Getting a handle on security certificates

Susan Bradley

We rely on SSL certificates for safe Web surfing and secure online transactions; but how many of us understand the issues surrounding security certs — or those related error messages?

Here’s what you need to know about SSL certificates — and how update KB 2661254 helps solve certificate problems.

Updating the strength of certificates

Windows update KB 2661254 ensures that our operating systems no longer trust any security certificate of fewer than 1024 bits. I’ve had this update in the Patch Watch chart “Wait” category for several months. It’s now time to install it, and I’ll explain why.

But before I discuss certificates, let’s be clear about a closely related topic that’s easily confused with certificate security — browser encryption strength. When you click Internet Explorer’s Tools icon and then About Internet Explorer, you’ll see that the browser has a cipher strength of 256 bits — significantly fewer than the 1024 bits we now require for SSL certificates. The primary reason browsers use only 256-bit encryption is speed. A 2007 TechNet blog states that 128-bit encryption was sufficient for the data we send and receive over the Net. So 256 bits should be a good balance between speed and security.

An MSDN blog describes how a browser securely communicates with a website. Here’s the simple version: The browser starts by sending a handshake offer to the targeted website. The website sends a handshake back. You can see part of this process in the Figure 1 screen capture of a Wireshark report generated as I signed in to windowssecrets.com and entered my username and password. (Wireshark [download site] is an app that lets you see networking transmissions at a deep level.)

Wireshark report

Figure 1. Wireshark shows the step-by-step process of establishing a secure Web connection.

The sign-in process might appear to users as a nearly immediate, one-step process, but Wireshark shows the multiple steps needed to complete the transaction. The details of how it works are too long for this story, but a Wikipedia article does a relatively good job of explaining it. Briefly put: Within moments, your computer and a remote webserver agree to use a secure connection, via a handshake.

When a browser makes a secure connection to a webserver, another critical part of the process ensures that the server is authentic. This is accomplished by means of Secure Socket Layer (SSL) certificates (SSL is the component that encrypts transmitted data). But although 256-bit encryption might be fine for passing our credentials (username and password) and our data over the Net, it’s inadequate to protect certificates.

As mentioned above, KB 2661254 establishes a minimum certificate-encryption strength of 1024 bits. Some security researchers argue that even this level isn’t good enough — especially for online commerce. As far back as 2007, Ecole Polytechnique Fédérale de Lausanne cryptology professor Arjen Lenstra stated, according to a Network World story, that it was merely a matter of time before we saw the end of 1024-bit encryption. As computers get faster, it’s easier to crack encryption.

Fast-forward to 2012, and we’re just installing an update that prevents Windows from accepting security certificates of fewer than 1024 bits.

Ultimately, all websites will have to move to 2048-bit encryption. In its Special Publication 800-57 (PDF), Recommendation for Key Management, the U.S. National Institute of Standards and Technology (NIST) advised that 1024-bit encryption keys could keep us secure for only so long. An Entrust document cites that report as the reason Microsoft will remove 1024-bit certificates from its Root Certificate Program by Dec. 31, 2013 — a little over a year hence.

Again, this is all due to better encryption-cracking tools: faster computers and cloud computing that lets groups of computers crunch away at possible encryption keys — the code that actually unlocks encrypted files. For example, cloudcracker.com is a security site that lets professionals test “WPA-protected wireless networks, crack password hashes, or break document encryption.” Its Chapcrack tool (site) captures network transmissions, uploading a file to a website powered by cloud computing. Pay your fee, wait a few hours, and, voilà, you get a cracked WEP or VPN password. Until recently, that level of computational work took days, weeks, or months.

But why stop at 2048-bit encryption? Why not double that? Or triple it? Again, it comes down to processing speed; having more bits of encryption taxes servers and slows down the initial connection process, as noted in a 2010 semicomplete.com study of SSL latency. It’s that delicate balance between security and our expectation of Internet speed.

Bottom line: it’s time to ensure your systems no longer trust any SSL certificate presented that has less than 1024-bit encryption. Install KB 2661254 soon. I’ve had no problems with the update on my systems.

Getting to the bottom of SSL-cert errors

If you’ve spent any time on the Web, you’ve run across a large and often confusing certificate-error message. Often, these warnings state that the site has a problem with its security certificate but never tell you what exactly the problem is.

Take, for example, the “There is a problem with this website’s security certificate” error shown in Figure 2. It recommends only that you close the suspect webpage. Even if you’re sure the website is safe, the warning will cause some level of worry. Has the site been hacked, or is there merely a technical error? Reluctantly, you click the Continue link, as shown in Figure 2.

Problem certificate warning

Figure 2. Certificate-error messages often provide little information, leaving you with an uncomfortable decision.

