back to article Windows code-signing tweaks sure to irritate software developers

Changes that mean signing certificates for Windows can only be sold in hardware form – or from an as-yet undefined cloud-based "service” – from the start of February are likely to have a big effect on software development. US trade body the Certificate Authority Security Council decided in December that "best practice" for …

  1. Dr. Mouse

    "It's interesting that one-man-and-a-dog shops won't be especially affected by the procedural changes, but will complain about the approximate doubling of certificate prices. Meanwhile, large ISVs with automated build-and-test systems won't especially worry about an extra few hundred pounds, but may have to revise their processes a lot."

    So, basically, it's going to hit everyone in exactly the way which will hurt them the most. Nice move, MS!

    1. Halfmad

      Why bash MS? Surely your ire should be directed at the Certificate Authority Security Council ?

      1. phuzz Silver badge
        Gimp

        Of course it's Microsoft's fault, just as if they hadn't done this it would instead be "lol microsoft so insecure".

  2. Peter G Green

    So we're back to hardware dongles... It's like the 1980's all over again :-)

    1. tr1ck5t3r

      And the best bit, MS have introduced their own disruptive technology that will be the demise of MS.

      How stupid can you get price gouging your sales & engineering proxy staff when Western economies are already flatlining?

      China's just announced tightening capital control's are going to trigger the mother of all financial crashes.

  3. Kraggy
    FAIL

    Since when did Microsoft ever follow "best practices" except when it suited their agenda?

    1. Richard Plinston

      "best practices"

      When a consultant has told a client of mine that some way is "best practices" it has always been that they have not actually evaluated the real needs and just want to do what they have done elsewhere and it wasn't a complete disaster (ie the consultant made a profit).

      In one case the client was a jobbing shop using CAM where the machines were paired with design stations. I installed hubs for each pair and set fixed IPs so that as long as there was power the workshop could keep working. A consultant recommended using DHCP as "best practice" even though that could mean the workshop would be inoperable if the power failed and then returned but the servers were still down (which actually did happen, though only once).

  4. Steve Davies 3 Silver badge

    How long before...?

    Developers say, 'can't be bovvered with Windows any more' and stick a finger (or two) up in the general direction of Redmond?

    Next it will be that W10-2018 edition will only let apps be installed via their App store and devs are expected to pay lots of £££ to get their app into the store. Oh, and MS will take no responsibility if apps loaded this way contain Malware etc.

    MS obviously needs the money.

    1. Charles 9

      Re: How long before...?

      Given how irksome things are right now, why can't developers be bothered with doing it ALREADY?

    2. Anonymous Coward
      Devil

      "will only let apps be installed via their App store and devs are expected to pay lots of £££"

      That model is working very well on other devices, and some people even defend it strongly here, so why MS shouldn't adopt it too? <G>

      1. streaky

        Re: "will only let apps be installed via their App store and devs are expected to pay lots of £££"

        some people even defend it strongly here

        Rule 1

        Many things that have worked for other companies that people have thought Microsoft should have copied have turned out to be bad for Microsoft. Hell - that's how windows 8 happened. Doesn't fit microsoft's business model or what made them a very large company in the first place.

        1. Anonymous Coward
          Anonymous Coward

          Re: "will only let apps be installed via their App store and devs are expected to pay lots of £££"

          As an ISV, I don't really like the walled store model - and strongly believe it is anti-competitive, regardless if it is Apple, Google or Microsoft. The "services" offered by the store are good for single developers or very small companies, but useless and extremely expensive when you already have the infrastructure yourself, and your applications aren't sold for 1.99. That's why, for example, Adobe deliver its "apps" as free add-ons to software you directly buy from Creative Cloud. Why share the pie with Google or Apple?

          But put yourself in the expensive comfy leather chair of Nadella: you see Google and Facebook making tons of money gathering and re-selling user data and ads. and Google and Apple making tons of money through their app stores - while PC sales and thereby Windows licenses shrinks, and you lost most of the battles in the server space.

          The temptation to aim for the low hanging fruit and copy their business model may be very strong - especially when you are clueless and have no other ideas (but destroying any others' ones), and those business model were not frowned upon but by a minority.

          Will it work for MS? I don't know and I hope it won't. But the risk to see it enforced because it worked so well for others exists. Once again, people in exchange for some easiness of use, and some more "security" (we see how it works well, especially on Android), will lose freedom...

          1. Richard Plinston

            Re: "will only let apps be installed via their App store and devs are expected to pay lots of £££"

            > As an ISV, I don't really like the walled store model - and strongly believe it is anti-competitive, regardless if it is Apple, Google or Microsoft.

            I am not sure why you continue to include Google in that group. Is it just dogma because you want them to be seen to be as bad as Microsoft?

            For Android there are dozens of alternate app stores that compete with Google's Play Store, and you can find them by Googling, or even Binging if you prefer.

            https://code.tutsplus.com/articles/10-alternative-android-app-stores--cms-20999

            > but useless and extremely expensive when you already have the infrastructure yourself,

            There is nothing stopping you from having your own Android app store, the software for this can be downloaded and used for free.

            1. Charles 9

              Re: "will only let apps be installed via their App store and devs are expected to pay lots of £££"

              "For Android there are dozens of alternate app stores that compete with Google's Play Store, and you can find them by Googling, or even Binging if you prefer."

              The trouble being only Google's App Store is trusted by default on Android, meaning the only way to accept installs from the likes of F-Droid is to either root your phone (which can break things) or allow untrusted sources. If Android REALLY were open, we'd have the option of ADDING store certificates so that other app stores can be accepted as trusted. But that isn't even an option: not even under an expert setting.

              1. Richard Plinston

                Re: "will only let apps be installed via their App store and devs are expected to pay lots of £££"

                > meaning the only way to accept installs from the likes of F-Droid is to either root your phone (which can break things) or allow untrusted sources.

                So, your criticism is that one must do something really bad and difficult that should only be done by experts and nerds, thus _proving_ that Google is evil and uncompetitive, *OR* tick the check box provided.

                > If Android REALLY were open, we'd have the option of ADDING store certificates so that other app stores can be accepted as trusted.

                It only takes clicking a single checkbox if you want to trust the store. How would Google, or other certificate issuer, know if the store was to be trusted?

                In fact, if you buy an Amazon device, then it does trust the Amazon app store. If you buy a Nokia/Microsoft X (Android) phone then it does trust the Microsoft X-app store. If you buy a Samsung then their store is trusted. Similarly with the many Chinese makers who use app stores, and other services, in China.

                Would someone issuing a certificate implying trust be liable if there was malware in the alternate store?

                The Untrusted Sources checkbox is no more nor less that what Windows has with UAC. Perhaps Microsoft should be adding certificates to Windows so that users can randomly download software and be assured that those sites can be trusted without an annoying dialog box (or turning UAC off). Perhaps you should be using UAC and lack of certification of download sites as yet further examples of Microsoft's anti-competitive behaviour.

                The point is that Google cannot be accused of being anti-competitive. This is because is does nothing to prevent other app stores being set up, allows competitors (eg Microsoft) to put their apps in their Play Store, and allows directly competing products.

                If you want to 'prove' anti-competitive behaviour by Google then please do a comparison chart of what Google is doing compared to Microsoft and Apple, and other smartphone systems.

    3. Roland6 Silver badge

      Re: How long before...?

      re: Next it will be that W10-2018 edition will only let apps be installed via their App store and devs are expected to pay lots of £££ to get their app into the store.

      Whilst researching something else I came across this article:

      https://storageservers.wordpress.com/2015/04/18/forget-using-free-ms-office-on-microsofts-windows-10-operating-system/

      Whilst I can find no other site carrying this story and note the dates seem to be out, the general intent, namely MS only permitting users to install the latest edition of MS Office and definitely not Open Office, doesn't sound too far-fetched.

