scary certificate for www.update.microsoft.com
Tony Naggs
tony.naggs at googlemail.com
Mon Jun 18 12:37:52 BST 2012
On 18 June 2012 07:44, Roland Perry <lists at internetpolicyagency.com> wrote:
> And here's a blog fresh off the press:
>
> http://unmitigatedrisk.com/?p=116
>
> But I have one issue with the author. He writes:
>
> I think it’s probably legitimate to use another browser to
> download patches.
>
Neither the blog or the 2 SSL test tools point out that Microsoft are
stilling using SHA1 on their new certificate for signing.
SHA1 has been known since 2005 to be weak, and US NSA advice via NIST since
2006 has been:
"Federal agencies must stop relying on digital signatures that are
generated using SHA-1 by the end of 2010."
Ref:http://csrc.nist.gov/groups/ST/hash/statement.html
Really everyone should be using SHA2-256 or better on all new certificates
by now!
> However:
>
> 1) Microsoft has long said that you can only use their own browser to
> download updates (or a browser that claims to be theirs).
>
> 2) Their update site no longer downloads patches. Yes, that's right. All
> it has is a message saying "please use your Windows Control Panel"
> [instead].
>
Yes, as I'm sure you know the Windows Update tool runs (ActiveX) stuff to
help Microsoft to try to limit updates to go only to PCs with correctly
licensed Windows.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.chiark.greenend.org.uk/pipermail/ukcrypto/attachments/20120618/b3092544/attachment.html>
More information about the ukcrypto
mailing list