Quick Links: SpywareGuide Greynets Blog | SpywareGuide Product Database | SpywareGuide Company Database | SpywareGuide Categories
Search SpywareGuide Database & Site
Security Email Alerts & Updates
SpywareGuide powered by FaceTime Security Labs

You "Thawte" You Were Safe

by Wayne Porter

Back Ground for New Users

Thawte (operated by Verisign) is a company that supplies digital signatures. According to Thawte a Code Signing Certificate is an important solution for developers because it providing an authenticated 'digital signature' that guarantees two important aspects:

  • The publisher: The software really comes from the publisher who signed it . Publishers most go through a process to verify their identity and that they are who they say they are.
  • The content: The software has not been altered or corrupted, and is therefore safe to install and run.

    A digital signature allows a company to sign active content for secure electronic distribution over the Internet such as ActiveX, Macros and Java Applets. You may have seen the small dialogue boxes that come up and prompt you to continue downloading or to stop the installation because the content has not been verified. There is another small checkbox that users can check if they always want to trust content from the software publisher.

    But how much protection does this really extend to an end user? Are end users really ?safe?? In Thawte?s defense they claim to only be an identify verification firm. This means they are simply checking that the firm that issued the code is a real and viable entity. In reality there is very little trust extended beyond this because Thawte refuses to review or take action when code is being used in a dubious fashion.

    In one instance our coder actually talked to Thawte about a publisher, from Poland, who was distributing a form of malware using a Thawte signed digital certificate. Our complaints fell on deaf ears. As far as Thawte was concerned the publisher had satisifed their requirements by verifying their identity with Thawte. Thawte is not concerned with what the publisher was doing with their code, even if the effects of the software were obviously malevolent.

    The lesson to take away from this article is that digital signatures ONLY verify that the code is coming from a verified source- a source only verified by the issuer of the certificate. It is up to the end user to decide whether or not this source is trusted. As is the case with many advertising driven software companies that trust can be questionable. Use caution and research the company or the source before you click the install button.

  • Unless otherwise noted this article is Copyright © 2014 by FaceTime Communications, Inc. This article may not be resold, reprinted, or redistributed for compensation of any kind without prior written permission from FaceTime Communications, Inc. For reprint or media inquires please contact us with the phrase "Spyware Guide Articles" in the subject line and we will by happy to assist you. Links to this article from other websites are appreciated and encouraged. Users are also encouraged to utilize our RSS system to provide unique content and extracts for their site.

    Read other articles (back to full list)

    Help with the BUST!
    Click here and give us what details you have and let our international research team take it from there. If you desire your report will remain anonymous.
    Recent Blog Posts

    There was an error communicating with the requested site.

    Recent Modifications
    2013-7-20  Date Manager
    2013-4-10  BeeBus
    2012-12-18  JT.Moonwalk
    2012-12-18  Sadbiz
    2012-12-18  Troj.GoogleBot
    2012-12-18  W32.Licat Worm
    2012-11-16  CoolWebSearch
    2012-6-21  AntiSpywareXP
    2012-6-21  Bget
    2012-6-21  Dloader.cao.1
     

    Site EULA | Site Map | Contact Us | About Us | Site and Spyware FAQ | Advertise | RSS Feeds  | Link To Us | SpywareGuide Japan Japanese

    © Copyright 2007, FaceTime Communications, Inc. All rights reserved.