scary certificate for www.update.microsoft.com
zenadsl6186 at zen.co.uk
Mon Jun 18 20:16:47 BST 2012
Ben Liddicott wrote:
> RSA is not in suite B either.
A big trail of big suppositions follows. There may be nothing in it.
Suppose GCHQ have made a small theoretical improvement in factoring or
breaking RSA, and NSA has built the hardware to do it - maybe enough for
200 1kbit keys per year.
In order to get the money NSA has had to say in confidence that "they
have made a significant advance in codebreaking", which has leaked
somewhat, US politicians being what they are.
As many sites update their keys twice a year, suppose that NSA has the
private keys to 1000 certificates at any time. Say 50 of these are used
for spy stuff, and 500 are the keys are used to - unlock the 50 biggest
That's about 99.5% of all https traffic, I guess.
Now NSA can collect internet traffic because the President lets them,
and GCHQ want access to raw internet traffic - after all, it's no good
having the keys if you can't access the traffic, it's not usually sent
by broadcast radio any more.
What better way to collect traffic than a comms bill like the proposed one?
-- Peter Fairbrother.
> Also Microsoft will give security updates to unlicensed copies of
> Windows, the last time I heard, just not functionality updates.
> On 18/06/2012 12:37, Tony Naggs wrote:
>> Neither the blog nor the 2 SSL test tools point out that Microsoft are
>> still using SHA1 on their new certificate for signing.
>> SHA1 has been known since 2005 to be weak, and US NSA advice via NIST
>> since 2006 has been:
>> "Federal agencies must stop relying on digital signatures that are
>> generated using SHA-1 by the end of 2010."
> (... deletia...)
>> Really everyone should be using SHA2-256 or better on all new
>> certificates by now!
>> Yes, as I'm sure you know the Windows Update tool runs (ActiveX) stuff
>> to help Microsoft to try to limit updates to go only to PCs with
>> correctly licensed Windows.