They have revoked the certificate for a company publishing "rogue" (or fake) antivirus software
GlobalSign told The Register today that they have revoked the certificate for a company publishing “rogue” (or fake) antivirus software – in fact, we’ve covered the software on this website on at least one occasion – it’s Antivirus XP we’re talking about, a piece of software that claims to be an antivirus but is nothing more than an extortion racket software tool, demanding money in exchange for nothing at all.
All well and good, you’d say. Well, all is emphatically not well, because in doing so GlobalSign removed a (very simple, very effective) tool from security-minded folks’ hands. It’s not like the certificate was invalid in some way. It was perfectly valid. To appear legit, the publishers of the e-threat had decided to play by the rules and get a valid cert from a high-profile certification authority. The certificate positively identified a certain binary file as being Antivirus XP 2008. Now that means of identification is gone. See the problem here?
The sad truth is that the confusion between identity and security is one that GlobalSign and other companies like it worked hard to create. Here’s an endearing quote from the GlobalSign website:
“Running Unsigned Code / Executables can be Dangerous!
End users are encouraged not to run unsigned code / executables therefore downloading / running unsigned applications will generate worrying Unknown Publisher security warnings. Unsigned software can be tampered with (such as the insertion of spyware, malware or harmful code and then redistributed). Once digitally signed using a Code Signing Certificate, customers can be sure of the identity of the software developer and that the software has not been altered since being published by the original vendor. The security warnings change from being worrying to alerting the user the publisher of the digitally signed software is known – adding an essential level of trust to the application installation process.”
If anything, the fact that Antivirus XP obtained a valid cert is proof that positively identifying something doesn’t make that thing intrinsically safer. The fact that an application is signed by Verisign or Microsoft or the Tooth Fairy syndicate is supposed to make you feel safer, but all it amounts to is that Verisign or Microsoft or the syndicate accepted a cheque from someone and used crypto to tie that someone’s identity (however tenuous that concept is) to a certain piece of code.
GlobalSign should not have pulled that cert. They should have kept it and advertised the hell out of it as proof the system works and used it to push hard for the deployment of a de-centralized trust infrastructure on top of the identification infrastructure they manage. A system is needed where everyone could find out at a glance that the certificate for Antivirus XP is valid and the software they’re about to install really is Antivirus XP (which they can now) and that everyone who’s someone thinks that Antivirus XP is an e-threat (which they can’t, for now).
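To make the identity-versus-trust split concrete, here is an added example that is not code from the original post, from GlobalSign or from any real code-signing stack. It models the two layers the paragraph above asks for: an identity layer that checks a signature against a publisher directory (Ed25519 stands in for the CA-issued certificate, with a key fingerprint playing the role of a certificate thumbprint), and a separate reputation layer keyed by that same fingerprint. The publisher name, the directory, the revocation list, the reputation records and the "installer bytes" are all constructed for the demonstration. It then shows what revocation does: the signature still verifies mathematically, but once the identity binding is withdrawn the artifact collapses to "unknown publisher" and the reputation verdict that hung off that identity becomes unreachable.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Identity is the identity layer's record for one publisher: the name the
// CA vouched for, bound to a public key. Constructed stand-in for a certificate.
type Identity struct {
	Name   string
	PubKey ed25519.PublicKey
}

// SignedArtifact is the shipped binary plus a signature over its SHA-256 digest
// and the fingerprint of the key that produced it (like a certificate thumbprint).
type SignedArtifact struct {
	Code        []byte
	Signature   []byte
	PublisherFP string
}

// Verdict keeps the two layers' answers apart on purpose.
type Verdict struct {
	Identified bool   // identity layer: valid signature from a known, non-revoked publisher
	Publisher  string // who the identity layer says published it ("" if unknown)
	Trusted    bool   // reputation layer: an independent judgement about that publisher
	Reason     string
}

// Fingerprint derives a short identifier for a public key (first 8 bytes of SHA-256).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Sign produces the artifact a publisher would ship: code, signature over its digest, key fingerprint.
func Sign(priv ed25519.PrivateKey, code []byte) SignedArtifact {
	digest := sha256.Sum256(code)
	return SignedArtifact{
		Code:        code,
		Signature:   ed25519.Sign(priv, digest[:]),
		PublisherFP: Fingerprint(priv.Public().(ed25519.PublicKey)),
	}
}

// Evaluate runs the identity layer first and only then the reputation layer.
// The reputation map is hypothetical: it stands for the decentralized verdicts the post asks for.
func Evaluate(art SignedArtifact, directory map[string]Identity, revoked map[string]bool, reputation map[string]string) Verdict {
	id, known := directory[art.PublisherFP]
	if !known || revoked[art.PublisherFP] {
		// No usable identity, so there is nothing to key a reputation lookup on.
		return Verdict{Reason: "unknown publisher: identity not available, reputation lookup impossible"}
	}
	digest := sha256.Sum256(art.Code)
	if !ed25519.Verify(id.PubKey, digest[:], art.Signature) {
		return Verdict{Reason: "signature does not verify: code altered or key mismatch"}
	}
	v := Verdict{Identified: true, Publisher: id.Name}
	switch reputation[art.PublisherFP] {
	case "malicious":
		v.Reason = "publisher positively identified and flagged as malicious"
	case "trusted":
		v.Trusted = true
		v.Reason = "publisher positively identified with a good reputation"
	default:
		v.Reason = "publisher positively identified but has no reputation record"
	}
	return v
}

// Scenario holds the three evaluations the demonstration walks through.
type Scenario struct {
	Before, AfterRevocation, Tampered Verdict
}

// RunScenario builds a constructed publisher, signs constructed installer bytes, and evaluates
// the artifact before revocation, after revocation, and after tampering with the code.
func RunScenario() (Scenario, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	fp := Fingerprint(pub)
	directory := map[string]Identity{fp: {Name: "Antivirus XP 2008 (constructed identity)", PubKey: pub}}
	revoked := map[string]bool{}
	reputation := map[string]string{fp: "malicious"} // constructed community verdict
	code := []byte("constructed stand-in for the installer bytes")
	art := Sign(priv, code)

	var s Scenario
	s.Before = Evaluate(art, directory, revoked, reputation)
	tampered := art
	tampered.Code = append([]byte{}, code...)
	tampered.Code[0] ^= 0xff // flip a byte: signature no longer matches
	s.Tampered = Evaluate(tampered, directory, revoked, reputation)
	revoked[fp] = true // the CA pulls the certificate
	s.AfterRevocation = Evaluate(art, directory, revoked, reputation)
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("before revocation: %+v\n", s.Before)
	fmt.Printf("tampered copy:     %+v\n", s.Tampered)
	fmt.Printf("after revocation:  %+v\n", s.AfterRevocation)
}
```

Before revocation the identity layer says "this really is Antivirus XP 2008" and the reputation layer says "and it is malicious", which is exactly the combination the paragraph wants everyone to see. After revocation both answers are gone, not just the first one: the user is back to a generic "unknown publisher" warning that looks no different from a hobbyist's unsigned tool.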
What’s more, GlobalSign opened a huge can of worms by revoking a valid certificate (valid both process-wise and real-world-wise – its publisher was positively identified, for better or worse). Will they do it again? Who knows? What company will “benefit” from this treatment next? If a rogue one was mis-identified as legit (forgetting for a moment that it is emphatically NOT the job of GlobalSign to ascertain such things), isn’t it possible that next time a legit one will be identified as rogue? Is there a process in place to redress errors? How fast is it, and how fast can changes be propagated? What are the margins of error?