[cryptography] MalwareBytes

Ron Garret ron at flownet.com
Fri Jun 24 14:30:40 EDT 2016


What matters is not the certificate.  The certificate is public.  You can’t “steal” a certificate.

What you *can* steal is the private key associated with a certificate, and the more time goes by the more likely it becomes that someone has done so.

However, the expiration date is completely arbitrary.  There’s nothing magic that happens on the expiration date that makes a cert significantly less secure the day after it expires than it was the day before.  The whole idea of an expiration date (rather than an issue date) on a certificate is a sort of a scam by the CAs to coerce people into renewing (and hence paying for) their certificates on a regular schedule.  I think some CAs don’t even enforce the use of a new key when a cert is renewed, which defeats the whole purpose.

But all of this is rather a moot point nowadays.  Now that letsencrypt is live, there is no reason to pay for a cert any more.

rg

On Jun 24, 2016, at 10:37 AM, John Levine <johnl at iecc.com> wrote:

> In article <576D6D35.3080607 at gmail.com> you write:
>> Do you want to take chances in a world of stolen certificates?
> 
> Why is this certificate more likely to be stolen today than it was a
> week ago?  It's the same certificate, it hasn't changed.
> 
> R's,
> John
> 
> 
>> On 6/24/2016 11:09 AM, Jason Richards wrote:
>>>>> I just downloaded the new MBAM installer.
>>>>> 
>>>>> Its certificate expired 6/19/2016.
>>>>> 
>>>>> Should I just ignore that fact?
>>>> I wouldn't ignore it at all.
>>> The certificate that signed the code expired? If the certificate was
>>> valid when the code was signed then there should be no issues. Nothing
>>> has changed.
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography


