It is an axiom of computer security that users have to trust some aspects of the system. Yet developers of many essential software applications fail to take simple measures to validate that trust.
Code signing certificates are the standard for providing proof of origin for an executable software program. It is common for malicious software to masquerade as legitimate, and code signing has long been a way to protect against this threat. Many of the most sophisticated software companies rely on code signing, and for good reason. The liability and embarrassment that result from a compromise of the update process are devastating for a software vendor.
New research describes attacks against SSL that create opportunities to compromise the update processes of unsigned software. This paper will show how code signing works, how attacks can be mounted against unsigned software (including autoupdate software), and how real-world signing systems protect software vendors, enterprises and end users.