scary certificate for www.update.microsoft.com

Ben Liddicott ben at liddicott.com
Mon Jun 18 18:37:21 BST 2012


RSA is not in Suite B either.

Also, Microsoft will give security updates to unlicensed copies of
Windows, the last time I heard, just not functionality updates.

Cheers,
Ben

On 18/06/2012 12:37, Tony Naggs wrote:
> Neither the blog nor the 2 SSL test tools point out that Microsoft are
> still using SHA1 on their new certificate for signing.
>
> SHA1 has been known since 2005 to be weak, and US NSA advice via NIST 
> since 2006 has been:
> "Federal agencies must stop relying on digital signatures that are 
> generated using SHA-1 by the end of 2010."
>
> Ref: http://csrc.nist.gov/groups/ST/hash/statement.html
(... deletia...)

> Really everyone should be using SHA2-256 or better on all new 
> certificates by now!
> Yes, as I'm sure you know the Windows Update tool runs (ActiveX) stuff 
> to help Microsoft to try to limit updates to go only to PCs with 
> correctly licensed Windows.



More information about the ukcrypto mailing list