Suspicious cert-sellers give badware a good name for just a few thousand bucks

There's a flourishing trade in illicit code-signing certificates, and even extended validation certificates can be purchased for a few thousand dollars. That's the conclusion of a study by American and Czech researchers, with input from Symantec Labs (the company's technical director Christopher Gates is a co-author). The …

  1. JeffyPoooh

    Obviously...

    Obviously these Certificates should be Certified.

    I won't be happy until, "It's Certificates all the way down."

  2. bombastic bob Silver badge

    "I won't be happy until, 'It's Certificates all the way down.'"

    I won't be happy until *THE* *TOLLBOOTH* on the intarwebs (and for appLICATION developers, particularly open source and independent developers) has been ERADICATED, because it OBVIOUSLY doesn't do a DAMN bit of good to have the *DAMNED* *CERTS*! Except, for those skimming off of the top and keeping "the little guy" in his place...

    And that goes TRIPLE for KERNEL DRIVERS.

    /me points out that in the Linux world, YOU! DO! NOT! HAVE! THIS! CRAP!!!

  3. Kabukiwookie

    Fairly light on detail

    The article is quite light on detail.

    Was someone selling certs with CNs of high profile companies? If so, were they providing private keys to go with those certs?

    Otherwise I have a www.google.com cert for sale for very little money; it comes with a free bridge.

    Or were the sellers set up as a Certificate Authority and just issuing certs that were valid?

    If that's the case, the process to become a CA may have some holes in it.

    1. bombastic bob Silver badge

      Re: Fairly light on detail

      As far as I can tell, these are app-signing certs, not SSL. So "signed" apps are supposedly "safe". Apparently NOT.

      1. Anonymous Coward

        Re: Fairly light on detail

        Apps are signed by a developer's own code signing cert, which is in turn signed by an issuer.

        So this proves that:

        1. The developer has joined the code signing programme to get their cert signed by the issuer. They might have paid a few hundred dollars for this, but otherwise it's a very low bar.

        2. The app was signed by a developer who has established themselves a reputation for quality software - that is, this code was signed by the same cert as a previous legit application was signed by.

        It seems that there is a market in boosting malware in area 2, by effectively doing the same tricks as people do to get their Google search rankings increased.

  4. Anonymous Coward

    Certificates are an illusion of trust and security

    Why should anyone trust any CA?

    They are set up to make money selling certs. You have no proof they are getting the people they are selling them to. There are dozens of CAs listed in your PC as trusted - you have no proof you can trust any of them.

    1. dajames

      Re: Certificates are an illusion of trust and security

      Why should anyone trust any CA?

      They are set up to make money selling certs.

      Yes, that's the reason.

      A CA depends on the money it makes from selling certificates. No CA with any business sense will deliberately issue certificates that cannot be trusted, because that would damage the CA's own reputation, and lead to users not trusting the certificates it issues ... which will lead to customers going elsewhere for their certificates, and the CA losing money.

      That said, it's important to understand what a certificate means. All a certificate tells you is that the CA has reason to believe that the private key associated with the public key in the certificate belongs to the purported owner (the "subject") of that certificate. For a cheap/free EMail certificate the CA may do no more than check that the address to which the certificate is to be sent is the same as the address in the subject ID while for an expensive ECommerce certificate the CA will carry out offline checks on the identity of the certificate requester, and will insure against any fraud arising from misuse of that certificate (which is why such certificates are expensive).

      All a certificate really tells you is the identity of the owner of the certificate (and the associated key); you are left to make your own decisions about trust.

  5. coconuthead

    Microsoft need to disable the "reputation" part of it

    So now we have the situation that a small, new developer with no "reputation" is presented by Microsoft's software as being less trustworthy than malware which has primed it with some benign installations.

    Does no-one at Microsoft ever "wargame" their security systems before sending them out? Or is it theatre?

    1. Pascal Monett Silver badge

      Re: Or is it theatre?

      You might have hit upon something there . . .

  6. Amos1

    A local pen test company registered an LLC...

    (Limited Liability Corporation) in their home state and named it "Trusted Application, LLC"

    All of their signed malware showed up with a valid cert starting with "Trusted" and that is as far as anybody read.
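The Anonymous Coward reply earlier in the thread (a developer cert signed by an issuer), dajames's point that a certificate establishes identity rather than trust, and Amos1's "Trusted Application, LLC" anecdote all rest on the same mechanics. The following is an added example, written for this page and not taken from any commenter, from The Register, or from the study the article describes. It uses only the Go standard library: it generates a throwaway root CA and a code-signing leaf in memory, signs a constructed blob, and shows that chain validation and signature verification succeed for whatever subject name the issuing CA agreed to put in the certificate, including one beginning with "Trusted", while a certificate carrying the identical name from an issuer outside the trust store fails. A policy that wants to trust one particular publisher should therefore pin the publisher's key (the SPKI hash) rather than read the display name. Every CA name, organisation name and the signed bytes are constructed for the example.

```go
package main

// Added example (not from the thread): a throwaway CA and a code-signing leaf,
// generated in memory, to show what chain validation does and does not say.
// All names, keys and the signed "installer" bytes are constructed here.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signer pairs a private key with the certificate that carries its public key.
type signer struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// issue generates a fresh P-256 key and has parent sign a certificate for it;
// a nil parent means the template is self-signed (a root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &signer{key: key, cert: cert}, nil
}

// newCA creates a self-signed root that is allowed to sign other certificates.
func newCA(name string) (*signer, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}, nil, nil)
}

// newLeaf issues a code-signing certificate from ca to an organisation. The
// subject is whatever string the CA agreed to write there: the vetting behind
// it is the CA's business process, nothing in the cryptography checks it.
func newLeaf(ca *signer, org string) (*signer, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: org},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, ca.cert, ca.key)
}

// signBlob signs the SHA-256 digest of blob with the leaf's private key.
func signBlob(leaf *signer, blob []byte) ([]byte, error) {
	digest := sha256.Sum256(blob)
	return ecdsa.SignASN1(rand.Reader, leaf.key, digest[:])
}

// trustStore builds a root pool that contains only the given CA.
func trustStore(ca *signer) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	return pool
}

// verifySigned checks that leaf chains to a trusted root with the code-signing
// EKU and that sig is a valid signature over blob. On success it returns the
// subject organisation: an identity, not a decision about trustworthiness.
func verifySigned(roots *x509.CertPool, leaf *x509.Certificate, blob, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected key type")
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("signature does not match blob")
	}
	return leaf.Subject.Organization[0], nil
}

// spkiPin returns the hex SHA-256 of the certificate's SubjectPublicKeyInfo,
// the value a publisher-trust policy should pin instead of a display name.
func spkiPin(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo))
}

func main() {
	ca, _ := newCA("Constructed Example Root CA")
	leaf, _ := newLeaf(ca, "Trusted Application, LLC")
	blob := []byte("constructed installer bytes")
	sig, _ := signBlob(leaf, blob)
	org, err := verifySigned(trustStore(ca), leaf.cert, blob, sig)
	fmt.Println("trusted issuer:", org, err)
	rogue, _ := newCA("Some Other CA")
	rogueLeaf, _ := newLeaf(rogue, "Trusted Application, LLC")
	rogueSig, _ := signBlob(rogueLeaf, blob)
	_, err = verifySigned(trustStore(ca), rogueLeaf.cert, blob, rogueSig)
	fmt.Println("same name, untrusted issuer:", err)
	fmt.Println("pins differ:", spkiPin(leaf.cert) != spkiPin(rogueLeaf.cert))
}
```

Running it with `go run` prints a successful verification for the "Trusted Application, LLC" leaf, a chain error for the identically named leaf from the second CA, and confirms the two SPKI pins differ. Two caveats: `Verify` here only does path building plus the code-signing EKU check and says nothing about revocation or timestamps, and real Windows Authenticode wraps the signature in PKCS#7 with its own hashing rules, so this is the X.509 core of the idea rather than a drop-in Authenticode checker.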

  7. Mongo 1

    No Hard Feelings

    Is that the same Symantec who Google kicked out of the CA trade?

    https://www.theregister.co.uk/2018/02/07/beware_the_coming_chrome_certificate_apocalypse/

    1. Anonymous Coward

      Re: No Hard Feelings

      "Is that the same Symantec who..." actually released NAV07 (and NAV08) into the wild, thereby wasting millions of life-hours of their customers' time, dealing with this unreliable crapware?

      There's a special seat waiting for them 'downstairs'.

  8. doublelayer Silver badge

    and I'm sure people have this filter turned on

    I find myself wondering whether there are many people with this filter enabled. I somehow doubt that malware authors who haven't bothered with this are seeing it as a big problem. I, for one, disabled it on my personal windows machine the time, and I'm assuming for Microsoft's sake that it was a bug, that they tried to flag firefox as unsafe. And I checked the hash; my copy was not invalid. I have to imagine that a lot of users just click through any warnings they get. Otherwise, how is the entire malware community making it through on certs sold every few days?

  9. This post has been deleted by its author
