Getting a handle on security certificates

Susan Bradley

We rely on SSL certificates for safe Web surfing and secure online transactions; but how many of us understand the issues surrounding security certs — or those related error messages?

Here’s what you need to know about SSL certificates — and how update KB 2661254 helps solve certificate problems.

Updating the strength of certificates

Windows update KB 2661254 ensures that our operating systems no longer trust any security certificate of fewer than 1024 bits. I’ve had this update in the Patch Watchchart “Wait” category for several months. It’s now time to install it, and I’ll explain why.

But before I discuss certificates, let’s be clear about a closely related topic that’s easily confused with certificate security — browser encryption strength. When you click Internet Explorer’s Tools icon and then About Internet Explorer, you’ll see that the browser has a cipher strength of 256 bits — significantly fewer than the 1024 bits we now require for SSL certificates. The primary reason browsers use only 256-bit encryption is speed. A 2007 TechNet blog states that 128-bit encryption was sufficient for the data we send and receive over the Net. So 256 bits should be a good balance between speed and security.

An MSDN blog describes how a browser securely communicates with a website. Here’s the simple version: The browser starts by sending a handshake offer to the targeted website. The website sends a handshake back. You can see part of this process in the Figure 1 screen capture of a Wireshark report generated as I signed in to and entered my username and password. (Wireshark [download site] is an app that lets you see networking transmissions at a deep level.)

Wireshark report

Figure 1. Wireshark shows the step-by-step process of establishing a secure Web connection.

The sign-in process might appear to users as a nearly immediate, one-step process, but Wireshark shows the multiple steps needed to complete the transaction. The details of how it works are too long for this story, but a Wikipedia article does a relatively good job of explaining it. Briefly put: Within moments, your computer and a remote webserver agree to use a secure connection, via a handshake.

When a browser makes a secure connection to a webserver, another critical part of the process ensures that the server is authentic. This is accomplished by means of Secure Socket Layer (SSL) certificates (SSL is the component that encrypts transmitted data). But although 256-bit encryption might be fine for passing our credentials (username and password) and our data over the Net, it’s inadequate to protect certificates.

This article is part of our premium content. Join Now.

Already a paid subscriber? Click here to login.

= Paid content

All Windows Secrets articles posted on 2012-11-21:

Susan Bradley

About Susan Bradley

Susan Bradley is a Small Business Server and Security MVP, a title awarded by Microsoft to independent experts who do not work for the company. She's also a partner in a California CPA firm.