kevinsisco61784 at gmail.com
Fri Jun 24 15:46:07 EDT 2016
Authors of ransomware as a service such as encryptor RaaS steal
certificates all the time.
On 6/24/2016 2:30 PM, Ron Garret wrote:
> What matters is not the certificate. The certificate is public. You can’t “steal" a certificate.
> What you *can* steal is the private key associated with a certificate, and the more time goes by the more likely it becomes that someone has done so.
> However, the expiration date is completely arbitrary. There’s nothing magic that happens on the expiration date that makes a cert significantly less secure the day after it expires than it was the day before. The whole idea of an expiration date (rather than an issue date) on a certificate is a sort of a scam by the CAs to coerce people into renewing (and hence paying for) their certificates on a regular schedule. I think some CAs don’t even enforce the use of a new key when a cert is renewed, which defeats the whole purpose.
> But all of this is rather a moot point nowadays. Now that letsencrypt is live, there is no reason to pay for a cert any more.
> On Jun 24, 2016, at 10:37 AM, John Levine <johnl at iecc.com> wrote:
>> In article <576D6D35.3080607 at gmail.com> you write:
>>> Do you want to take chances in a world of stolen certificates?
>> Why is this certificate more likely to be stolen today than it was a
>> week ago? It's the same certificate, it hasn't changed.
>>> On 6/24/2016 11:09 AM, Jason Richards wrote:
>>>>>> I just downloaded the new MBAM installer.
>>>>>> Its certificate expired 6/19/2016.
>>>>>> Should I just ignore that fact?
>>>>> I wouldn't ignore it at all.
>>>> The certificate that signed the code expired? If the certificate was
>>>> valid when the code was signed then there should be no issues. Nothing
>>>> has changed.
>> cryptography mailing list
>> cryptography at randombit.net
> cryptography mailing list
> cryptography at randombit.net
This email has been checked for viruses by Avast antivirus software.
More information about the cryptography