MS update coming to block MD5 digital certificates

On Patch Tuesday, Microsoft will issue an update that removes support for TLS/SSL and other digital certificates that use MD5 hashes.

As part of a general effort to move its users forward in the use of cryptography standards, Microsoft will issue an update today, as part of the Patch Tuesday updates, that removes support for digital certificates that use the MD5 hash standard through the Microsoft Root Certificate Program.

The update has been available for download voluntarily, for users to test the effects, since Patch Tuesday of August 2013.

Root certificates are one of the essential trusted elements in a system of digital certificates, such as those in Windows for TLS/SSL and code signing. If one trusts the software and the root certificates, then other certificates which are part of a chain of certificates ultimately signed by the root are demonstrably trustworthy as well. Thus the list of trusted root certificates is largely a list of signing certificates from certificate authorities (CAs).

One of the important technological building blocks of certificates, and of public key encryption generally, is the hash algorithm. The MD5 algorithm was cutting-edge in its day, but for many years it has been weakened to the point that nobody should be using it. Companies like Microsoft and Google have been nudging their users off MD5 for some time, and Microsoft has even begun the process of moving beyond MD5's successor, SHA-1.

After applying Tuesday's updates, it is possible, but unlikely, that you will see certificate errors on HTTPS sites in Internet Explorer or Google Chrome (which uses the same Windows Crypto libraries). These errors should be reported to the site administrator.

Last summer Microsoft released a separate update for Windows which enabled this deprecation of old, weak cryptographic standards. This update is a prerequisite for the one to be released Tuesday, but if you have been good about applying past updates you should have the prerequisite installed and be ready.
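For administrators who want to know ahead of time whether any certificate on a Windows machine is signed with MD5, the following added example (not from the article or from Microsoft) inventories the local certificate stores by signature algorithm. The function name `Get-WeakSignatureCertificate` is hypothetical, and the sketch also lists SHA-1 signatures because the article notes that Microsoft is moving beyond SHA-1 as well.

```powershell
# Added example: list certificates in the local Windows certificate stores
# whose signature uses MD5 or SHA-1 with RSA.
# Get-WeakSignatureCertificate is a hypothetical helper name.
function Get-WeakSignatureCertificate {
    param(
        # Certificate provider roots to search (both are standard PowerShell drives).
        [string[]]$StoreRoot = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )

    # Standard PKCS #1 signature algorithm OIDs.
    $weakSigOids = @{
        '1.2.840.113549.1.1.4' = 'md5RSA'
        '1.2.840.113549.1.1.5' = 'sha1RSA'
    }

    foreach ($root in $StoreRoot) {
        # Some stores may be unreadable without elevation; skip those quietly.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            Where-Object { $weakSigOids.ContainsKey($_.SignatureAlgorithm.Value) } |
            ForEach-Object {
                [pscustomobject]@{
                    Algorithm  = $weakSigOids[$_.SignatureAlgorithm.Value]
                    Store      = $_.PSParentPath
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                    Subject    = $_.Subject
                }
            }
    }
}

# MD5 entries sort first; review each one with the certificate's owner or issuer.
Get-WeakSignatureCertificate |
    Sort-Object Algorithm, Store |
    Format-List
```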
