[cryptography] MalwareBytes

Jason Richards jjr2 at gmx.com
Fri Jun 24 22:42:02 EDT 2016


>> What matters is not the certificate.  The certificate is public.
>> You can’t “steal” a certificate.
>>
>> What you *can* steal is the private key associated with a
>> certificate, and the more time goes by the more likely it becomes
>> that someone has done so.
>>
>> However, the expiration date is completely arbitrary.  There’s
>> nothing magic that happens on the expiration date that makes a cert
>> significantly less secure the day after it expires than it was the
>> day before
> 
> In principle, I think it does.
> 
> The CA's responsibility (warranty) ends when the certificate expires.
> Once the certificate is expired it will not be added to a CRL, so it
> could not be revoked. In fact, if it was revoked, then it will be
> removed from the CRL.

Your point has relevance when discussing server certificates. If the
certificate expired yesterday then be cautious, but it's likely that
someone just missed the renewal notice. If it expired three years ago
then be far more cautious as the site itself is more likely to be
unmaintained, unpatched, breached and owned.

But in this case we're discussing a code-signing certificate, and
the code is still as good as it was on the day it was signed by a valid
certificate. Sure, the code may be getting a little old, but that
doesn't necessarily mean that it's no longer good. It's a bit like an
expired government ID with a date of birth on it. Sure, that driver's
license can't be used to prove I should be allowed to drive a car, but
if I was 21 ten years ago when the license was valid then it still
proves I'm of legal age to purchase alcohol now.

J

