Can we just chuck them out the door?

On December 30, 2008, in Security, by

So in reading this blog post before this one one got the impression that all MD5 based certificates are bad and should be chucked out the window.

Cool we can do that, open up that MMC snap in and TAKE THAT you potentially rogue certs!

1. Add the Certificates snap-in to the Microsoft Management Console.

a. Click the Start button, click Run, type mmc, and click OK.
b. Click the File menu, and select Add\Remove Snap-in.
c. Click the Add button, then select the Certificates snap-in and click Add
d. Select Computer Account and click Next
e. Click Finish.
f. Click Close.
g. Click OK.

2. Expand Certificates (Local Computer).
3. Expand Trusted Root Certification Authorities.
4. Click on Certificates.
5. Backup and then delete trusted root certificates that you are not using in your environment.

So we can use this process to also look at EVERY root cert in our trusted store and chuck out the door any cert that is based on MD5 right?

But hang on, not so fast.  Some of those certificates are Microsoft ones and in fact per Trusted root certificates that are required by Windows Server 2008, by Windows Vista, by Windows Server 2003, by Windows XP, and by Windows 2000:;EN-US;293781 there’s a couple of key certificates that one shouldn’t export and delete even though they are MD5 based:

That one in fact, happens to be a MD5 based cert.

But what does that mean?

For this particular certificate it means that any new certificates signed by Microsoft with a MD5 hash would be suspect, but they don’t sign today’s certificates with MD5 anymore.

It means that the attack is still very much in the theoretical not the actual sky is falling realm.  It still means that we do need to train people to not blindly click on certificate errors.  And if you don’t understand the full impact, ask smarter people that you, like I did, to explain it in better details.



Comments are closed.