      In this respect it is notable that MS took down their application compatibility checker in late 2015; probably because the update model for W10 would make it highly visible that an application compatible with W10 build 123, is not compatible with W10 build 124...

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        "Whilst researching something else I came across this article"

        And did you see it happening? While it's quite clear MS likes the store model a lot, that article looks really silly. The calling pirated copies "free ms office" is really bullshit..

        About Office support in Windows 10:

        https://support.office.com/en-us/article/Which-versions-of-Office-work-with-Windows-10-0fc85c97-da69-466e-b2b4-54f7d7275705

        And people are using LibreOffice on it without issues, AFAIK. Don't believe everything you read on the Internet... from clueless sources.

        Then, what Satan Nadella is planning for the future, we don't really know...

      3. Doctor Syntax Silver badge

        Re: How long before...?

        "Whilst researching something else I came across this article:

        https://storageservers.wordpress.com/2015/04/18/forget-using-free-ms-office-on-microsofts-windows-10-operating-system/"

        Hmmm. It also seems mentions "the free upgrade to Windows 10" as if it's a good thing. I'd be suspicious of the whole article.

        1. Roland6 Silver badge

          Re: How long before...? @LDS & Doctor Syntax

          Yes, I was suspicious of the article, because as I intimated we are in 2017 and have the benefit of hindsight (augmented by Google), I was a little surprised the article wasn't dated 1-April-2015...

          I posted it as it seemed an appropriate comment on the gloom of Steve Davies 3's comment (plus I was sure El Reg readers would enjoy a laugh). Namely, at the time (April 2015) it would have been believable by many, however, with hindsight we can see it was simply FUD.

          However, LDS, as you correctly point out "what Satan Nadella is planning for the future, we don't really know..."

      4. TotallyInfo

        Re: How long before...?

        That article is nearly 2 years old. All it says really is that the free upgrade for W10 finishes when MS says it does (which actually isn't quite true) and that they are going to crack down on pirate versions of Office.

        The article's comment about Open/Libre Office is utter rubbish. If for no other reason that MS are very heavily scrutinised in public sector due to their prominence. Any attempt by them to try and ban or just restrict the use of any rival, let alone public domain rivals would mean disaster for their public sector sales.

        In any case, MS really don't care about open source "rivals" that much, those tools will never be able to catch up with MS Office investment unless a large number of big organisations decide to invest heavily. While those tools are fine for some use, they are very unlikely to ever present real competition to MS Office.

    4. Doctor Syntax Silver badge

      Re: How long before...?

      You can buy the dongles on eBay?

      1. bombastic bob Silver badge

        Re: How long before...?

        "You can buy the dongles on eBay?"

        or, worse, CLONES of dongles at rock-bottom prices

      2. patrickstar

        Re: How long before...?

        You can buy HSMs from a lot of vendors - I am sure you can find them on eBay as well. Getting one would not help you one bit in signing something illegitimately. Exactly like how having a harddrive doesn't mean you can sign software as other people today just because they store their private keys on harddrives.

  5. alain williams Silver badge

    and what will that hardware contain ?

    but a bit of software. So: how long before someone reverse engineers it or pulls one to bits and puts it under a microscope to extract the keys ?

    1. Roland6 Silver badge

      Re: and what will that hardware contain ?

      Be my guest:

      http://www.pcworld.com/article/2846653/storage-for-spies-how-the-fips-standard-makes-data-extremely-hard-to-steal.html

    2. Frank Bitterlich

      Re: and what will that hardware contain ?

      It's supposed to be a FIPS-level HSM (Hardware Security Module.) May be possible to break these, but probably a lot of effort (and you have to steal one, too, without the owner noticing.)

      1. Doctor Syntax Silver badge

        Re: and what will that hardware contain ?

        "It's supposed to be a FIPS-level HSM"

        Wasn't it FIPS that was recommending an NSA-sponsored broken by design encryption algorithm?

