GlobalSign Egregiously Misuses App-Signing Process

Răzvan STOICA

August 19, 2008

GlobalSign told The Register today that they have revoked the certificate of a company publishing "rogue" (that is, fake) antivirus software. We have covered the software in question on this site on at least one occasion: it is Antivirus XP, a program that claims to be an antivirus but is nothing more than an extortion tool, demanding money in exchange for nothing at all.

All well and good, you'd say. Well, all is emphatically not well, because in doing so GlobalSign removed a very simple, very effective tool from security-minded folks' hands. It's not as if the certificate was invalid in some way; it was perfectly valid. To appear legitimate, the publishers of the e-threat decided to play by the rules and obtain a genuine certificate from a high-profile certification authority. That certificate positively identified a certain binary file as being Antivirus XP 2008. Now that means of identification is gone. See the problem here?

The sad truth is that the confusion between identity and security is one that GlobalSign and other companies like it have worked hard to create. Here's an endearing quote from the GlobalSign website:
“Running Unsigned Code / Executables can be Dangerous!
End users are encouraged not to run unsigned code / executables; therefore downloading / running unsigned applications will generate worrying Unknown Publisher security warnings. Unsigned software can be tampered with (such as the insertion of spyware, malware or harmful code and then redistributed). Once digitally signed using a Code Signing Certificate, customers can be sure of the identity of the software developer and that the software has not been altered since being published by the original vendor. The security warnings change from being worrying to alerting the user that the publisher of the digitally signed software is known – adding an essential level of trust to the application installation process.”

 
If anything, the fact that Antivirus XP obtained a valid cert is proof that positively identifying something doesn't make that thing intrinsically safer. The fact that an application is signed by VeriSign or Microsoft or the Tooth Fairy syndicate is supposed to make you feel safer, but all it amounts to is that VeriSign or Microsoft or the syndicate accepted a cheque from someone and used crypto to tie that someone's identity (however tenuous that concept is) to a certain piece of code.
 
GlobalSign should not have pulled that cert. They should have kept it, advertised the hell out of it as proof that the system works, and used it to push hard for the deployment of a decentralized trust infrastructure on top of the identification infrastructure they manage. A system is needed where everyone could find out at a glance that the certificate for Antivirus XP is valid and that the software they're about to install really is Antivirus XP (which the existing infrastructure already allows) and that everyone who's someone thinks Antivirus XP is an e-threat (which it doesn't, for now).
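As an added illustration of the distinction drawn in the two paragraphs above (this is not code from the original post, and it has nothing to do with GlobalSign's or Antivirus XP's actual keys or certificate), the toy Python below separates the two layers: an identity layer, where a signature over the code's hash ties a publisher name to exactly those bytes, and a trust layer, where a reputation feed is consulted by publisher name. The RSA is textbook (two fixed Mersenne primes, no padding) and the binary, the publisher name and the reputation feed are all constructed placeholders. Walking through the four steps shows that a valid signature alone yields "identity only", that a reputation flag keyed on that identity can block the file, that tampering breaks the signature, and that revoking the certificate collapses the signed rogue file into the same "unknown publisher" bucket as any unsigned malware, taking the reputation hook with it.

```python
"""Toy model of code signing (identity) vs. a separate reputation layer (trust).

Constructed example: hand-rolled textbook RSA over two Mersenne primes, no
padding, no real PKI. NOT secure; it exists only to show what a valid
signature does and does not tell the user.
"""
import hashlib
from dataclasses import dataclass

# Known primes 2^61-1 and 2^89-1, fixed so the example runs offline with no
# key generation; E is the usual public exponent.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def generate_toy_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)) for textbook RSA."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def code_hash(code: bytes) -> int:
    """SHA-256 of the bytes, as an integer; this is what gets signed."""
    return int.from_bytes(hashlib.sha256(code).digest(), "big")


def sign(priv, code: bytes) -> int:
    n, d = priv
    return pow(code_hash(code) % n, d, n)


def verify(pub, code: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == code_hash(code) % n


@dataclass
class Certificate:
    publisher: str          # the identity the CA vouched for
    pubkey: tuple
    revoked: bool = False   # the lever GlobalSign pulled


def identify_publisher(cert: Certificate, code: bytes, sig: int):
    """Identity layer: name the publisher of these exact bytes, or None."""
    if cert.revoked or not verify(cert.pubkey, code, sig):
        return None
    return cert.publisher


def decide(cert: Certificate, code: bytes, sig: int, reputation: dict) -> str:
    """Trust layer: combine the identity with an independent reputation feed."""
    publisher = identify_publisher(cert, code, sig)
    if publisher is None:
        return "unknown publisher: cannot say who made this"
    verdict = reputation.get(publisher)
    if verdict == "malicious":
        return f"signed by {publisher}, flagged malicious: block"
    if verdict == "trusted":
        return f"signed by {publisher}, trusted: allow"
    return f"signed by {publisher}, no reputation: identity only, not safety"


def run_scenario() -> dict:
    """Walk the Antivirus XP story with constructed stand-ins."""
    pub, priv = generate_toy_keypair()
    binary = b"MZ AntivirusXP2008-installer (constructed bytes)"  # placeholder
    cert = Certificate(publisher="Antivirus XP 2008 publisher (assumed name)", pubkey=pub)
    sig = sign(priv, binary)
    results = {}
    # 1. Valid cert, nobody has weighed in: the signature proves identity, nothing more.
    results["signed_no_reputation"] = decide(cert, binary, sig, {})
    # 2. A reputation feed, independent of the CA, flags the identified publisher.
    reputation = {cert.publisher: "malicious"}
    results["signed_flagged"] = decide(cert, binary, sig, reputation)
    # 3. Any change to the bytes breaks the signature, whatever the reputation says.
    results["tampered"] = decide(cert, binary + b"\x00", sig, reputation)
    # 4. The CA revokes the cert: the identity handle is gone, and the reputation
    #    entry keyed on it can no longer fire.
    cert.revoked = True
    results["revoked"] = decide(cert, binary, sig, reputation)
    return results


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:22s} {verdict}")
```

The reason `identify_publisher` and `decide` are kept apart is the article's own point: revocation is the wrong tool for saying "this publisher is rogue", because it destroys the very handle that a trust decision would key on.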
 
What's more, GlobalSign opened a huge can of worms by revoking a valid certificate (valid both process-wise and in the real world: its publisher was positively identified, for better or worse). Will they do it again? Who knows? What company will "benefit" from this treatment next? If a rogue one was mis-identified as legit (forgetting for a moment that it is emphatically NOT the job of GlobalSign to ascertain such things), isn't it possible that next time a legit one will be identified as rogue? Is there a process in place to redress errors? How fast is it, and how fast can changes be propagated? What are the margins of error?
