. That is not lost on the hacker community”, Hudson opined.

The Venafi report also found that some organizations have as many as 78% of their internal certificates signed with the MD5 algorithm.

“These companies need to find all the MD5s and get rid of them. That needs to be done quickly. Then, they need to put in good certificate management processes that will make sure that this kind of thing doesn’t happen again”, Hudson concluded.
