[cryptography] How are expired code-signing certs revoked?

dan at geer.org dan at geer.org
Thu Dec 8 23:16:13 EST 2011


Peter Gutmann writes:
-+-------------------
 | This means that once a particular signed binary has been detected
 | as being malware the virus scanner can extract the signing
 | certificate and know that anything else that contains that
 | particular certificate will also be malware, with the certificate
 | providing a convenient fixed signature string for virus scanners
 | to look for.
 |

One would assume that the effort to get such a signing
certificate would persuade the bad team to use that cert
for targeted attacks, not broadcast ones, in which case
you would be damned lucky to find it in a place where you
could then encapsulate it in a signature-based protection
scheme.

--dan

good reading:
Cormac Herley,
The Plight of the Targeted Attacker in a World of Scale
http://research.microsoft.com/pubs/132068/TargetedAttacker.pdf
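The detection idea Gutmann describes above, as an added example (not code from the list thread or from any vendor): once one signed sample has been classified as malware, hash the signer certificate embedded in it, put that fingerprint on a blocklist, and flag any other file carrying the same certificate. The example scans a blob for embedded DER X.509 certificates and compares their SHA-256 fingerprints against a blocklist; the function names, the self-signed "stolen" certificate and the fake signed binaries are all constructed here for illustration. A real Authenticode scanner would instead walk the PE security directory and parse the PKCS#7 SignedData, and the raw byte scan below is a stand-in for that. It also shows Dan's caveat: a certificate that has never been seen in a caught sample produces no hit.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// certFingerprint returns the hex SHA-256 of a certificate's DER encoding.
// This is the "fixed signature string" a scanner can blocklist.
func certFingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// extractCerts scans an arbitrary blob for embedded DER X.509 certificates.
// Simplification for the example: it only looks for the long-form header
// 0x30 0x82 LL LL (certificates of 256..65535 bytes), checks that the
// claimed length fits, and keeps candidates that parse as certificates.
func extractCerts(blob []byte) [][]byte {
	var found [][]byte
	for i := 0; i+4 <= len(blob); i++ {
		if blob[i] != 0x30 || blob[i+1] != 0x82 {
			continue
		}
		n := int(blob[i+2])<<8 | int(blob[i+3])
		end := i + 4 + n
		if end > len(blob) {
			continue
		}
		cand := blob[i:end]
		if _, err := x509.ParseCertificate(cand); err == nil {
			found = append(found, cand)
			i = end - 1 // skip the inner TBSCertificate SEQUENCE
		}
	}
	return found
}

// scanBinary returns the fingerprints of embedded certificates that are on
// the blocklist; an empty result means the signer was never seen before.
func scanBinary(blob []byte, blocklist map[string]bool) []string {
	var hits []string
	for _, der := range extractCerts(blob) {
		if fp := certFingerprint(der); blocklist[fp] {
			hits = append(hits, fp)
		}
	}
	return hits
}

// makeSelfSignedCert builds a throwaway self-signed code-signing certificate
// standing in for a signing cert the attacker obtained (constructed input).
func makeSelfSignedCert(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// fakeSignedBinary imitates a signed PE: a stub, padding, the signer cert,
// trailing bytes. Constructed input only; not a real Authenticode layout.
func fakeSignedBinary(payload string, certDER []byte) []byte {
	var b bytes.Buffer
	b.WriteString("MZ" + payload)
	b.Write(bytes.Repeat([]byte{0}, 64))
	b.Write(certDER)
	b.Write(bytes.Repeat([]byte{0xCC}, 32))
	return b.Bytes()
}

func main() {
	stolen, _ := makeSelfSignedCert("Stolen Publisher Ltd")
	other, _ := makeSelfSignedCert("Unrelated Publisher")
	// First sample is caught; its signer cert becomes the blocklist entry.
	blocklist := map[string]bool{certFingerprint(stolen): true}
	fmt.Println("second sample, same cert:", scanBinary(fakeSignedBinary("dropper-v2", stolen), blocklist))
	fmt.Println("targeted sample, unseen cert:", scanBinary(fakeSignedBinary("implant", other), blocklist))
}
```

Keying on the certificate rather than on the file hash is what makes the signer reusable as an indicator, but it only works after one sample has been captured and analysed, which is exactly the situation Dan argues a targeted attacker will try to avoid.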