Compromised certificates: Revocations alone are insufficient

    Date18 Nov 2011
    Posted ByAlex
    Revoking a digital certificate does not automatically invalidate, for instance, software signatures that have been made with this certificate. What matters is the revocation date, which determines the point in time after which a signature will no longer be validated. According to a report from anti-virus specialist Norman, the signatures of several recently discovered trojans were validated by Windows as a result, and no warning was issued before installing the malware. The trojans were signed with a key that had been stolen from a Japanese company. The corresponding certificate was reported as compromised on 29 July 2011 and revoked by its issuing Certificate Authority (CA), VeriSign, which is now part of Symantec. However, that date was also entered as the revocation date.
    You are not authorised to post comments.

    LinuxSecurity Poll

    Do you reuse passwords across multiple accounts?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 2 answer(s).

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.