Tag Archives: Code Signing

2014 – Looking Back, Moving Forward

March 3, 2014 by Bruce Morton     1 Comment

Looking Back at 2013: Protocol Attacks. The year started with a couple of SSL/TLS protocol attacks: Lucky Thirteen and the RC4 attack. Lucky Thirteen allows the decryption of sensitive information, such as passwords and cookies, when using a CBC-mode cipher suite. Lucky Thirteen can be mitigated by implementing software patches or preferring the cipher suite RC4. [Read More...]

Protect Your Private Keys: Three Easy Steps for Safe Code-Signing

December 19, 2013 by Bruce Morton     No Comments

A recent article by the Microsoft Malware Protection Center, “Be a real security pro – Keep your private keys private,” reminded me of some best practices. There are far too many cases of illegitimate code being signed with a stolen private key belonging to a legitimately issued code-signing certificate. In these cases, the owners of the private [Read More...]

Java Secures Supply Chains through Code Signing

December 11, 2013 by Bruce Morton     No Comments

This post was originally published by Bruce Morton & Erik Costlow on the CA Security Council blog. We have recently discussed the benefits of code signing in two posts: Securing Software Distribution with Digital Signatures and Improving Code Signing. These posts covered the role of code signatures as a “digital shrinkwrap” designed to answer a simple question: [Read More...]

Filed Under: Code Signing Tagged With: Java, Oracle

SHA-1 Deprecation, on to SHA-2

December 9, 2013 by Bruce Morton     1 Comment

We have previously reviewed implementation of SHA-2, but with Bruce Schneier stating the need to migrate away from SHA-1 and the SHA-1 deprecation policy from Microsoft, the industry must start to make some progress in 2014. Web server administrators will have to make plans to move from SSL and code signing certificates signed with the [Read More...]

Filed Under: SSL, SSL Deployment Tagged With: Code Signing, Microsoft, SHA-1

Securing Software Distribution with Digital Code Signing

October 23, 2013 by Bruce Morton     No Comments

This post was originally published on the CA Security Council blog. Code signing certificates from publicly trusted Certification Authorities (CAs) fulfill a vital need for authentication of software distributed over the Internet in our interconnected world. As the so-called “Internet of things” continues to grow, consumers have access to millions of applications for their [Read More...]

Adobe Code-Signing Certificate Compromised

October 3, 2012 by Bruce Morton     No Comments

Adobe announced they received two malicious utilities signed by a valid Adobe code-signing certificate. The code-signing certificate was compromised through an attack on their code-signing system. The code-signing certificate will be revoked on October 4, 2012, and the revocation will affect all code signed after July 12, 2012. A supporting security advisory has been issued. The [Read More...]

What is Time-Stamping?

June 27, 2012 by Bruce Morton     No Comments

What happens to signed code when the code signing certificate expires? In many cases, an expired certificate means that the signature validation will fail and a trust warning will appear in the browser. Time-stamping was designed to alleviate this problem. The idea is that, at the time the code is signed, the certificate [Read More...]

Code Installation Trust Decision

June 21, 2012 by Bruce Morton     No Comments

The code has been signed, the user has started installation, and verification has taken place. How does the user know whether or not to accept the code? Here is a typical code verification security warning: The user must make their trust decision based on the above. The statement provides the following: File Name: In this [Read More...]

How to Digitally Sign Code

June 18, 2012 by Bruce Morton     No Comments

Various application platforms support code-signing and provide different tools to perform the signing. Here is a list of the more common code-signing types and references as to where you can find guides for the given application. Adobe AIR: Adobe – Digitally signing an AIR file; Apple Mac OS X: Developer Library – Code Signing and [Read More...]

Verifying Code Authenticity

August 11, 2011 by Bruce Morton     1 Comment

When an end-user’s browser loads the code, it checks the authenticity of the software using the signer’s public key, signature and the hash of the file. If the signature is verified successfully, the browser accepts the code as valid. If the signature is not successfully verified, the browser will react by warning the user or [Read More...]