        1. Charles 9

          Re: and what will that hardware contain ?

          For PUBLIC consumption. Never assume they follow their own recommendations internally.

          1. Doctor Syntax Silver badge

            Re: and what will that hardware contain ?

            "For PUBLIC consumption."

            And these gadgets are being offered for public consumption - or at least that portion of the public that develops S/W for Windows.

  6. Frank Bitterlich
    WTF?

    CA Security Council...

    ... has certainly lost contact with reality. From their site:

    "Stronger protection for private keys: The best practice will be to use a FIPS 140-2 Level 2 HSM or equivalent. Studies show that code signing attacks are split evenly between issuing to bad publishers and issuing to good publishers that unknowingly allow their keys to be compromised. [...] Therefore, companies must either store keys in hardware they keep on premise hardware, or in a new secure cloud-based code signing cloud-based service."

    Aside from the obvious proofreading fail, it says you have to use either a HSM or "a new secure cloud-based code-signing service." Oh, OK then, that probably means that storing the keys in the cloud and let a cloud service sign your code, instead of your local machine, makes it more secure. Figures.

    I wonder what "a new, secure [...] service" means, though. Are they planning to offer one themselves? Or does it mean that OS makers (MS, Apple) may offer that service, as long as it is "new" (and, of course, "secure")?

    1. Ken Hagan Gold badge

      Re: CA Security Council...

      It was the "Therefore, " that puzzled me. The kind of company that unknowingly allows its keys to be compromised is the kind of company that will just stick this dongle in their signing server and give all their devs login rights.

      1. Anonymous Coward
        Anonymous Coward

        Re: CA Security Council...

        I think the thing is that they don't want signing keys exposed. They want them black-boxed, and given they're insisting on FIPS-compliant modules (which are very tamper-resistant, EM-blocking including x-rays, and must include suicide circuits), they seem to be serious about the philosophy that the best way to protect the key is to make sure no one knows what it is.

    2. SoftWiz

      Re: CA Security Council...

      Well, MS for one already has this service for quite a while in their Azure offering.

      But I'm sure Amazon and others will have these too.

      They're verified and certified by external independent companies and really following all security-related best-practices.

      Why are they proposing this? well, a lot of malware and what have you now can be unsigned, or signed with a certificate you got from who knows where, without the need to identify yourself.

      Now, in order to obtain such a code-signing certificate/service, you'll be obliged to identify yourself.

      For using the service in Azure, you'll need to go though a MS partner, for obtaining the 'dongle', which shouldn't be from MS by the way, but any code-signing certificate from any trusted issuer can be used, like GlobalSign or whatever!

      This already is done for signing certificates used for signing CRITICAL documents, and for signing PDF's with the Adobe AATL certificate, for long, having HW dongles was the only way.

      Again, because you needed to identify yourself and physically obtain the dongle from the issuer at their premises.

      So, if they deemed it necessary for signing documents, shouldn't it be wise to use it for signing software, which might have access to all personal data of a user, all bank accounts, too?

      And indeed, then they can start blocking unsigned software, or at least indicate that that software is not signed with a trusted certificate, so it's the end-users responsability.

      This is probably the only way to get rid of malicious software, distributed as safe to install sw, and without any means of identifying who was the creator/distributor of this sw.

      1. Anonymous Coward
        Anonymous Coward

        Re: CA Security Council...

        "Now, in order to obtain such a code-signing certificate/service, you'll be obliged to identify yourself."

        Or just STEAL one like Realtek's key. Recall the malware that got through because it was signed with Realtek's key, which happens to be one you CAN'T easily revoke because of all the sound chip drivers signed by the same key?

  7. Zippy's Sausage Factory
    Facepalm

    Is it me or are MS doing everything in their power to make Windows die? Seriously, they seem to be trying to annoy developers as much as possible, competing directly with their business partners, making Windows 10 annoy its own users...

    I mean I'm not one for conspiracy theories, but I heard a bunch of pigeons the other day whispering "coup, coup"*....

    * Old Bill Hicks joke, not one of mine. Sadly.

  8. WibbleMe

    Why does the world need this product?

    Seriously for day to day task's Ubuntu Desktop is "good enough" for most people for email and document editing along with being a core development platform for developers due to its ease.

    1. Ken Hagan Gold badge

      Re: Why does the world need this product?

      "this product" ??

      The article is talking about code signing. Last I heard, Ubuntu Desktop is not a code signing product. Also, last I heard, Linux distributions in general solve the code signing problem by having each distribution bake its own keys into the distro. This isn't a technique that scales well to several million ISVs, though obviously it works just fine if you can persuade everyone to share their source code so that it can be served up by the One True Repo of each particular distro.

      1. WibbleMe

        Re: Why does the world need this product?

        You missing the point, the customer wants to simply use something that does email or a business APP like a Word processor, they do not car about signing or the OS, they want something easy to use, reliable and does the job if supplying one type of OS is means jumping through lots hoops is not cost effective for the supplier ie IT company then changes will be pushed through or the company dies.

        Just because something is well used once does not mean it can not be replaced.

        Example

        Amazon AWS in the cloud is the big buy because of choice, ease of use and cost.

        Google Android or iphone OS is used on mobile because of ease of use.

        I do not care about signing I want to make a profit, the customer does not care about signing they want to make a profit.

        The reason you do not care about signing is that you probably do not see the bill, but whoever does will ask questions, why what if and how.

        1. Anonymous Coward
          Anonymous Coward

          Re: Why does the world need this product?

          "I do not care about signing I want to make a profit, the customer does not care about signing they want to make a profit."

          Then they'll want to care about signing because it helps to make sure the app they're using is genuine and not some trojan designed to steal their secrets.

  9. Anonymous Coward
    Anonymous Coward

    H/W vs S/W vs cloud

    Changes that mean signing certificates for Windows can only be sold in hardware form

    I can see the sense in that, something physical is usually more secure than something ephemeral like software...

    or from an as-yet undefined cloud-based "service”

    which feels to me like it almost has vulnerability built in from the get-go.

    So...with one approach that's more secure, and one that could be a bit s**t, I suppose that on average we're about where we were to begin with.

    1. Anonymous Coward
      Anonymous Coward

      Re: H/W vs S/W vs cloud

      > which feels to me like it almost has vulnerability built in from the get-go.

      Not intrinsically: a cloud service can be built to be much more secure than most people can build their own.

      The weakness will be in how you authenticate to the cloud service, to get it to sign something. And as long as that has some sensible approach (e.g. U2F token) then it should be pretty good.

      Basically it means you push the cheap U2F token to the end user, and the expensive HSM module into a centrally managed service.

      1. patrickstar

        Re: H/W vs S/W vs cloud

        Doing this in the clown can actually be secure. Kind of, atleast. The trick is to have the HSM that keeps the keys also authenticate the user. Presumably with some sort of OTP/token scheme - presenting one OTP to the HSM means you get it to sign one hash for you.

        1. Colin Critch
          Happy

          Re: H/W vs S/W vs cloud

          I think the clown would object!

      2. doke

        Re: H/W vs S/W vs cloud

        "a cloud service can be built to be much more secure than most people can build their own."

        "can be built", "has been built", and "has been maintained" are all very different. I've seen several cloud services that were designed with good intentions, built with the best safeguards available, but then turned over to morons to operate and maintain. After a couple years, they're worse than useless.

      3. Doctor Syntax Silver badge

        Re: H/W vs S/W vs cloud

        "Not intrinsically: a cloud service can be built to be much more secure than most people can build their own."

        That may be true from a vendor's point of view. From the user's point of view the vendor has to be added to the risks to be considered. However trustworthy the vendor might be in the first place ownership, management and staffing can change and, depending on data sovereignty, the cloud could be suborned by TPTB along with a gag order.

        It's somebody else's computer. You don't know what's happening there.

