From: "Michael Adams" <[email protected]>

| On Saturday 13 November 2010 00:19, David H. Lipman wrote:
>> From: "Michael Adams" <[email protected]>
>> < snip >
>> | NOTE: During the install process Windows may spout some bull about the
>> | program being untrusted. This is because companies have to pay Microsoft
>> | to be a "Trusted" developer of programs. This payment does not really
>> | ensure that a trusted company's programs are any safer than others.
>> Not True!
>> The software is not trusted because the software has no digital signature
>> (read digital certificate) or it is digitally signed but there is a break
>> in the certificate chain, such as the end user not having the root
>> certificate in their certificate store.
>> It has nothing to do with "paying Microsoft."
| Thanks for this information. I thought a Verisign certificate was a website
| SSL authentication certificate only.
| Seems I now have more research to do.
|
| What is the specific name of this type of install certification?
| - Code Signing Certificate
|
| Will it work for offline installation?
| - Sometimes, I think (more research required)
|
| What do they cost a company?
| - Around $500 per year.
| http://www.verisign.com/code-signing/microsoft-authenticode/index.html?sl=productdetails
|
| Are these certificates per company, per product or per install number?
| - Per company
|
| Are they proven? Have there been any problems?
| - Yes, Yes http://www.amug.org/~glguerin/opinion/revocation.html
|
| It seems my research has turned up that Verisign is one of the third party
| companies to the "Microsoft Authenticode" process[1], among others[2]. The
| software issuing company being the first party and the user being the second.
| Microsoft is the fourth party in the "Microsoft Authenticode" process, as the
| tool (signtool.exe) for creating the signatures themselves is part of the
| Microsoft Software Development Kit (SDK) and the OS is Microsoft's. There is
| another party, Dun and Bradstreet, who audit applying commercial software
| companies[3].
|
| So my original statement still has some measure of truth to it as
| regards "Microsoft Authenticode" certificates. I have no idea if
| OpenOffice.org is certificated under a "Microsoft Authenticode" certificate or
| under one of the other certificate authentication schemes.
|
| [1] http://msdn.microsoft.com/en-us/library/ms537361.aspx
|     http://www.verisign.com/code-signing/microsoft-authenticode/index.html?sl=productdetails
| [2] http://www.verisign.com/code-signing/index.html
| [3] http://msdn.microsoft.com/en-us/library/ms537361.aspx

You will find the Certificate Store in Internet Explorer.
IE --> Tools --> Internet Options --> Content --> Certificates

In this case certificates are granted per customer and the customer may "sign"
their products with it. I know of no limitations as to the number of products,
only the certificate's given life span.

There have been cases where malicious actors have obtained digital certificates
and have signed their malware. Usually this is a case where the malicious actor
either uses a compromised credit card account to purchase the certificate,
forges the certificate or steals them. Once identified, the CA may revoke the
certificate via the CRL URL.

http://sunbeltblog.blogspot.com/2007/09/for-shame-thawte-trusts-gromozon.html
http://blog.webroot.com/2009/12/15/zero-day-malware-drops-payloads-signed-with-a-forged-microsoft-certificate/

http://mtc.sri.com/Conficker/
"Both Conficker A and B clients incorporate a binary validation mechanism to
ensure that a downloaded binary has been signed by the Conficker authors.
Figure 2 illustrates the download validation procedure used to verify the
authenticity of binaries pulled from Internet rendezvous points."

Worst of all, the SCADA worm Stuxnet had digitally signed binaries.
http://en.wikipedia.org/wiki/Stuxnet
"Stuxnet is unusually large at half a megabyte in size,[22] and written in
different programming languages (including C and C++) which is also irregular
for malware.[1][5] It is digitally signed with two authentic certificates which
were stolen[22] from two certification authorities (JMicron and Realtek) which
helped it remain undetected for a relatively long period of time."

-- 
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
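Added example (editor's note, not part of the thread above and not OpenOffice.org or Microsoft code): the three reasons the thread gives for Windows calling an installer "untrusted" (no signature, a chain that cannot be anchored to a root in the user's certificate store, and a certificate the CA has since revoked via its CRL) can be told apart from PowerShell with the built-in Get-AuthenticodeSignature cmdlet and the .NET X509Chain class. The sample path, the hypothetical function name Get-CodeSigningVerdict, and the assumption of PowerShell 3 or later on Windows with network access for the CRL check are the example's own.

```powershell
# Classify why Windows would call a binary "untrusted": not signed, tampered,
# root missing from the Trusted Root store, or revoked. Example code, not
# from the thread; the default path below is an assumption.
param(
    [string]$Path = "$env:TEMP\setup.exe"   # assumed sample installer path
)

function Get-CodeSigningVerdict {
    param([Parameter(Mandatory = $true)][string]$FilePath)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    $result = [ordered]@{
        File        = $FilePath
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Message     = $sig.StatusMessage
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Issuer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { $null }
        TimeStamped = [bool]$sig.TimeStamperCertificate   # timestamped signatures outlive the cert
        Root        = $null
        RootInStore = $null
        ChainErrors = @()
        Verdict     = $null
    }

    if ($sig.Status -eq 'NotSigned') {
        $result.Verdict = 'No digital signature at all (the usual "unknown publisher" prompt)'
    }
    elseif ($sig.Status -eq 'HashMismatch') {
        $result.Verdict = 'Signed, but the file was modified after signing'
    }
    elseif ($sig.SignerCertificate) {
        # Rebuild the chain ourselves with online revocation checking and the
        # code-signing EKU (1.3.6.1.5.5.7.3.3) so "root not trusted" can be told
        # apart from "revoked through the CRL".
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        [void]$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3')
        $built = $chain.Build($sig.SignerCertificate)

        $result.ChainErrors = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())"
        })

        # The last chain element is the root Windows found, or the top of a
        # chain it could not anchor. Check it against both Trusted Root stores,
        # which is what IE -> Internet Options -> Content -> Certificates shows.
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result.Root = $root.Subject
        $stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
        $result.RootInStore = [bool](Get-ChildItem $stores |
            Where-Object { $_.Thumbprint -eq $root.Thumbprint })

        $flags = $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }
        $result.Verdict =
            if ($built -and $sig.Status -eq 'Valid') { 'Signed and chains to a trusted root' }
            elseif ($flags -match 'Revoked')          { 'Signed, but the certificate was revoked by the CA' }
            elseif ($flags -match 'RevocationStatusUnknown|OfflineRevocation') { 'Signed; revocation could not be checked (offline?)' }
            elseif ($flags -match 'UntrustedRoot|PartialChain') { 'Signed, but the root is not in the Trusted Root store' }
            elseif ($flags -match 'NotValidForUsage') { 'Signed with a certificate not issued for code signing' }
            else { "Signed, chain problem: $($flags -join ', ')" }

        $chain.Reset()
    }

    [pscustomobject]$result
}

Get-CodeSigningVerdict -FilePath $Path | Format-List
```

Run it against any .exe or .msi on a Windows box. Status alone is ambiguous for the "untrusted" case: Get-AuthenticodeSignature reports UnknownError both when the root is missing from the store and when revocation could not be checked, which is why the example rebuilds the chain and reads the individual X509ChainStatus flags. RootInStore answers the question the thread raises about the end user's certificate store directly: a signed binary whose root is absent from Cert:\CurrentUser\Root and Cert:\LocalMachine\Root will be flagged no matter who paid for the certificate.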
