Microsoft to revoke certificates with fewer than 2048 bits

News by Dan Raywood

Certificates with fewer than 2048 bits are to be treated as invalid by Microsoft.

Certificates with fewer than 2048 bits are to be treated as invalid by Microsoft.

According to a security advisory from the company, from next month certificates with less than 2048 bits will be treated as invalid, even if they are currently valid and signed by a trusted certificate authority.

Microsoft Trustworthy Computing spokesperson Yunsun Wee said its experts have recommended that those using RSA keys should choose a key length of at least 2048 bits, and the update will follow these guidelines. Wee said: “We're reminding you now to allow everyone time to make necessary adjustments.”

Wee also said that in the course of normal certificate-related housekeeping, Microsoft spotted a number of digital certificates that did not meet its standard for security practices.

“Though we have no indication that those had been compromised or misused in any fashion, as a precautionary measure we've revoked them. A subset of those was in addition found to have code signing permissions, which has earned them a place in the Untrusted Certificate Store,” Wee said.

Microsoft has also released an advisory to allow system administrators to disable the Windows sidebar and gadgets on supported versions of Windows Vista and Windows 7 with one fix it click.

As Windows 8 will deprecate the sidebar and gadgets, Wee said that some Vista and Windows 7 gadgets do not adhere to secure coding practices and should be regarded as causing risk to the systems on which they're run.

Wee said: “With time running out for the sidebar and gadgets and with developers already moving on, we've chosen to deprecate the Windows gadget gallery effective immediately, and to provide a fix it to help system administrators disable gadgets and the sidebar across their enterprises.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews