[cryptography] How are expired code-signing certs revoked?

dan at geer.org dan at geer.org
Thu Dec 8 23:16:13 EST 2011

Peter Gutmann writes:
 | This means that once a particular signed binary has been detected
 | as being malware the virus scanner can extract the signing
 | certificate and know that anything else that contains that
 | particular certificate will also be malware, with the certificate
 | providing a convenient fixed signature string for virus scanners
 | to look for.

One would assume that the effort to get such a signing
certificate would persuade the bad team to use that cert
for targeted attacks, not broadcast ones, in which case
you would be damned lucky to find it in a place where you
could then encapsulate it in a signature-based protection.

good reading:
Cormac Herley,
The Plight of the Targeted Attacker in a World of Scale