SANS ISC: Microsoft security advisories: RDP and MD5 deprecation in Microsoft root certificates

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Microsoft also released a couple of security advisories today.

Remote Desktop Protocol

SA 2861855 notifies of improvements in the RDP protocol to force users to authenticate themselves before they can get a logon screen. (Network Level Authentication (NLA))

Microsoft root certificates MD5 deprecation

SA 2862973 and the updated SA 2854544 describe efforts to phase out the use of the old MD5 hash algorithm in Microsoft root certificates. 

It amazes me how they still use such an ancient hash algorithm as MD5. I've been involved -now years ago- in a mandatory migration of SHA-1 to SHA-256 for use in (high end) certificates. The migration was mandatory from regulatory and legal perspective - ETSI TS 101 456.  I've had to write justifications on why we needed a few more months of use of SHA-1 than the deadline that was imposed on us and detail the risk mitigation we had in place in order to justify that.
I wonder how one could justify the use of MD5 till today even if one is not bound by legislation and regulation.

--
Swa Frantzen