[Cryptography] HP accidentally signs malware, will revoke certificate
ianG
iang at iang.org
Sat Oct 11 11:18:45 EDT 2014
On 11/10/2014 03:11 am, dan at geer.org wrote:
> [ public case study now in progress ]
indeed, and we need more of them ;-)
> HP accidentally signs malware, will revoke certificate
>
> (Ars:) http://arstechnica.com/security/2014/10/hp-accidentally-signed-malwa=
> re-will-revoke-certificate/
>
> Regardless of the cause, the revocation of the affected certificate
> will require HP to re-issue a large number of software packages with a
> new digital signature. While the certificate drop may not affect
> systems with the software already installed, users will be alerted to
> a bad certificate if they attempt to re-install software from original
> media. The full impact of the certificate revocation won't be known
> until after Verisign revokes the certificate on October 21, Wahlin
> said.
That's um amazing. So a 4 year old expired cert is still a critical
piece of infrastructure, and they are still going to revoke it. Rather
finishes the argument of whether revocation means anything different
than expiry... More on Krebs.
http://krebsonsecurity.com/2014/10/signed-malware-is-expensive-oops-for-hp/
Revocation as a system only works if it is reasonable to roll out a new
cert, and this works as long as the scale is small. It looks like
code-signing can escape that assumption, making one userland cert as
powerful as .. a root cert!
Revocation was always a safety blanket, cute for users but not for
serious applications, so this must be causing some headaches in the risk
department.
iang
ps; HP's comment that they weren't breached is laughable.
More information about the cryptography
mailing list