Security Alert

Certificates are used by your browser to establish the identity of the people at the other end of a secure login, for example, your bank. These are encrypted with either MD5 or SHA to ensure they cannot be forged. One of the two ways of signing these (md5) has been broken, meaning that it is now possible to forge certificates which use this method. For this reason, the many companies that still use MD5 are issuing new certificates using the SHA method so their certificates can't be forged.

It is very difficult to exploit this flaw, and the criminal would still need to hijack your DNS server or use some other blended attack, but MD5 has been crumbling for years and should be abandoned.

So, how do you update your certificates? How do you get the new secure ones when they become available?

For some inexplicable reason, beyond my comprehension, Microsoft considers these security fixes as "optional" and not "high-priority". You need to go into Windows update, select Custom.

then select Software, Optional

and then select Certificates. Check back each month as I expect more and more companies will switch.

I strongly recommend using this update method either instead of or in addition to the automagical method Microsoft recommends.

Date: March 2009

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

Keeping clients' computers safe and profitable for over 30 years

Home Forms About Current Newsletter subscribe Search All Articles Browse by Category Security Internet Mobile Business Hardware Fun		Security Alert Certificates are used by your browser to establish the identity of the people at the other end of a secure login, for example, your bank. These are encrypted with either MD5 or SHA to ensure they cannot be forged. One of the two ways of signing these (md5) has been broken, meaning that it is now possible to forge certificates which use this method. For this reason, the many companies that still use MD5 are issuing new certificates using the SHA method so their certificates can't be forged. It is very difficult to exploit this flaw, and the criminal would still need to hijack your DNS server or use some other blended attack, but MD5 has been crumbling for years and should be abandoned. So, how do you update your certificates? How do you get the new secure ones when they become available? For some inexplicable reason, beyond my comprehension, Microsoft considers these security fixes as "optional" and not "high-priority". You need to go into Windows update, select Custom. then select Software, Optional and then select Certificates. Check back each month as I expect more and more companies will switch. I strongly recommend using this update method either instead of or in addition to the automagical method Microsoft recommends. Date: March 2009 This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
		I attempt to provide reliable information, but make no warranty as to the accuracy or safety of these articles. I disclaim all legal responsibility for what following these instructions may do. Follow my advice at your own risk