Often, these error messages come from small-business sites using self-signed certificates (Wikipedia info), for which the site owner signs the issued certificate. (More specifically, a service on their server — the certificate authority — issues these SSL certificates.) Self-signed certificates simply ensure that the browser/webserver connection uses SSL encryption.

For many years, Small Business Server 2003 included self-signed certificates as part of its remote-access technology. However, it has increasingly fallen out of favor for two reasons, one of which is those confusing cert-error messages.

It also became harder and harder to get self-signed certificates installed on computers and phones that needed to connect back to the server. For example, securing e-mail between a phone and server typically requires manually installing the certificate on the phone — or instructing the phone to ignore the self-signed cert error. That’s not an easy task on a Windows-based phone.

Typically, when visiting a self-signed certificate site, you have to click Continue to get to the site. From there, you can click the red Certificate Error box, as shown in Figure 3, to find out why the browser doesn’t like the certificate.

Cert error info

Figure 3. Click the red Certificate Error box to the right of the browser URL bar (IE shown) for more info on the error.

In this case, the error was self-inflicted: I have a printer that has a Web-based console. I use a self-signed certificate provided by the printer manufacturer to protect the site when I sign in with my username and a password. In reality, the site didn’t have an error; when I clicked the view certificates link, the next popup dialog box (see Figure 4) showed that I needed to manually install the self-signed certificate into my browser.

Cert info

Figure 4. The Certificate Information box shows that the certificate is not flawed; it needs to be installed.

Pages with secured and unsecured content

There’s another common certification-error message. Go to a website that includes SSL security (as noted by the https:// in the URL). While on the site, you get this message: “Do you want to view only the webpage content that was delivered securely?” In this case, the site is providing both https (secure) and http (unsecure) information on the same webpage.

Secure-unsecure content warning

Figure 5. Some sites will deliver secure and unsecure content on the same page.

Typically this occurs when a site uses banner ads or external images on an otherwise secured e-commerce page. (It would be best if websites never included unsecured information on a page containing SSL transactions.) Practically speaking, I recommend clicking the No button. The page will probably have a broken image box or two and blank banner ads, but it should otherwise work.

The root-cert conundrum

Root certificates (Wikipedia definition) are key tools for Web security in Windows. Vista or newer versions of Windows get root certificates automatically; Windows XP systems still need manual updates. KB 931125, a package of root certificates for XP systems, adds new certificates and removes outdated ones.

Typically, I’ve recommended not installing the update if your system was running fine. But every now and then, I get it wrong. So please ignore my previous advice and install KB 931125 from its MS Download Center. According to an MS TechNet document, Microsoft’s Root Certificate Program lets trusted Certificate Authorities (CAs) add or remove their certificates as needed.

There have been cases where a member CA has been tricked, scammed, or hacked and has therefore released a fraudulent certificate. So being on Microsoft’s trusted-root listing comes with a high level of responsibility — and we have to trust this security foundation. (The potential flaw in the system is that if you trust the root certificate, you automatically have to trust all certificates covered by the root.)

To see this certificate/root certificate relationship for yourself, go to the DigiCert help page and enter a website address, such as that of Windows Secrets. As shown in Figure 6, because your system trusts the GeoTrust DV SSL CA certificate, it also trusts the SSL provided by windowssecrets.com’s sign-in page. (GeoTrust is a member of the MS Root Certificate Program.) You never needed to install a windowssecrets.com certificate.

caption here

Figure 6. Windows Secrets' site certificate is held within the GeoTrust DV SSL CA certificate.

As mentioned earlier, Vista, Win7, and Win8 get certificate updates automatically, but XP and Windows Server 2003 do not. Consequently, there are instances where an important e-commerce site fails on an XP system, even though the site had a proper SSL certificate — simply because the user had not installed KB 931125.

So once again, install KB 931125 — especially if you stumble on a website that displays errors.

Have you come across SSL certificate errors that leave you scratching your head? Post the error in the Windows Secrets Lounge thread for this article, and we’ll do our best to decipher them.



Subscribe to our Windows Secrets Newsletter - It's Free!

Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

Windows 8.1: Out of the box

Subscribe and get our monthly bonuses - free!

Get a real feel for Windows 8.1 with a wealth of tips in this step-by-step guide. This month, Windows Secrets subscribers can download the first 2 chapters for free: Using Windows 8.1 and Using Email and the Internet. Get this excerpt and other 5 bonuses if you subscribe now!

= Paid content

All Windows Secrets articles posted on 2012-11-21:

Susan Bradley

About Susan Bradley

Susan Bradley is a Small Business Server and Security MVP, a title awarded by Microsoft to independent experts who do not work for the company. She's also a partner in a California CPA firm.