Certificates and their owners
When we talked about the certificates that are used to digitally sign software, we also mentioned the following fact:
As a rule, consumer devices ship with a set of root certificates already installed. When a digital signature is checked, the certificate that produced the signature is traced back to one of those roots, which act as the source of trust, and the root itself is verified too.
This guarantees that the certificate used to sign an application didn't appear out of nowhere but was issued by a known certificate authority whose root the device already trusts. That guarantee, however, has several weak points.
1. The vast majority of certificate authority (CA) companies are based in the USA.
2. Nothing stops a CA or one of its partners from issuing a second certificate for a name that already has one, to a party other than its legitimate owner.
3. Perpetrators can compromise a CA.
Comodo Group's CA (its root certificate is treated as trustworthy by most browser vendors) issued certificates to unknown fraudsters. The certificates were for the following domains:
- mail.google.com, www.google.com
- login.yahoo.com (3 certificates)
4. Impostors can fake a certificate. Because certificates are trusted almost everywhere, forging them is very lucrative.
According to WikiLeaks, the CIA forged certificates to make its software look as if it had been issued by renowned publishers such as Kaspersky Lab.
The three examples of source code published by WikiLeaks let anyone create a fake certificate for the Moscow-based anti-virus company Kaspersky Laboratory that purports to be signed by Thawte Premium Server CA, Cape Town: the issuer field carries Thawte's name, but the signature does not chain to Thawte's real key.
Blind trust can have devastating consequences. "Everybody knows" who really writes malware: we hear that question not only at conferences but also from our new employees, who, having joined an anti-virus company, can now supposedly see the true makers of every piece of malware ever written with their own eyes. The material published by WikiLeaks, however, points to the actual authors.
Cui prodest? ("Whom does it profit?"), as people asked in ancient times. It is not anti-virus developers who profit from making malware.