<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: thawte]]></title>
    <link>http://securityratty.com/tag/thawte</link>
    <description></description>
    <pubDate>Thu, 02 Aug 2007 11:12:18 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Free Certificate Reissuance From VeriSign]]></title>
      <link>http://securityratty.com/article/efb481208ef9b0e30c0410f3cd14b3f4</link>
      <guid>http://securityratty.com/article/efb481208ef9b0e30c0410f3cd14b3f4</guid>
      <description><![CDATA[Owing to the recent severe bug in Debian's OpenSSL implementation, VeriSign is offering free reissuance of certificates. Patching the flawed software is not enough: certificates containing public...]]></description>
      <content:encoded><![CDATA[Owing to <a href="http://blogs.eweek.com/cheap_hack/content/networking/debian_openssl_blunder_1.html">the recent severe bug in Debian's OpenSSL implementation</a>, VeriSign is offering <a href="https://blogs.verisign.com/ssl-blog/2008/05/the_debian_keypairs_security_f.html">free reissuance of certificates</a>.

Patching the flawed software is not enough: certificates containing public keys generated by the buggy versions of OpenSSL have to be revoked and replaced with new copies generated by fixed versions of the software. For customers of trusted certificate authorities this also means having the CA resign the certificate.

CAs normally charge for revoking and replacing certificates, but because a software error is involved, VeriSign is not charging for revocation and replacement of VeriSign, Thawte, GeoTrust, and RapidSSL SSL Certificates. <a href="https://blogs.verisign.com/ssl-blog/2008/05/free_reissuance_for_code_signi.html">This includes code signing certificates</a> as well as SSL certificates.]]></content:encoded>
      <pubDate>Sat, 17 May 2008 03:20:37 +0000</pubDate>
      <category domain="http://securityratty.com/tag/verisign">verisign</category>
      <category domain="http://securityratty.com/tag/software error">software error</category>
      <category domain="http://securityratty.com/tag/software">software</category>
      <category domain="http://securityratty.com/tag/rapidssl ssl">rapidssl ssl</category>
      <category domain="http://securityratty.com/tag/openssl implementation">openssl implementation</category>
      <category domain="http://securityratty.com/tag/recent severe bug">recent severe bug</category>
      <category domain="http://securityratty.com/tag/openssl">openssl</category>
      <category domain="http://securityratty.com/tag/ssl">ssl</category>
      <category domain="http://securityratty.com/tag/buggy versions">buggy versions</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/292238908/free_certificate_reissuance_from_verisign_1.html">Free Certificate Reissuance From VeriSign</source>
    </item>
    <item>
      <title><![CDATA[Certify your Software Integrity with thawte Code Signing Certificates]]></title>
      <link>http://securityratty.com/article/9122b3019afedcfb2427b61573b5f2c6</link>
      <guid>http://securityratty.com/article/9122b3019afedcfb2427b61573b5f2c6</guid>
      <description><![CDATA[(Source: Thawte) This guide will show you how Code Signing Certificates are used to secure code that can be downloaded from the Internet. You will also learn how these certificates operate with...]]></description>
      <content:encoded><![CDATA[<b>(Source: Thawte)</b> This guide will show you how Code Signing Certificates are used to secure code that can be downloaded from the Internet. You will also learn how these certificates operate with different software platforms.]]></content:encoded>
      <pubDate>Fri, 16 May 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/code">code</category>
      <category domain="http://securityratty.com/tag/secure code">secure code</category>
      <category domain="http://securityratty.com/tag/software platforms">software platforms</category>
      <category domain="http://securityratty.com/tag/thawte">thawte</category>
      <category domain="http://securityratty.com/tag/source">source</category>
      <category domain="http://securityratty.com/tag/internet">internet</category>
      <category domain="http://securityratty.com/tag/guide">guide</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/291878410/whitepapers.do">Certify your Software Integrity with thawte Code Signing Certificates</source>
    </item>
    <item>
      <title><![CDATA[Securing your Online Data Transfer with SSL]]></title>
      <link>http://securityratty.com/article/7d8b0dcdb86233e6af89c3d629d36376</link>
      <guid>http://securityratty.com/article/7d8b0dcdb86233e6af89c3d629d36376</guid>
      <description><![CDATA[(Source: Thawte) A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive...]]></description>
      <content:encoded><![CDATA[<b>(Source: Thawte)</b> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.]]></content:encoded>
