Obviously these Certificates should be Certified.
I won't be happy until, "It's Certificates all the way down."
There's a flourishing trade in illicit code-signing certificates, and even extended validation certificates can be purchased for a few thousand dollars. That's the conclusion of a study by American and Czech researchers, with input from Symantec Labs (the company's technical director Christopher Gates is a co-author). The …
"I won't be happy until, 'It's Certificates all the way down.'"
I won't be happy until *THE* *TOLLBOOTH* on the intarwebs (and for appLICATION developers, particularly open source and independent developers) has been ERADICATED, because it OBVIOUSLY doesn't do a DAMN bit of good to have the *DAMNED* *CERTS*! Except, for those skimming off of the top and keeping "the little guy" in his place...
And that goes TRIPLE for KERNEL DRIVERS.
/me points out that in the Linux world, YOU! DO! NOT! HAVE! THIS! CRAP!!!
The article is quite light on detail.
Was someone selling certs with CNs of high-profile companies? If so, were they providing private keys to go with those certs?
Otherwise I have a www.google.com cert for sale for very little money; it comes with a free bridge.
Or were the sellers set up as a Certificate Authority and just issuing certs that were valid?
If that's the case the process to become a CA may have some holes in it.
Apps are signed by a developer's own code signing cert, which is in turn signed by an issuer.
So this proves that:
1. The developer has joined the code signing programme to get their cert signed by the issuer. They might have paid a few hundred dollars for this, but otherwise it's a very low bar.
2. The app was signed by a developer who has established a reputation for quality software - that is, this code was signed by the same cert as a previous legit application was signed by.
It seems that there is a market in boosting malware in area 2, by effectively doing the same tricks as people do to get their Google search rankings increased.
Why should anyone trust any CA?
They are set up to make money selling certs. You have no proof they are getting the people they are selling them to. There are dozens of CAs listed in your PC as trusted - you have no proof you can trust any of them.
Why should anyone trust any CA?
They are set up to make money selling certs.
Yes, that's the reason.
A CA depends on the money it makes from selling certificates. No CA with any business sense will deliberately issue certificates that cannot be trusted, because that would damage the CA's own reputation, and lead to users not trusting the certificates it issues ... which will lead to customers going elsewhere for their certificates, and the CA losing money.
That said, it's important to understand what a certificate means. All a certificate tells you is that the CA has reason to believe that the private key associated with the public key in the certificate belongs to the purported owner (the "subject") of that certificate. For a cheap/free email certificate the CA may do no more than check that the address to which the certificate is to be sent is the same as the address in the subject ID, while for an expensive e-commerce certificate the CA will carry out offline checks on the identity of the certificate requester, and will insure against any fraud arising from misuse of that certificate (which is why such certificates are expensive).
All a certificate really tells you is the identity of the owner of the certificate (and the associated key); you are left to make your own decisions about trust.
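The two posts above describe the same mechanism from two angles: an app is signed with the developer's own code-signing certificate, which an issuer has in turn signed, and all that a verifier can learn from it is that the named subject holds the signing key. The following Go program is an added example, not code from the thread or from any CA or vendor, using only the standard library. It constructs a throwaway issuer CA and a developer leaf certificate restricted to code signing (all names are constructed), signs a sample payload, and then performs the checks a verifier actually gets: the chain must end in a trusted root with the code-signing extended key usage, and the signature must match the payload. Whether the subject named in the leaf deserves trust is deliberately outside what `Verify` can answer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedArtifact is a constructed stand-in for a signed application: the file
// bytes, the developer's leaf certificate and an ECDSA signature over SHA-256(file).
type SignedArtifact struct {
	Payload   []byte
	Leaf      *x509.Certificate
	Signature []byte
}

// issue creates a certificate from tmpl for pub, signed with parentKey
// (passing parent == tmpl yields a self-signed certificate).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain constructs the two-link chain the thread describes: an issuer CA
// and a developer leaf that is only permitted to sign code. Both names are
// constructed for this example; no real CA is involved.
func BuildChain(developer string) (ca, leaf *x509.Certificate, leafKey *ecdsa.PrivateKey, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Code Signing Issuer (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	if leafKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: developer},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if leaf, err = issue(leafTmpl, ca, &leafKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	return ca, leaf, leafKey, nil
}

// Sign signs SHA-256(payload) with the developer's private key.
func Sign(payload []byte, leaf *x509.Certificate, key *ecdsa.PrivateKey) (SignedArtifact, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SignedArtifact{Payload: payload, Leaf: leaf, Signature: sig}, err
}

// Verify checks only what a certificate can prove: the leaf chains to a root in
// roots and carries the code-signing EKU, and the payload was signed by the key
// the leaf binds to its subject. It says nothing about the subject's honesty.
func Verify(a SignedArtifact, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := a.Leaf.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	pub, ok := a.Leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("leaf certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(a.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return fmt.Errorf("signature does not match payload")
	}
	return nil
}

func main() {
	ca, leaf, key, err := BuildChain("Example Developer Ltd (constructed)")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool() // the verifier's trust store: only our constructed issuer
	roots.AddCert(ca)
	art, _ := Sign([]byte("installer bytes (constructed sample)"), leaf, key)
	fmt.Println("genuine artifact:", Verify(art, roots))
	art.Payload = []byte("tampered")
	fmt.Println("tampered artifact:", Verify(art, roots))
}
```

A leaf issued by any CA outside the verifier's `roots` pool fails the chain check regardless of what its subject claims, and a valid chain plus a matching signature still only establishes which key produced the signature; the reputation or intent of the key holder is a separate judgement the certificate does not make for you.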
So now we have the situation that a small, new developer with no "reputation" is presented by Microsoft's software as being less trustworthy than malware which has primed it with some benign installations.
Does no-one at Microsoft ever "wargame" their security systems before sending them out? Or is it theatre?
I find myself wondering whether there are many people with this filter enabled. I somehow doubt that malware authors who haven't bothered with this are seeing it as a big problem. I, for one, disabled it on my personal Windows machine the time it tried to flag Firefox as unsafe, and I'm assuming for Microsoft's sake that it was a bug. And I checked the hash; my copy was not invalid. I have to imagine that a lot of users just click through any warnings they get. Otherwise, how is the entire malware community making it through on certs sold every few days?
Biting the hand that feeds IT © 1998–2018