You "Thawte" You Were Safe
by Wayne Porter
Background for New Users

Thawte (operated by Verisign) is a company that supplies digital signatures. According to Thawte, a Code Signing Certificate is an important solution for developers because it provides an authenticated 'digital signature' that guarantees two important aspects:

The publisher: The software really comes from the publisher who signed it. Publishers must go through a process to verify their identity and that they are who they say they are.

The content: The software has not been altered or corrupted, and is therefore safe to install and run.

A digital signature allows a company to sign active content for secure electronic distribution over the Internet, such as ActiveX controls, macros and Java applets. You may have seen the small dialogue boxes that come up and prompt you to continue downloading or to stop the installation because the content has not been verified. There is another small checkbox that users can check if they always want to trust content from that software publisher. But how much protection does this really extend to an end user? Are end users really 'safe'?

In Thawte's defense, they claim only to be an identity verification firm. This means they are simply checking that the firm that issued the code is a real and viable entity. In reality there is very little trust extended beyond this, because Thawte refuses to review or take action when code is being used in a dubious fashion. In one instance our coder actually talked to Thawte about a publisher, from Poland, who was distributing a form of malware using a Thawte-signed digital certificate. Our complaints fell on deaf ears. As far as Thawte was concerned, the publisher had satisfied their requirements by verifying their identity with Thawte. Thawte is not concerned with what the publisher does with their code, even if the effects of the software are obviously malevolent.
The lesson to take away from this article is that digital signatures ONLY verify that the code is coming from a verified source, a source verified only by the issuer of the certificate. It is up to the end user to decide whether or not this source is trusted. As is the case with many advertising-driven software companies, that trust can be questionable. Use caution and research the company or the source before you click the install button.
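The distinction the article draws, a signature that is cryptographically valid versus a publisher you have actually decided to trust, can be made explicit in a check of your own. The following PowerShell is an added example, not code from the original article or from Thawte; it assumes a Windows host, uses the built-in Get-AuthenticodeSignature cmdlet, and the file path and the thumbprints in the allowlist are placeholders you must replace with publishers you have vetted yourself.

```powershell
# Added example: treat a valid Authenticode signature as necessary, not sufficient.
# A valid status only establishes origin (identity checked by the CA) and integrity
# (the file is unmodified); the trust decision is made against a local allowlist.
function Test-PublisherTrust {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $TrustedThumbprints
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        Path            = $Path
        SignatureStatus = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer          = $null
        Thumbprint      = $null
        Decision        = 'Reject'
        Reason          = $null
    }

    if ($sig.Status -ne 'Valid') {
        # Unsigned, tampered (HashMismatch) or a broken chain: neither origin nor
        # integrity is established, so there is nothing to base trust on.
        $result.Reason = "signature status is $($sig.Status)"
    }
    else {
        $result.Signer     = $sig.SignerCertificate.Subject
        $result.Thumbprint = $sig.SignerCertificate.Thumbprint

        if ($TrustedThumbprints -contains $sig.SignerCertificate.Thumbprint) {
            $result.Decision = 'Allow'
            $result.Reason   = 'valid signature AND signer is on the local allowlist'
        }
        else {
            # This is the case the article describes: the CA verified the publisher's
            # identity and the file is intact, yet nothing says the publisher is
            # trustworthy. That judgement stays with you, not with the certificate.
            $result.Reason = 'valid signature, but the signer is not a publisher you have vetted'
        }
    }

    [pscustomobject]$result
}

# Placeholder allowlist (constructed): replace with thumbprints of publishers you reviewed.
$TrustedThumbprints = @('<THUMBPRINT-OF-A-PUBLISHER-YOU-VETTED>')

Test-PublisherTrust -Path 'C:\Downloads\installer.exe' -TrustedThumbprints $TrustedThumbprints |
    Format-List
```

Run it against any downloaded installer: a file that reports SignatureStatus Valid but Decision Reject is exactly the situation the article warns about, a verified identity you have not chosen to trust.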
Unless otherwise noted this article is Copyright © 2008 by FaceTime Communications, Inc.