      <pubDate>Fri, 16 May 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/ssl">ssl</category>
      <category domain="http://securityratty.com/tag/web server">web server</category>
      <category domain="http://securityratty.com/tag/customers confidence">customers confidence</category>
      <category domain="http://securityratty.com/tag/increase business">increase business</category>
      <category domain="http://securityratty.com/tag/safe">safe</category>
      <category domain="http://securityratty.com/tag/source">source</category>
      <category domain="http://securityratty.com/tag/thawte">thawte</category>
      <category domain="http://securityratty.com/tag/application">application</category>
      <category domain="http://securityratty.com/tag/guide">guide</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/291827558/whitepapers.do">Securing your Online Data Transfer with SSL</source>
    </item>
    <item>
      <title><![CDATA[Extended Validation SSL Certificates]]></title>
      <link>http://securityratty.com/article/1b0b4d91201fc700f8309d83b736b9e8</link>
      <guid>http://securityratty.com/article/1b0b4d91201fc700f8309d83b736b9e8</guid>
      <description><![CDATA[(Source: Thawte) Extended Validation SSL delivers the acknowledged industry standard for the highest level of online identity assurance processes for SSL certificate issuance. Find out how the EV...]]></description>
      <content:encoded><![CDATA[<b>(Source: Thawte)</b> Extended Validation SSL delivers the acknowledged industry standard for the highest level of online identity assurance processes for SSL certificate issuance. Find out how the EV standard increases the visibility of authentication status through the use of a green address bar in the latest high security web browsers.]]></content:encoded>
      <pubDate>Fri, 16 May 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/ssl">ssl</category>
      <category domain="http://securityratty.com/tag/validation ssl delivers">validation ssl delivers</category>
      <category domain="http://securityratty.com/tag/security web browsers">security web browsers</category>
      <category domain="http://securityratty.com/tag/address bar">address bar</category>
      <category domain="http://securityratty.com/tag/authentication status">authentication status</category>
      <category domain="http://securityratty.com/tag/industry standard">industry standard</category>
      <category domain="http://securityratty.com/tag/standard increases">standard increases</category>
      <category domain="http://securityratty.com/tag/source">source</category>
      <category domain="http://securityratty.com/tag/visibility">visibility</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/291843294/whitepapers.do">Extended Validation SSL Certificates</source>
    </item>
    <item>
      <title><![CDATA[The cost of a code signing certificate]]></title>
      <link>http://securityratty.com/article/bb1a56c3092cb7ac3ae54e5275f075cf</link>
      <guid>http://securityratty.com/article/bb1a56c3092cb7ac3ae54e5275f075cf</guid>
      <description><![CDATA[In my recent post about Windows Live OneCare Firewall and Security, I mentioned that code signing certificates aren't cheap. If you look at the major vendors like VeriSign and Thawte, you'll find...]]></description>
      <content:encoded><![CDATA[<p>In <a href="http://pluralsight.com/blogs/keith/archive/2008/01/10/49871.aspx">my recent post</a> about <a href="http://onecare.live.com">Windows Live OneCare</a> Firewall and Security, I mentioned that code signing certificates aren't cheap. If you look at the major vendors like <a href="http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html">VeriSign</a> and <a href="https://www.thawte.com/ssl-digital-certificates/code-signing/index.html">Thawte</a>, you'll find they charge between $500 and $300 for a cert that's valid for a year.</p> <p><a href="http://www.scottseely.com/blog">Scott</a> commented that you can get cheap code-signing certs, as <a href="http://www.wintellect.com/cs/blogs/jrobbins/archive/2007/12/21/code-signing-it-s-cheaper-and-easier-than-you-thought.aspx">Jon Robbins points out</a>. 80 bucks sounds like quite a deal, but a quick look at Jon's post reveals that a cheap code signing cert isn't as easy to use as one issued by the big dogs:</p> <blockquote> <p><em>I had some trouble with registration process at Comodo. Make sure you add https://secure.comodo.net to the list of trusted sites in Internet Explorer so they can properly get you registered <strong>and install their trusted root certificate on your computer</strong>.</em></p></blockquote> <p>It's not just ease of use that I'm worried about here though. What's it mean to ask your customer to install a CA certificate into her trusted root store? 
