Sunday 20 September 2015

Code-Signing Keys

I'm aware of several instances where the private, code-signing key of a company has been compromised. But D-Link seems to have saved the bad guys some effort by publishing their private key themselves:


Three concerns immediately spring to mind:

1) Why aren't companies putting in the proper controls to protect their private keys from both malicious attack and accidental disclosure.

2) Why don't Microsoft / Apple / Symantec / CAs etc. have the correct checks in place to ensure these companies and the whole ecosystem are properly secured.

3) Once there is a compromise, where are the processes to respond with the issue in a timely manner, for example revoking the compromised certificates / notification etc.?

No comments:

Post a Comment