It is an axiom of computer security that users have to trust some aspects of the system. Yet developers of many essential software applications fail to take simple measures to validate that trust.
Code signing certificates are the standard for providing proof of origin for an executable software program. It is common for malicious software to masquerade as legitimate, and code signing has long been a way to protect against this threat. Many of the most sophisticated software companies rely on code signing, and for good reason. The liability and embarrassment that result from a compromise of the update process are devastating for a software vendor.
New research describes attacks against SSL that create opportunities to compromise the update processes of unsigned software. This paper will show how code signing works, how attacks can be mounted against unsigned software (including autoupdate software), and how real-world signing systems protect software vendors, enterprises and end users.