        1. Anonymous Coward
          Anonymous Coward

          Re: H/W vs S/W vs cloud

          "It's somebody else's computer. You don't know what's happening there."

          You didn't construct the chips in your own machine. You don't know what's happening there, either. If you're that paranoid, you're better off abandoning everything electric and living in the mountains.

  10. Anonymous Coward
    Anonymous Coward

    Where can the details be found on the MS Site?

    I just tried searching on the MSDN site and didn't find anything about a change to code signing, can someone point me in the right direction.

    Tks

  11. Ken Moorhouse Silver badge

    Hardware Dongles

    Might hit corporates big-time - having locked down pc's so that USB slots are disabled they are now going to have to allow a dongle to be plugged in.

    1. Electron Shepherd

      Re: Hardware Dongles

      But you only get one dongle, surely? In that case, it needs to be permanently put into the build server, assuming you have only one. Multiple build servers might mean multiple dongles, unless you now have a single "signing server" that just does the signing.

      Life may get interesting if the machine that does the building and signing is a VM. Getting a VM to access a physical USB slot directly can be a bit tricky at the best of times, and it somewhat messes up the ability to migrate the machine to another host.

      1. patrickstar

        Re: Hardware Dongles

        If you are a large vendor you presumably already sign your code (and anything else that needs signing) on a dedicated, non-connected, computer. So if you're doing it right to begin with, this isn't exactly a dramatic change. If you're doing it wrong, requiring a HSM will atleast force you to do it slightly less wrong.

        1. Electron Shepherd

          Re: Hardware Dongles

          a dedicated, non-connected, computer

          The machine doing the signing has to have internet connectivity, because it needs to get to the CA's timestamp server as part of the signing process. If you don't do that, the signature can't be verified after the expiration date of the certificate.

          1. patrickstar

            Re: Hardware Dongles

            No, you simply need to do the timestamping on a different computer than the signing. (signtool timestamp is the command if using the standard MS tools)

            At this point the binary is already signed so the computer used for timestamping isn't critical for maintaining the integrity.

      2. Adam 52 Silver badge

        Re: Hardware Dongles

        "Life may get interesting if the machine that does the building and signing is a VM"

        Or on Azure?

  12. Anonymous Coward
    Megaphone

    Change in mindset is needed IMO

    What is a certificate? In the end it's nothing more but a public key which got signed by a allegedly trusted party, the Certificate Authority. But what is stopping a software vendor from being his own CA? OpenSSL has been with us for a long time now and I can tell from personal experience that it's perfectly capable of setting up code signing.

    This is a snippet from openssl.cnf which I use for that:

    [ policy_CodeSigning ]

    countryName = match

    stateOrProvinceName = supplied

    localityName = supplied

    organizationName = supplied

    organizationalUnitName = optional

    commonName = supplied

    emailAddress = optional

    I've been using my own CA for years now in both a hobby based environment but also a commercial one. Back in the days when this was still a thing we simply instructed our customers to install our CA certificate and then not to trust any of our code which wasn't signed by us.

    I mean, what's so weird about this mindset? They trust our code to be run on their machines in the first place, so why wouldn't they trust us to sign our own code as a sign of approval for what we gave out?

    As an extra bonus: if we were to screw up then its obvious where the blame lies. We wrote it, we signed it so obviously we mucked up.

    Why would you even bother paying up tons of cash for nothing else but a little convenience? The only advantage over using your own certificate is that your customers don't have to do anything in order for their system to accept your code. That is... If you're lucky and they kept their certificate store up to date.

    People need a change in mindset in my opinion. Website "security" (read: encryption) has already been brought back to some sanity where there are plenty of free and cheap CA's which can provide you with a working certificate, now it's time for round two I think.

    But seriously, some people need an attitude adjustment I think. Just because a "well known" party certifies a certificate (read: signs a public key) doesn't imply that it's also all perfectly safe.

