Over the last few years, Microsoft has made a series of announcements about TLS (Transport Layer Security) updates and changes, most of them aimed at making Windows a more secure OS.
The most recent of those were the deprecation of TLS 1.0 and 1.1 in upcoming Windows releases, announced in August last year, and, earlier this year, the end of TLS 1.0 and 1.1 support for Azure Storage Accounts. Microsoft later issued a reminder about the former, since it is a major shift.
Following those, Microsoft has now announced that it will soon end support for RSA keys shorter than 2048 bits in TLS server authentication. Future Windows versions will treat RSA server certificates with such keys as invalid, so connections to websites and other web-based apps that still rely on outdated key sizes will be refused rather than completed with a key that offers too little security margin.
The update is long overdue: current standards and security best practices call for at least a 2048-bit RSA (Rivest–Shamir–Adleman) key or a 256-bit ECDSA (Elliptic Curve Digital Signature Algorithm) key.
A 1024-bit RSA key provides roughly 80 bits of security strength, while a 2048-bit key provides about 112 bits (the figures NIST uses in SP 800-57), and a 256-bit ECDSA key about 128 bits. Each additional bit of strength doubles the work an attacker needs, so in this case more is better.
On its website, Microsoft explains the update:
Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer.
This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows.
TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.
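The practical question for an administrator is which certificates this will break. The PowerShell below is an added example, not Microsoft's own tooling: it reports every certificate in the local personal stores whose RSA key is shorter than 2048 bits, and it connects to a TLS server to read the key size of the certificate it presents. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the function names, the store paths it scans and the 2048-bit threshold constant are choices made for this example.

```powershell
# Added example (not Microsoft's code): find TLS certificates whose RSA public key is
# shorter than 2048 bits, the size Windows will stop accepting for TLS server authentication.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

# Minimum RSA modulus length required by the deprecation described above.
$MinimumRsaBits = 2048

function Get-RsaKeySize {
    # Returns the RSA modulus length in bits, or $null when the certificate's public key
    # is not RSA (for example ECDSA, which this change does not affect).
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa) { return $null }
    try { return $rsa.KeySize } finally { $rsa.Dispose() }
}

function Find-WeakRsaCertificate {
    # Scans the given certificate stores and returns every certificate with an RSA key
    # shorter than $MinimumRsaBits. Expired certificates are reported too, because a
    # renewal that reuses the old key pair would inherit the problem.
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )

    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $bits = Get-RsaKeySize -Certificate $_
            if ($null -ne $bits -and $bits -lt $MinimumRsaBits) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    KeyBits    = $bits
                }
            }
        }
    }
}

function Test-TlsServerKeySize {
    # Opens a TLS connection and reports the key size of the leaf certificate the server
    # presents. Chain validation is deliberately bypassed so the key size is still
    # reported for certificates Windows already distrusts; do not reuse that callback
    # in code that actually relies on the connection.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            $bits = Get-RsaKeySize -Certificate $leaf
            [pscustomobject]@{
                Host         = $HostName
                Subject      = $leaf.Subject
                Algorithm    = $leaf.PublicKey.Oid.FriendlyName
                KeyBits      = $bits
                # Non-RSA keys pass because the deprecation applies only to RSA.
                MeetsMinimum = ($null -eq $bits) -or ($bits -ge $MinimumRsaBits)
            }
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

# Usage (hostname is a placeholder):
# Find-WeakRsaCertificate | Format-Table -AutoSize
# Test-TlsServerKeySize -HostName 'www.example.com'
```

Find-WeakRsaCertificate only looks at the personal stores by default; pass the CA or Root store paths as well if you want to catch short-keyed intermediates, which Microsoft's note says are outside the scope of this change but still worth rotating.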
TLS and RSA-related updates aren't the only security changes Microsoft has planned. The company recently announced that it is updating its Windows 8-era Secure Boot keys. In the recent past, it also suggested that more TPM-like security chips might be introduced, perhaps something like Pluton. Meanwhile, the Windows kernel is getting a Rust-y makeover for better memory safety.