MS update coming to block MD5 digital certificates

Summary: On Patch Tuesday, Microsoft will issue an update that removes support for TLS/SSL and other digital certificates that use MD5 hashes.

As part of a general effort to move its users forward in the use of cryptographic standards, Microsoft will issue an update today, as part of the Patch Tuesday updates, that removes support for digital certificates that use the MD5 hash standard through the Microsoft Root Certificate Program.

The update has been available for download voluntarily, for users to test the effects, since Patch Tuesday of August 2013.

Root certificates are one of the essential trusted elements in a system of digital certificates, such as those in Windows for TLS/SSL and code signing. If one trusts the software and the root certificates, then other certificates which are part of a chain of certificates ultimately signed by the root are demonstrably trustworthy as well. Thus the list of trusted root certificates is largely a list of signing certificates from certificate authorities (CAs).

One of the important technological building blocks of certificates, and of public key encryption generally, is the hash algorithm. The MD5 algorithm was cutting-edge in its day, but for many years it has been weakened to the point that nobody should be using it. Companies like Microsoft and Google have been nudging their users off of MD5 for some time, and Microsoft has even begun the process of moving beyond MD5's successor, SHA-1.

After applying Tuesday's updates, it is possible, but unlikely, that you will see certificate errors on HTTPS sites in Internet Explorer or Google Chrome (which uses the same Windows Crypto libraries). These errors should be reported to the site administrator.

Last summer Microsoft released a separate update for Windows which enabled this deprecation of old, weak cryptographic standards. This update is a prerequisite for the one to be released Tuesday, but if you have been good about applying past updates you should have the prerequisite installed and be ready.

Topics: Security, Windows

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