    1. Electron Shepherd

      Re: Change in mindset is needed IMO

      If everyone signs code with a self-generated certificate, there's no point in doing it.

      One of the reasons behind code signing is that it prevents impersonation. I can write an installer that claims to be the latest Java update, but since it isn't signed by Oracle, it will look suspicious. The assumption here is that the CA won't issue me with a code signing cert for Oracle, since I can't prove that I represent Oracle Corporation, Inc.

      As you say "They trust our code to be run on their machines in the first place, so why wouldn't they trust us to sign our own code as a sign of approval for what we gave out?". Code signing tells you that the program you are running really is from the people you think it's from. A program signed with a publisher-generated certificate doesn't give you that guarantee.

      It's a chain of trust - you trust that the CA has verified that the publisher is who they say they are, and you trust the publisher, so therefore you can trust the signed software which claims to be from the publisher.

      1. Anonymous Coward
        Anonymous Coward

        Re: Change in mindset is needed IMO

        So what if someone (say a state) produces a completely bogus chain of trust and then publishes a bunch of updates to the system while posing as the company, spreading the bogus-signed stuff everywhere and then say hacking the original company to say their chain of trust got broken and had to be refreshed? The thing about chains of trust is that they have to be anchored somewhere, and that starting point can still be betrayed.

        1. Electron Shepherd

          Re: Change in mindset is needed IMO

          "The thing about chains of trust is that they have to be anchored somewhere, and that starting point can still be betrayed."

          That's true, but it's a bit like the famous quote about democracy - it's the worst solution, apart from all the others that have been tried.

          1. Charles 9

            Re: Change in mindset is needed IMO

            But that presents a counter. What if the best option is still insufficient?

        2. Adam 1

          Re: Change in mindset is needed IMO

          > So what if someone (say a state) produces a completely bogus chain of trust and then publishes a bunch of updates to the system while posing as the company, spreading the bogus-signed stuff everywhere and then say hacking the original company to say their chain of trust got broken and had to be refreshed?

          Here are some random URIs

          https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates

          https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

      2. Richard Plinston

        Re: Change in mindset is needed IMO

        > It's a chain of trust - you trust that the CA has verified that the publisher is who they say they are,

        You are quite correct that, for large scale distribution to unknown users, you need to centralise that trust back to a CA that is trusted by the receiver.

        However, for limited distribution to known users (eg customers or clients), you can establish your own chain of trust directly. If arbitrary unknowns stumble upon the site then we don't care that they don't trust us, and that we don't trust them, and in fact prefer that.

    2. dajames

      Re: Change in mindset is needed IMO

      ...what is stopping a software vendor from being his own CA?

      Nothing stops anyone from setting up a CA and signing any certificate they like. You can do it, I can do it.

      The problem is that your OS comes preloaded with a list of root signing certificates for CAs that the OS vendor trusts, and we implicitly trust those CA certificates and all the other certificates issued using those keys. Unless you can get your your CA certificate onto that trusted list, or persuade your users to add it, there is no chain of trust and the keys you certify will not be recognized.

      Of course, this prompts the question: Are we right to trust the CA root keys are installed on our systems? That's a tricky one ...

      1. TotallyInfo

        Re: Change in mindset is needed IMO

        Self-signed cert chains can indeed be a LOT MORE secure than publically signed ones. But it all depends on the process. Done wrong, they are worthless, done well they are very strong. Of course, you are also taking on another issue which is issuing and managing the trust chain and that can get very complex very quickly.

        But it does annoy me greatly when people and organisations assume that self-signed certs are "insecure", this is not a foregone conclusion at all.

        When I connect to one of my servers to do admin, I'm almost always using self-signed certs and they are very secure since I created the trust chain manually and the root CA cert is kept offline. I therefore have no worries about compromised CA's and MitM attacks would always stand out like a sore thumb. But that only works because I have a very limited number of places where I need to install the CA public keys to prove the chain of trust.

