Microsoft: As of October, 1024-Bit Certs Are the New Minimum

way2trivial writes with this snippet from Information Week about a warning from Microsoft reminding Windows administrators that an update scheduled for October 9th will require a higher standard for digital certificates. "That warning comes as Microsoft prepares to release an automatic security update for Windows on Oct. 9, 2012, that will make longer key lengths mandatory for all digital certificates that touch Windows systems. ... Internet Explorer won't be able to access any website secured using an RSA digital certificate with a key length of less than 1,024 bits. ActiveX controls might be blocked, users might not be able to install applications, and Outlook 2010 won't be able to encrypt or digitally sign emails, or communicate with an Exchange server for SSL/TLS communications."
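The practical question for an administrator reading the warning above is which certificates in the environment fall below the new floor. The following PowerShell audit is an added example, not code from the Information Week story or from Microsoft; it walks every certificate in the LocalMachine and CurrentUser stores (end-entity, intermediate and root alike, since a short key anywhere in the chain is what the update objects to), keeps only RSA keys, and reports those shorter than a configurable minimum. The 1024-bit default is the value from the story; the property names are standard .NET X509Certificate2 members available on Windows PowerShell of that era.

```powershell
# Added example: report RSA certificates shorter than the minimum the Oct 2012 update enforces.
# Not from the original article. Uses only the built-in Cert: provider and X509Certificate2 properties.
param([int]$MinimumBits = 1024)   # 1024 is the floor named in the story

$roots = @('Cert:\LocalMachine', 'Cert:\CurrentUser')

function Get-WeakRsaCertificate {
    param([string[]]$StoreRoots, [int]$MinBits)

    foreach ($root in $StoreRoots) {
        # -Recurse returns X509Store containers as well as certificates; keep only the latter.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_
                # Only RSA keys are subject to the bit-length rule; ECC and DSA keys are skipped.
                if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }

                $bits = $cert.PublicKey.Key.KeySize
                if ($bits -lt $MinBits) {
                    [pscustomobject]@{
                        Store      = ($cert.PSParentPath -replace '^.*::', '')   # e.g. LocalMachine\My
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        SelfSigned = ($cert.Subject -eq $cert.Issuer)
                        KeyBits    = $bits
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                    }
                }
            }
    }
}

$weak = Get-WeakRsaCertificate -StoreRoots $roots -MinBits $MinimumBits

if (-not $weak) {
    Write-Host "No RSA certificates below $MinimumBits bits found in $($roots -join ', ')."
} else {
    # Shortest keys first, then soonest expiry, so the most urgent replacements float to the top.
    $weak | Sort-Object KeyBits, NotAfter | Format-Table -AutoSize
    Write-Host "$(@($weak).Count) certificate(s) below $MinimumBits bits."
}

# After the update is installed the enforced floor can be read back with:
#   certutil -getreg chain\MinRsaPubKeyBitLength
# (the chain-engine setting the update adds; it is not described in the story above).
```

Run it in an elevated prompt so the LocalMachine stores are readable in full. The output only covers certificates already installed locally; certificates presented by remote web servers, Exchange, or signed ActiveX controls have to be checked at the source, but an intermediate or root in the local store with a short key will break every chain that passes through it, which is why the script does not restrict itself to the Personal store.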
  • Re:open source (Score:5, Insightful)

    by bloodhawk ( 813939 ) on Sunday September 09, 2012 @07:47PM (#41283699)
    just because it is closed source doesn't mean people can't read the source. thousands of universities and government agencies and even other organisations have access to the source code for windows for development purposes, security evaluation purposes and research purposes.
  • Re:Why 1024? (Score:3, Insightful)

    by Jane Q. Public ( 1010737 ) on Sunday September 09, 2012 @08:49PM (#41284033)

    "Does anyone know why 1024 was selected?"

    But one has to wonder why Microsoft is doing the selection.

    I'm not Microsoft-bashing here, but if I had an old cert on a site somewhere, there is no way in hell I would update it just to be compatible with Internet Explorer. Let Explorer users do without. I don't care in the slightest.

  • Re:open source (Score:5, Insightful)

    by LordLimecat ( 1103839 ) on Sunday September 09, 2012 @09:11PM (#41284131)

    "I don't really understand how anyone can care whether a closed source operating system is secure."

    This is so much garbage.

    Open-source systems have their share of holes, and the idea that there is a gigantic pool of people qualified to catch backdoors in something as relatively simple as a web browser-- let alone an OS-- is absurd. Just because you can look at the source doesn't mean you can do a remotely competent job of auditing it; and the idea that a single person could somehow audit hundreds of thousands of lines of code for security "on a whim" is even more absurd.

    There are a lot of benefits to open source, but sometimes its advocates really stretch the imaginations with some of the claims and accusations they level against proprietary software.

    "it's sufficiently open that blatant backdoors are not going to be inserted."

    So I suppose the whole potential IPSEC backdoor in FreeBSD [marc.info] thing was just my imagination, then?

    You're talking nonsense. Consider that OpenSSL is widely considered a horrendously complex pile of spaghetti code, which I believe has had its share of security issues, and yet we still use it. Is it because we're lazy? No, it's because sometimes some of this security stuff is phenomenally complicated, and it would take a horrendous number of man-hours from incredibly talented people to refactor or replace it.

    One of the benefits of paid software is that, if they're competent, they can devote a lot of time to it because they are paid. I'm gonna go out on a limb here and say that one of the biggest helpers to good code in a lot of OSS projects are the paid volunteers, not the mere fact that it's "open" as if that dash of pixie dust makes a project magically better.

  • Re:Why 1024? (Score:5, Insightful)

    by smash ( 1351 ) on Sunday September 09, 2012 @09:36PM (#41284269) Homepage Journal
    Because NSA / CIA haven't cracked 2048 bit yet, silly.
  • Re:Why 1024? (Score:5, Insightful)

    by betterunixthanunix ( 980855 ) on Sunday September 09, 2012 @11:12PM (#41284757)
    So you are going to tell one of your biggest customers, "We told you over a year ago that you had to replace those hardware modules, so why did you not do it?"

    It is easy for Microsoft to phase out 768 bit keys; hardly anyone uses them these days. 1024 bit keys are a completely different story; they are widespread, popular, and it is going to be expensive to replace them all. For over a decade, 1024 bits has been the default, and during that time a lot of systems were deployed, including a lot of hardware modules. Some of those systems have the key-length set in stone, and some of those systems are hard to replace (imagine taking a mission critical system down to upgrade your key length -- try selling that one to management).

    1024 bit is deprecated, but it is not going to be gone any time soon. There is just too much friction, and too little understanding of why key lengths should be increased.
  • Re:Why 1024? (Score:2, Insightful)

    by Jane Q. Public ( 1010737 ) on Sunday September 09, 2012 @11:17PM (#41284775)

    "If you want to cut 40% of the internet users off from your content, that's your prerogative."

    Yes, indeed it is. But it could be 30%, or 20%, or whatever, if it were some browser other than Explorer. The only reason I mentioned Explorer at all is because it is Microsoft doing this.

    But I don't agree with companies using coercive tactics to push a standard THEY decided THEY like. I don't particularly care what standard that is.

  • Re:Why 1024? (Score:5, Insightful)

    by Firethorn ( 177587 ) on Monday September 10, 2012 @01:04AM (#41285173) Homepage Journal

    From reading on the issue, the problem isn't fresh keys, it's older programs and hardware that can't handle anything greater than 1024. Not all of them have the option to handle 2048+. So we have to wait until those are replaced before breaking support for them.

  • Re:Why 1024? (Score:4, Insightful)

    by aaarrrgggh ( 9205 ) on Monday September 10, 2012 @05:46AM (#41285969)

    Bigger keys in banking? Why do we still have the 14 bit pin codes then...

  • Re:Why 1024? (Score:2, Insightful)

    by Anonymous Coward on Monday September 10, 2012 @08:04AM (#41286399)

    For the same reason you don't carry a vault in your pocket. 14 bits is enough to protect the $10^3 moving out of your ATM account, but something better is called for when processing $10^9 interbank transactions.
