So for everyone concerned, the sky is only partially falling today. If you’ve been reading the security news, you’ve probably seen the links to
http://www.win.tue.nl/hashclash/rogue-ca/ and to http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt and to http://www.microsoft.com/technet/security/advisory/961509.mspx and to http://blogs.technet.com/msrc/archive/2008/12/30/information-on-microsoft-security-advisory-961509.aspx and finally to http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx
So what’s the best mitigations? Firstly normal godaddy certs are indeed based on Sha1 and not MD5
Next train folks to stop and bad or broken SSL certs. Yes that means buying third party certs for your SBS boxes and not using self signed.
On a related note one of my pet peeves (and one of Darryl Roberts) is when you install an update to the root certificates on your server and then it throws off a Event 36885 Schannel error in your event logs. The ‘fix’ is to tell you to remove those certificates you don’t need. Okay..but…. which ones? There are 219 of ‘em, which ones do I not need?
Interestingly enough certs number 5 and 6 in that view are based on MD5, and given that I live in Fresno, not France, so me thinks I’ll back those up and export them out since they are based on MD5 anyway.
But if you are seeing the Schannel issue…
Windows Event ID 36885 from Schannel:
Darryl reported that this hotfix (which isn’t just for IAS servers but any server) will allow that repository to increase as it should to hold the proper root certs.
Clients cannot make connections if you require client certificates on a Web site or if you use IAS in Windows Server 2003: