MS update coming to block MD5 digital certificates

Summary: On Patch Tuesday, Microsoft will issue an update that removes support for TLS/SSL and other digital certificates that use MD5 hashes.

TOPICS: Security, Windows

As part of a general effort to move its users forward in the use of cryptography standards, Microsoft will issue an update today, as part of the Patch Tuesday updates, that removes support, through the Microsoft Root Certificate Program, for digital certificates that use the MD5 hash standard.

The update has been available as a voluntary download since Patch Tuesday of August 2013, so that users could test its effects.

Root certificates are one of the essential trusted elements in a system of digital certificates, such as those in Windows for TLS/SSL and code signing. If one trusts the software and the root certificates, then other certificates which are part of a chain of certificates ultimately signed by the root are demonstrably trustworthy as well. Thus the list of trusted root certificates is largely a list of signing certificates from certificate authorities (CAs).

One of the important technological building blocks of certificates, and of public key encryption generally, is the hash algorithm. The MD5 algorithm was cutting-edge in its day, but for many years it has been weakened to the point that nobody should be using it. Companies like Microsoft and Google have been nudging their users off of MD5 for some time and Microsoft has even begun the process of moving beyond MD5's successor, SHA-1.

After applying Tuesday's updates, it is possible, but unlikely, that you will see certificate errors on HTTPS sites in Internet Explorer or Google Chrome (which uses the same Windows Crypto libraries). These errors should be reported to the site administrator.
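For a site administrator who wants to find MD5-signed certificates before users report errors, here is one way to check, as an added example that is not from the article or from Microsoft. The function names, the default store paths and the certificate file argument are assumptions; the OID is md5WithRSAEncryption from PKCS #1.

```powershell
# Added example: find certificates whose signature was made with MD5.
# 1.2.840.113549.1.1.4 is md5WithRSAEncryption (PKCS #1); Windows shows it as md5RSA.
$Md5SignatureOids = @('1.2.840.113549.1.1.4')

function Get-Md5SignedCertificate {
    param(
        # Stores to scan. These defaults are an assumption; adjust to your servers.
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA')
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
                           $Md5SignatureOids -contains $_.SignatureAlgorithm.Value } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Algorithm  = $_.SignatureAlgorithm.FriendlyName
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

function Get-ChainSignatureAlgorithm {
    param([Parameter(Mandatory = $true)][string]$CertificateFile)  # e.g. an exported .cer file
    $file  = (Resolve-Path -Path $CertificateFile).Path
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Build() returns $false when validation fails; ChainElements still holds the chain it assembled.
    [void]$chain.Build($cert)
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        [pscustomobject]@{
            Subject    = $c.Subject
            Algorithm  = $c.SignatureAlgorithm.FriendlyName
            UsesMd5    = $Md5SignatureOids -contains $c.SignatureAlgorithm.Value
            # A self-signed root is trusted by being in the root store, not by its own signature.
            SelfSigned = $c.Subject -eq $c.Issuer
        }
    }
}

Get-Md5SignedCertificate | Format-Table -AutoSize
```

`Get-ChainSignatureAlgorithm` takes a server certificate exported to a file and lists the signature algorithm of every certificate in its chain, so an MD5-signed intermediate is visible even when the leaf certificate itself uses a newer hash.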

Last summer Microsoft released a separate update for Windows which enabled this deprecation of old, weak cryptographic standards. This update is a prerequisite for the one to be released Tuesday, but if you have been good about applying past updates you should have the prerequisite installed and be ready.

  • Does this explain why Yahoo sites have been....

    throwing me "certificate error" warnings sporadically the last month or so??? Just sayin.
    • Probably not

      There are lots of reasons why you might get those. Most common is that they have an SSL page with non-SSL elements (like graphics) on it.
      Larry Seltzer
    • groups

      I've been getting that error a lot from groups. Yahoo seems to be trying to make as many things fail as possible lately. I'm not aware of going to any SSL/HTTPS URLs at Yahoo.