Microsoft revises its certificate management
In response to the worst-case scenario that Flame demonstrated, Microsoft has now integrated a custom block list feature into its certificate store under Windows. The feature was deployed as part of this month's Patch Tuesday. The Flame worm had spread via the Windows Update feature by manipulating the certificates that were intended to protect Windows updates from tampering.
As described in a Microsoft Security Response Center (MSRC) blog post, the latest modification automatically causes compromised certificates to be regarded as untrusted. To achieve this, the certificate store checks a Microsoft-maintained list on a daily basis for certificates that are no longer trustworthy. Certificate Authorities are required to inform the company of any revoked certificates, which will then be added to the list. According to a Windows PKI blog post, this method is considerably faster than the deployment of Certificate Revocation Lists (CRLs).
Microsoft has also announced that RSA keys of less than 1,024 bits in length will no longer be accepted by Windows once the forthcoming software update for August has been installed. This affects the SSL certificates of websites: browsers will respond with an error message when a connection attempt to an affected site is made. Users will also no longer be able to install ActiveX controls and applications that were signed using short keys.
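Before the August update lands, an administrator will want to know which certificates in the local stores would be rejected. The following PowerShell script is an added example, not code from the article or from Microsoft: it walks the LocalMachine and CurrentUser certificate stores and reports every RSA public key shorter than 1,024 bits. The store paths, the 1,024-bit threshold taken from the article, and the use of `RSACertificateExtensions::GetRSAPublicKey` (which returns `$null` for non-RSA keys) are the assumptions it makes.

```powershell
# Added example (not from the article): audit the local Windows certificate stores for RSA
# public keys shorter than 1024 bits, the length Windows stops accepting after the August update.
# Assumes Windows PowerShell 5.1 or PowerShell 7 with the Cert: drive provider available.

$MinimumRsaBits = 1024
$StoreRoots = @('Cert:\LocalMachine', 'Cert:\CurrentUser')

function Get-RsaKeyLength {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # GetRSAPublicKey returns $null for non-RSA keys (ECDSA, DSA), so those are skipped.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa) { return $null }
    try { return $rsa.KeySize } finally { $rsa.Dispose() }
}

$weak = foreach ($root in $StoreRoots) {
    # Recurse through every logical store (My, Root, CA, TrustedPublisher, ...) under the root.
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $bits = Get-RsaKeyLength -Certificate $_
            if ($null -ne $bits -and $bits -lt $MinimumRsaBits) {
                [pscustomobject]@{
                    Store      = $_.PSParentPath -replace '^.*::', ''
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    KeyBits    = $bits
                    NotAfter   = $_.NotAfter
                }
            }
        }
}

if ($weak) {
    $weak | Sort-Object KeyBits, Store | Format-Table -AutoSize
} else {
    Write-Output "No RSA certificates shorter than $MinimumRsaBits bits were found."
}
```

Run it in an elevated session so that the LocalMachine stores are fully readable; certificates that appear in the output will need to be reissued with longer keys before the update is installed. The untrusted certificates that the article's daily block list delivers are kept in the separate Disallowed store, which can be listed with `Get-ChildItem Cert:\LocalMachine\Disallowed`.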