Security Alert

Your browser uses certificates to establish the identity of whoever is at the other end of a secure login, for example, your bank. To ensure they cannot be forged, certificates are digitally signed using one of two hash methods, MD5 or SHA. One of the two (MD5) has been broken, meaning that it is now possible to forge certificates that use this method. For this reason, the many companies that still use MD5 are issuing new certificates using the SHA method so their certificates can't be forged.

It is very difficult to exploit this flaw, and the criminal would still need to hijack your DNS server or use some other blended attack, but MD5 has been crumbling for years and should be abandoned.

So, how do you update your certificates? How do you get the new secure ones when they become available?

For some inexplicable reason, beyond my comprehension, Microsoft considers these security fixes as "optional" and not "high-priority". You need to go into Windows Update, select Custom, then select Software, Optional, and then select Certificates. Check back each month, as I expect more and more companies will switch.

I strongly recommend using this update method either instead of or in addition to the automagical method Microsoft recommends.

Date: March 2009

Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.