  13. Anonymous Coward
    Anonymous Coward

    > They trust our code to be run on their machines in the first place, so why wouldn't they trust us to sign our own code as a sign of approval for what we gave out?

    Because there is a chain of trust which leads all the way back to Microsoft.

    Certainly you could just have every developer signing their own code, but then it would be mostly worthless. A user downloads some interesting-looking app called, say, "Battery Enhancer". It's signed by a certificate which claims to be from "BBC Software". Probably you have no idea who BBC Software are. Even if you have heard of the company, unless you've previously downloaded their signing cert you won't know that *this* BBC Sofware is the one you know. Similarly, unless you've previously downloaded a known-good copy of the cert, you can't tell whether someone has tampered with the downloaded code *and* the cert.

    So, on what basis do you assess the risk of whether to install this piece of software or not?

    What we have instead is a system where Microsoft signs each CA, and the client can automatically check whether the code signing CA was at least known to Microsoft, and also that the code hasn't been tampered with since it was signed by that CA.

    But any sub-CA can sign any code, so the whole system is a weak as the worst CA. In other words, pretty weak.

  14. bombastic bob Silver badge
    FAIL

    the approximate doubling of certificate prices.

    Thanks for the toll-hike at the Redmond "Bridge"

    Yet another impediment to:

    a) independent developers

    b) open source

    c) people who just want to write stuff for their OWN computer

    YET ANOTHER REASON to go with open source operating systems.

    1. Electron Shepherd

      Re: the approximate doubling of certificate prices.

      This has nothing to do with open source, and nothing to do with preventing someone writing something for their own computer.

      There's no suggestion that the OS is going to require signed application-level code. There's nothing to stop you from downloading Visual Studio Community Edition (for free), or an open-source IDE such as Eclipse, writing The World's Best Program, publishing the full source code on GitHub under the GPL and also running it on your own computer.

      1. bombastic bob Silver badge
        Coat

        Re: the approximate doubling of certificate prices.

        "There's no suggestion that the OS is going to require signed application-level code"

        YET...

        consider what's already happened with device drivers. I'll get my coat, now.

        1. patrickstar

          Re: the approximate doubling of certificate prices.

          Considering the large amount of legacy software that Microsoft has bent over and taken it in the rear to support in new versions, even when it involves working around bugs in said software, it'd be ... somewhat unlikely if they suddenly started requiring signatures for everything.

          The requirement - which can be disabled by the way - for signed kernel mode drivers was introduced with 64-bit versions of Windows, which HAD to break backwards compatibility with drivers anyways (no way to load a 32 bit driver in a 64 bit kernel).

  15. Crazy Operations Guy

    Just need better certificate management

    I wish there was a way to select which instances of signing I want to trust. Like I wish there were a way to trust the signing on Lenovo's hardware drivers, but distrust the code signing on their shit software (like with the whole 'superfish' fiasco).

    Although I would also like some kind of screening for what code gets signed. I've had several pieces of software on my network that got through because they were signed even though the software was total crap and filled with security holes. If I tried to delete the CA that issued their code-signing cert, then I'd be invalidating plenty of software that I do want on my network.

    1. Electron Shepherd

      Re: Just need better certificate management

      Have you tried extracting the certificate from the relevant program (easy to do from the 'Digital Signatures' property page in Explorer), and then adding that certificate to the 'Untrusted Certificates' store? I'm fairly certain that would get you the result you're after.

      1. Crazy Operations Guy

        Re: Just need better certificate management

        Work on the crap software, but Lenovo signs both their software and their device drivers with the same certificate...

  16. eldakka

    I don't need - or want - Microsoft's approval of any piece of software before installing it on MY computer.

    1. patrickstar

      You don't need it either. Signing is optional, though confers some benefit.

      (For kernel mode drivers you need them to be signed with the default configuration however, but this can be overridden).

    2. Charles 9

      YOUR computer, but THEIR OS, and they tend to get flak (blame or no blame) if something like a driver breaks things, so like it or not you have to deal with kiester-covering.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like