On Feb 18, 2013, at 7:07 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:

> I've just done a quick tally of the certs posted to
> http://www.ccssforum.org/malware-certificates.php, a.k.a. "Digital
> Certificates Used by Malware".  Looks like Verisign (and its sub-brand Thawte)
> are the malware-authors' CA of choice, selling more certs used to sign malware
> than all other CAs combined.  GeoTrust comes second, and everything below that
> is in the noise.  GoDaddy, the most popular CA, barely rates.  Other CAs
> who've sold their certs to malware authors include ACNLB, Alpha SSL (which
> isn't supposed to sell code-signing certificates at all as far as I can tell),
> Certum, CyberTrust, DigiCert, GeoTrust, GlobalSign, GoDaddy, Thawte,
> StarField, TrustCenter, VeriSign, and WoSign.  Everyone's favourite whipping-
> boy CAs CNNIC and TurkTrust don't feature at all.
> 
> Caveats: These are malware certs submitted by volunteers, so they're not a
> comprehensive sample.  The site tracks malware-signing certs and not criminal-
> website certs, for which the stats could be quite different.

Interesting, but I have a raised eyebrow.

As Andy Steingruebl pointed out, there are a lot of malware certs that are 
stolen, so this data needs to be normalized against market share. Similarly 
relevant would be the CAs with significantly fewer certs there than market 
share would indicate. My former employer, Entrust, has zero certs in that 
database. What does that mean? Anything?

Why pick on the CAs at all? Frankly, the real problem with signed malware is 
that the *platforms* have the policy that equates a signature with reputation. 
That's the thing that to me is mind-bogglingly daft. It's the equivalent of the 
TSA wanting a government-issued ID, because as we all know, terrorists can't 
get ID.

If you separate signatures from reputation, then anti-malware scanners can 
detect malware by a database of known malware signatures, and then infer 
upwards from a piece of malware to a key owned by or suborned by a malware 
author. They could conveniently kill malware by code signature or signing cert, 
as appropriate. They could even go beyond malware to disable things like known 
buggy or exploitable versions of software. I don't see why they aren't doing 
that now. They don't even need the platform makers to play along.

An alliance of the platforms and the anti-malware people would make it 
unnecessary to even have a CA-issued code signing cert.

        Jon
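The inference Jon describes, from a known-malware sample upwards to its signing key, and then blocking by cert or only by sample hash "as appropriate", as an added Python example that is not part of the original thread. The sample hashes, signer fingerprints and the 50% block ratio are constructed assumptions, not real indicators.

```python
"""Roll per-binary malware verdicts up to the signing certificate (constructed).

A signer whose signed samples are mostly malicious is blocked outright; a signer
with only an isolated bad sample (possibly a stolen key) is blocked by hash only.
"""
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class SignedSample:
    sha256: str       # hash of the signed binary (constructed placeholder)
    signer_fpr: str   # fingerprint of the code-signing cert (constructed)
    malicious: bool   # verdict from the anti-malware signature database

# Constructed sample set; none of these values are real hashes or certs.
SAMPLES = [
    SignedSample("aaaa01", "cert-A", True),
    SignedSample("aaaa02", "cert-A", True),
    SignedSample("aaaa03", "cert-A", False),
    SignedSample("bbbb01", "cert-B", False),
    SignedSample("bbbb02", "cert-B", False),
    SignedSample("bbbb03", "cert-B", True),   # single bad sample: maybe a stolen key
    SignedSample("cccc01", "cert-C", False),
]

def signer_reputation(samples, block_ratio=0.5):
    """Map each signer fingerprint to 'block', 'watch' or 'ok'.

    'block': at least block_ratio of the signer's samples are malicious, so every
    binary under that cert is treated as malware. 'watch': some malicious samples
    but below the ratio; block only by sample hash. 'ok': nothing malicious seen."""
    counts = defaultdict(lambda: [0, 0])  # fpr -> [malicious, total]
    for s in samples:
        counts[s.signer_fpr][0] += int(s.malicious)
        counts[s.signer_fpr][1] += 1
    verdicts = {}
    for fpr, (bad, total) in counts.items():
        if bad == 0:
            verdicts[fpr] = "ok"
        elif bad / total >= block_ratio:
            verdicts[fpr] = "block"
        else:
            verdicts[fpr] = "watch"
    return verdicts

def should_block(sha256, signer_fpr, samples=SAMPLES):
    """Decision for a newly seen binary: known-bad hash, or a blocked signer."""
    known_bad = {s.sha256 for s in samples if s.malicious}
    if sha256 in known_bad:
        return True
    return signer_reputation(samples).get(signer_fpr) == "block"
```

Note that this needs no cooperation from the platform or the CA: the scanner derives signer reputation entirely from its own verdict database.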


_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography