prj
« Reply #15 on: October 25, 2023, 08:40:29 AM »

> Oh please. We have had an EV certificate for 10 years, and many, many things go unsigned. The token is in the office and things are compiled remotely and must be delivered 'now'... ;-)

The token can also be in the cloud: https://docs.digicert.com/en/digicert-keylocker.html

> Anyway - code signing without EV can be ordered by somebody. For me, it has the same value as an unsigned thing.

The only difference is that the non-EV can also be bought by a natural person (with full identity verification). EV is company only. But then, you can get an EV cert as a sole trader as well. Not sure how it is the same as "unsigned" - for any code cert to be issued, the full credentials of the person have been verified by the CA. In case of ordering for a legal person they verify both the legal entity owner as a natural person as well as the legal entity itself. I would say when it is given to a natural person then that person is even more on the hook for shit they sign.

> In my opinion the cost (money and time) of EV minimizes the risk of signing everything as it comes.

Since this year there is almost no difference in cost anymore. Before, the standard cert used to cost $70/year because you could use it without an HSM. Now you have to have an HSM token for the standard one as well. The only difference these days between EV and non-EV is the initial SmartScreen reputation, which makes zero difference after your entity is trusted, and this trust in my experience comes quite quickly; I think it took me a month or so initially. I mean it this way: now, because there is almost no price or technical difference between EV and non-EV, you might as well get an EV cert. Before, there used to be a continuous 3x price difference in something that takes less than a month to solve forever.
« Last Edit: October 25, 2023, 08:45:24 AM by prj »

K2d33
« Reply #16 on: October 25, 2023, 10:17:13 AM »

I hate clouds.

> The only difference is that the non-EV can also be bought by a natural person (with full identity verification). EV is company only. But then, you can get an EV cert as a sole trader as well. Not sure how it is the same as "unsigned" - for any code cert to be issued, the full credentials of the person have been verified by the CA. In case of ordering for a legal person they verify both the legal entity owner as a natural person as well as the legal entity itself.
> I would say when it is given to a natural person then that person is even more on the hook for shit they sign. Since this year there is almost no difference in cost anymore. Before, the standard cert used to cost $70/year because you could use it without an HSM. Now you have to have an HSM token for the standard one as well. The only difference these days between EV and non-EV is the initial SmartScreen reputation, which makes zero difference after your entity is trusted, and this trust in my experience comes quite quickly; I think it took me a month or so initially.
> I mean it this way: now, because there is almost no price or technical difference between EV and non-EV, you might as well get an EV cert. Before, there used to be a continuous 3x price difference in something that takes less than a month to solve forever.

Not exactly. A personal code signing certificate can be 'ordered' with a 'stolen' ID card and a 'faked personality'. EV certificate validation is performed via government data, so the company must exist and all data must be valid and current. Personally, a personal code signing certificate for me has the same value as a Let's Encrypt SSL certificate on a website. Nice, because communication between my browser and the server is encrypted, but this is not a place where I will leave my personal data, my card number, etc. In any case, when someone wants to 'infect' a computer with malicious code, they will probably use a zero-day bug and more advanced technology than signing the code with their own certificate (they would probably use a stolen cert/token/cloud account). Moreover, there have been situations in history where the NSA and other agencies used stolen certificates to sign drivers and applications... In this situation an application signed with an EV code signing certificate is more dangerous (because a 100% trojan has a valid code signature) compared to a random unsigned application downloaded from the internet.

prj
« Reply #17 on: October 25, 2023, 11:18:18 AM »

> A personal code signing certificate can be 'ordered' with a 'stolen' ID card and a 'faked personality'. EV certificate validation is performed via government data, so the company must exist and all data must be valid and current.

This is the same for a non-EV certificate when the certificate is issued to a company. It always has been. The existence and the owner of the company are verified via government data. In the past the difference between EV and non-EV for companies was that EV came on an HSM and gave instant SmartScreen reputation to the publisher. These days the difference is only the SmartScreen reputation. If you already established SmartScreen reputation in the past and are extending an already existing certificate, then you are already a "trusted publisher" for Microsoft. The fact that the certificate is now also on an HSM, like the non-EV variant, means that it is also harder to steal - this was the real issue with non-EV certs before (but not since this year anymore). It's also the reason why the difference between EV and non-EV is now like 20% of the price while it used to be 300%.

> In any case, when someone wants to 'infect' a computer with malicious code

There was a tool posted on ecuconnections that read Bosch numbers from a file. Also of course anonymous and unsigned. Except it was also gathering the WinOLS data folder and uploading all ols files to a Google Drive account. The credentials were in the binary. There was a very large amount of data on there....

d3irb
« Reply #18 on: October 25, 2023, 01:06:47 PM »

> There was a tool posted on ecuconnections that read Bosch numbers from a file. Also of course anonymous and unsigned. Except it was also gathering the WinOLS data folder and uploading all ols files to a Google Drive account. The credentials were in the binary. There was a very large amount of data on there....

I don't really get how code signing makes a difference in this threat model? I'm all for code signing (as I'm sure you are aware, I have signed all of my releases), but there's no reason that clown couldn't have signed a malicious WinOLS stealer. Maybe if the stars aligned right and the moon phase was correct the issuer would have revoked their certificate for malicious behavior, but I highly doubt this as even high assurance EV signed device drivers with giant backdoors and vulnerabilities are allowed to proliferate everywhere. Code signing is surely good (for example, if I download VehiCAL, it is signed, and I trust you, and know you signed it, so there's no reason for me to audit it more, I'll just run it). But if the author is some random, it doesn't really matter IMO. The only solution here is to build from source yourself if available, sandbox, or RE the app and do an audit. And without source available auditing is too much work, so I'm sure as hell not using any binaries posted on nef.

prj
« Reply #19 on: October 25, 2023, 01:10:59 PM »

> I don't really get how code signing makes a difference in this threat model? I'm all for code signing (as I'm sure you are aware, I have signed all of my releases), but there's no reason that clown couldn't have signed a malicious WinOLS stealer. Maybe if the stars aligned right and the moon phase was correct the issuer would have revoked their certificate for malicious behavior, but I highly doubt this as even high assurance EV signed device drivers with giant backdoors and vulnerabilities are allowed to proliferate everywhere.

Unless the certificate was stolen, then it is known exactly who signed it and who made this malicious piece of software. So there is responsibility, versus downloading an unsigned blob from someone completely anonymous. Yes, both can do you wrong; however, you can sue one, but not the other. Making a fraudulent piece of software (which is illegal in many places on its own) and then putting your name on it is some special kind of stupid.
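The two positions in the last two posts (a signature is attribution, not a safety guarantee; an unsigned blob has no accountable publisher at all) can be turned into a check you run before executing a download. The PowerShell function below is an added example written for this thread, not code from any poster or from any of the tools mentioned. It relies only on the built-in Get-AuthenticodeSignature cmdlet and the Windows certificate stores; the file path at the bottom is a placeholder. It reports who signed the binary, whether the chain validates, whether the signing certificate carries the CA/Browser Forum EV code-signing policy OID (2.23.140.1.3, which is the technical marker behind the EV versus non-EV distinction argued about above), and whether the signature is timestamped.

```powershell
# Added example (not from the thread): inspect the Authenticode signature on a
# Windows binary and report what the signature does and does not tell you.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows, and a file
# path you supply; the path used at the bottom is a placeholder.

function Get-CodeSignReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # CA/Browser Forum policy OID carried by EV code-signing certificates.
    $evCodeSigningOid = '2.23.140.1.3'

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $report = [ordered]@{
        Path             = $Path
        Status           = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        StatusMessage    = $sig.StatusMessage
        Signer           = $null                # subject DN of the leaf certificate
        SignerThumbprint = $null                # pin this and compare on the next release
        Issuer           = $null
        NotAfter         = $null
        IsEV             = $false
        Timestamped      = $false
        TimestampBy      = $null
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $report.Signer           = $cert.Subject
        $report.SignerThumbprint = $cert.Thumbprint
        $report.Issuer           = $cert.Issuer
        $report.NotAfter         = $cert.NotAfter

        # The Certificate Policies extension (OID 2.5.29.32) lists the policy
        # OIDs; the EV code-signing OID shows up in its decoded text.
        $policyExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
        if ($policyExt) {
            $text = $policyExt.Format($true)
            $report.IsEV = [bool]($text -match [regex]::Escape($evCodeSigningOid))
        }
    }

    # A timestamp countersignature keeps the signature verifiable after the
    # signing certificate expires; without it the signature goes stale.
    if ($sig.TimeStamperCertificate) {
        $report.Timestamped = $true
        $report.TimestampBy = $sig.TimeStamperCertificate.Subject
    }

    [pscustomobject]$report
}

# Usage: read the report before deciding whether to run the file.
$r = Get-CodeSignReport -Path 'C:\Downloads\tool.exe'   # placeholder path
$r | Format-List

switch ($r.Status) {
    'Valid' {
        if (-not $r.Timestamped) {
            Write-Warning 'Signed but not timestamped: the signature stops validating when the certificate expires.'
        }
        Write-Host "Signed by: $($r.Signer) (EV: $($r.IsEV)). A valid signature proves who signed these bytes, not what they do."
    }
    'NotSigned' {
        Write-Warning 'Unsigned: no accountable publisher. Build from source, sandbox, or audit before running.'
    }
    default {
        Write-Warning "Signature problem ($($r.Status)): $($r.StatusMessage)"
    }
}
```

A Valid status answers exactly one question: did the key belonging to the certificate shown under Signer sign exactly these bytes? It says nothing about the behaviour of the code, which is d3irb's point; what it does give you is a named publisher and a thumbprint you can pin and compare against the next release, which is prj's. HashMismatch means the file was altered after signing, and NotTrusted means the chain does not reach a root your machine trusts; both are reasons to stop rather than to click through.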

_nameless
« Reply #20 on: October 26, 2023, 03:23:07 AM »

dbg made quick work of this anyways lol

jcsbanks
« Reply #21 on: October 26, 2023, 04:59:00 AM »

Going through this for a new company, under the new arrangements since June 2023, it did end up over $800 for a 3-year certificate with an HSM, and we're not there yet with the telephone validation (because like many companies we don't do business over the phone and are not listed in US-centric phone directories) and might have to get a professional opinion letter written (not just confirming the phone number), taking the cost well over $1000. Still, it is a small part of the cost of making something worthwhile that people trust if you are running it as a company, even though companies with multiple premises, more employees than I ever want, trading for multiple years and bringing in lots of revenue don't always do it. I really need it because I do stuff with encryption and networks and light up the heuristics on potentially unwanted software or bad behaviour like a dashboard on a 25-year-old, badly maintained and badly modified 1.8T. It seems the controversy in this thread is the nature of what is being offered and whether it is a business or not.

prj
« Reply #22 on: October 26, 2023, 05:17:10 AM »

$800 for 3 years is not $1000 as OP claims lol. That's 3x cert + 1x token. I had zero issues with my validation, done in a day. Also in the EU you are required to have a phone number listed in the terms of service if you are offering any services as a company. This comes from consumer protection rights. AFAIK the UK also has these in force, and your website/privacy policy actually isn't compliant or GDPR compliant, because it does not list the required rights... Maybe the UK has it different though after Brexit, no idea. I have found the EVC privacy policy to be exemplary: https://www.evc.de/en/imprint/privacy.asp
« Last Edit: October 26, 2023, 05:23:13 AM by prj »

jcsbanks
« Reply #23 on: October 26, 2023, 05:28:11 AM »

No longer in the UK and not in the EU, but GDPR does apply. We avoid processing any customer data except that required to process an order. Thanks for the info, we'll check and if we need to publish one on our website we will. I think our other company that was UK based did have one, and thankfully people didn't call it for irrelevant technical support - that is my main fear. Our main requests for phone numbers from customers are unrelated to the delivery of our products and services.

jcsbanks
« Reply #24 on: October 26, 2023, 05:41:54 AM »

It is actually a good prompt to get our policies checked and updated, so will get that done, thanks. I do notice that many German websites particularly have an "imprint" that is particularly verbose like the one for EVC (and as I understand is mandated) that I don't see in other jurisdictions.

prj
« Reply #25 on: October 26, 2023, 06:29:16 AM »

> It is actually a good prompt to get our policies checked and updated, so will get that done, thanks. I do notice that many German websites particularly have an "imprint" that is particularly verbose like the one for EVC (and as I understand is mandated) that I don't see in other jurisdictions.

Imprint (Impressum) is something else; it's a German-only requirement. In the EU, if you are providing services to natural persons you must have a whole bunch of stuff in the TOS. If you process any data that falls under the GDPR, you must have a Privacy Policy with a bunch of mandated stuff to comply with the GDPR. The TOS must have your company phone number in it. It does not matter if this phone number goes to voice mail all the time; there is no requirement to ever answer it. Just that it has to be there.

jcsbanks
« Reply #26 on: October 26, 2023, 06:44:29 AM »

Noted.
Sectigo have refused our phone number verification as the only third party source of it was listed in the Chamber of Commerce and they want it in a government list (they don't keep them) or a type of phone directory that isn't available here. So we have to do the professional opinion letter and it is rather involved because it isn't just verifying the phone number.
It was much easier distributing a device from which the software was downloaded.

jcsbanks
« Reply #27 on: October 26, 2023, 07:20:59 AM »

There is some local listing site that appears to have no actual verification that could be used, but it is box ticking like the business phone that goes to answer phone for other requirements.

jcsbanks
« Reply #29 on: October 30, 2023, 01:09:48 PM »

Great deal, thanks. I might need it as a fallback as still awaiting phone approval with Sectigo. I wanted to go with Sectigo because I found a working method that uses an HSM with Visual Studio publish and I've adopted that method for version control/updates.