Following the ridiculous behavior of various other firms when a security problem is raised; it is nice to see a corporation take the message seriously and deal with it/fix it, instead of trying to pretend a problem wouldn't exist if the security researches hadn't spotted it!

Well done to Global Sign for not blaming the researchers/messengers! Perhaps the fools that run the Boston Charlie Card system can learn from this.

Ha. This is hilarious. Certificates have been the "standard" for management, consumers, and consultants for years and they are crap. My people have always said it and it's nice to see statements like that come true. It's sort of like the CCV on plastic - doesn't really do anything to secure anything, pure junk. At least plenty of people made money off them though. Ha.

Did you ask GlobalSign if they support OSCP yet? That is, will their revocation of the certificate have any real-world effect?

that video is brilliant. what a dip sh1t.

Digital certificates are not meant to confirm the "niceness" of it's owner. They never were intended for that.

What they are for is to verify that the person you are dealing with is in fact the person you think you are dealing with. Nothing more, nothing less.

So, in this case they actually did what they were supposed to do and confirmed to people that the AntiVirus XP 2008 they were using actually did come from the people who make AntiVirus XP 2008. The trouble was that the people who actually make AntiVirus XP 2008 are rogues and miscreants.

The point is that anyone can make a certificate. It's good that verisign pulled this one as it's owners were undoubtedly up to no good but don't go fooling yourselves that certs are a way of identifying the good guys on the 'net. That's not what they are for.

The Global Sign shill has had his say, now to the matter.

Don't trust Global Sign, they can't vet for sh*t ,

Simple enough, trust Verisign, the money saved just came

back to cost you.

Other malware, distributed through sites like xponlinescanner dot com and xpantivirus dot com, has also been digitally signed in the past, with publisher "Mistland Limited". This signed fake antivirus software has been circulating since at least March of this year. (Both these Web sites are still active, though the front page merely redirects to Google; the rogue software is distributed through various PHP scripts hosted on those sites.)

Goat Jam expressed the problem well. Digital certificates aren't meant, and never were meant, to flag a program as "safe", and Global Sign isn't supposed to check that the programs they sign aren't malware.

Digital certificates are meant to verify that a program was made by the company written in the certificate, and what Global Sign checks is the company's identity - something they seem to have done. Checking the quality or legitimacy of the software itself is *not* their job, and they shouldn't be blamed for it.

The problem here is that, as usual, the average user doesn't even know what security *means*, let alone how to obtain it. That, and most people are all too willing to blame the big company for their own shortcomings.

There is a better way to determine whether software is trustworthy, without relying on digital certificates issued by faceless absentee corporations: read the Source Code!

If you can't understand it yourself, then show it to a competent programmer whom you trust and ask them what they think. Get it straight from the horse's mouth.

But always insist on the Source Code. It's the only guarantee you've got.

I will immediately send a mail to MS asking for the Vista source code before I risk installing it. You volunteering to check it ?

:D

According to the article, a GlobalSign statement said:

"Like all CAs [certificate authorities], GlobalSign vets a company within strict guidelines, but we cannot form an opinion on the software they sign with the issued certificate. While we cannot provide a guarantee around the quality of the software, the certificate does provide proof of which company is responsible for the software, and therefore provides traceability to any parties using that software. This traceability allows us to perform an appropriate investigation."

"The concept of code signing certificates from any CA, whoever they are, is designed to provide assurances of origin of the software, but cannot express that it is virus-free, bug-free or malware-free," it added.

Whilst this is, of course, entirely true -- valid signatures only "prove" that the item is signed by a "known entity" -- GlobalSign's web site suggests in several places, and at least once even outright claims something else, something more. For example:

https://www.globalsign.com/company/press/070207_code-signing.htm

"On the consumer side, ObjectSign gives those buying and downloading from the Web the confidence to acquire new software without the fear of potentially installing malware. The new security precautions also allow consumers to see where software originates and that the vendors are legitimate – on an ongoing basis this means that updates and new drivers can be seamlessly downloaded without undue delay, giving users free reign to maximise usage of their operating system and applications."

Old story -- marketing should actually talk to the tech folk so they know WTF gives.

Also, according to The Reg GlobalSign says that the LLC AJSBIRI cert has been revoked (several days ago now), yet my Windows Vista machine says that a .DLL signed with the cert Sunbelt reported to GlobalSign (same serial number per the screen shots in the Sunbelt blog entry) is still valid ("This certificate is OK." on the Certification Path tab). GlobalSign runs a CRL and OCSP so this Vista machine should be telling me that the cert is invalid/revoked (I don't know if Vista does CRL for GlobalSign certs -- anyone??).

So, can anyone actually confirm that GlobalSign has revoked this cert, or does it just claim to have revoked it?

"Don't trust Global Sign, they can't vet for sh*t ,"

Now, now -- "GlobalSign vets a company within strict guidelines" according to their own statement. If you dig around their web site a bit you find a document describing this strenuous process, but loosely for a code-signing cert (which is at issue here) it involves filling in a form and sending them copies of your national ID card (or similar for non-EU folk -- drivers license maybe??, passport), business registration papers and such.

Ohh, and of course, paying the fee...

"Simple enough, trust Verisign, the money saved just came back to cost you."

That would be the same VeriSign that issued TWO -- not one, but two -- bogus Microsoft certs DESPITE having extra special additional procedures in place as part of its issuing process for any certs in Microsoft's name?

Yeah, those VeriSign folk REALLY know how to vet!

One has to wonder how come, after that, MS kept their certificate business with VeriSign and did not revoke VeriSign's status as a default root CA the following Patch Tuesday... They certainly deserved worse for that lapse...

And although I don't have the data readily at hand, I seem to recall there have been previous instances of signed malware using valid VeriSign certs, so I don't think I'll be taking your advice...

If you can really get hold of the Source Code to Vista, I'll gladly check it over for you -- at the usual hourly rate, of course, and subject to a disclaimer and bilateral warranty.

But if they won't show it to you, have you considered that perhaps it might be because there's something in there they don't want you to see?