[cryptography] How are expired code-signing certs revoked?

Marsh Ray marsh at extendedsubset.com
Wed Dec 7 20:54:34 EST 2011

On 12/07/2011 07:01 PM, lodewijk andré de la porte wrote:
> I figured it'd be effective to create a "security awareness group"
> figuring the most prominent (and only effective) way to show people
> security is a priority is by placing a simple marking, something like
>  "this site isn't safe!"

I thought the international symbol for that was already agreed upon:

On 12/07/2011 07:13 PM, lodewijk andré de la porte wrote:
> I'm afraid signing software is multiple levels of bullocks. Imagine a
>  user just clicking yes when something states "Unsigned software, do
> you really want to install?".

You're just thinking of a few code signing schemes that you have direct 
experience with.

Apple's iPhone app store code signing is far more effective for example.

> Imagine someone working at either a
> software or a signing company. Imagine someone owning a little bitty
> software company that's perfectly legitimate and also uses the key to
> sign some of his maleware.

His own malware? With his own certificate? How dumb can he be?

> Software signing isn't usable for regular end users, experienced
> users already have hashes to establish integrity up to a certain
> level, guru's and security professionals compile from source instead
> of trusting some binary. And yes that does exclude hidden-source
> software, it's the only sensible thing to do if you don't want trust
> but real security!

A scandal broke just the other day when http://download.cnet.com/ was 
found to be trojaning downloaded executables in their custom "download 
manger" wrapper. Just to be helpful, this wrapper would change your home 
page to Microsoft, change your search engine to Bing, and install a 
browser toolbar that did lord knows what other helpful stuff if you were 
dumb enough to click the "Yes please install the helpful thing I 
downloaded" button. After the find their PC filled with crapware, users 
likely attribute it to the poor unsuspecting developer of the legitimate 
application they'd intended to download.

Even the simplest code signing mechanism at least prevent application 
installers from being corrupted by commercial distribution channels like 
that. But only IF enough users were given a security justification for 
insisting on a valid signature on the installers that CNET would 
recognize that that kind of sleazy practice it would harm their brand.

> http://download.cnet.com/8301-2007_4-57338809-12/a-note-from-sean-regarding-the-download.com-installer/

MS Windows 8 is said to be introducing an app store distribution channel.

- Marsh

More information about the cryptography mailing list