I'm thinking of a nontechnical person like my mother - what's she going to think when she's asked to approve something that looks like this (the dialog that pops up on Windows XP when you try to install a cert into the trusted root store):</p> <p><a href="http://www.pluralsight.com/keith/images/blogged/trusted_root_container_warning.jpg" target="_blank"><img src="http://www.pluralsight.com/keith/images/blogged/trusted_root_container_warning_thumb.jpg"></a> </p> <p>(click image to enlarge)</p> <p>If you find that your customers tend to choose the default option here, "NO", your code signing cert won't be trusted, which begs the question, why didn't you save yourself the 80 bucks and simply issue your own code signing cert via Windows built-in <a href="http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx" target="_blank">Certificate Services</a>?</p> <p>And even worse, what does it mean if you find that your customers tend to choose, "YES"? That leads to the philosophical question: what use is PKI anyway if the end user doesn't understand it? If every software vendor creates one of those web pages (I'm sure you've seen them) instructing users on what to do when they see the above dialog ("press YES"), then ultimately what's the cost to the consumer?</p> <p>I don't like <a href="http://en.wikipedia.org/wiki/Tithe" target="_blank">tithing</a> to my certificate authority any more than the next guy, but buying a "cheap" cert is more costly in the long term. If you need a cheap certificate for testing or for personal reasons, issue it yourself! If you need a real certificate, your best bet is to stick with a vendor that your customers already "trust", for better or for worse.</p>]]></content:encoded>
      <pubDate>Thu, 17 Jan 2008 04:31:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/code">code</category>
      <category domain="http://securityratty.com/tag/cheap">cheap</category>
      <category domain="http://securityratty.com/tag/cheap code">cheap code</category>
      <category domain="http://securityratty.com/tag/cert">cert</category>
      <category domain="http://securityratty.com/tag/root store">root store</category>
      <category domain="http://securityratty.com/tag/root">root</category>
      <category domain="http://securityratty.com/tag/philosophical question">philosophical question</category>
      <category domain="http://securityratty.com/tag/issue">issue</category>
      <category domain="http://securityratty.com/tag/install">install</category>
      <source url="http://pluralsight.com/blogs/keith/archive/2008/01/17/49950.aspx">The cost of a code signing certificate</source>
    </item>
    <item>
      <title><![CDATA[Windows Live OneCare Firewall and Software]]></title>
      <link>http://securityratty.com/article/2dca4952359c1557d37d43d6017edd38</link>
      <guid>http://securityratty.com/article/2dca4952359c1557d37d43d6017edd38</guid>
      <description><![CDATA[I've recently installed Windows Live OneCare and generally have been very happy with it. I'm using the Family Safety option to help my kids access the Internet safely. But one thing that's been...]]></description>
      <content:encoded><![CDATA[<p>I've recently installed Windows Live OneCare and generally have been very happy with it. I'm using the Family Safety option to help my kids access the Internet safely. But one thing that's been bugging me is the outbound firewall.</p> <p>If your software is signed with a code signing cert issued by an authority that is trusted on the machine (e.g., Thawte, Verisign, etc.) you're good, because the firewall will automatically allow your software to access the Internet. But if you don't want to shell out the hundreds of $$$ it takes to get one of these certs, especially for homebrew software, you might try to do what I did and tell the OneCare firewall about your app. Under Advanced Settings, you can point at your EXE file and tell the firewall to allow it to make outbound connections. Sadly this doesn't seem to work very consistently. Here's a sample program that I could sometimes get this to work for, and sometimes not:</p><tt><p>using System;<br>using System.Net;</p><p>class FetchMicrosoftHomePage {<br>    static void Main() {<br>        byte[] data;<br>        try {<br>            // A single outbound HTTP request is all it takes to trigger the firewall<br>            data = new WebClient().DownloadData("http://www.microsoft.com");<br>            Console.WriteLine("Microsoft's home page is {0} bytes long", data.Length);<br>        }<br>        catch (WebException x) {<br>            // Blocked or failed connections surface here<br>            Console.WriteLine(x);<br>        }<br>    }<br>}</p></tt> <p>I've spent about an hour trying to figure out why I can only sporadically get the firewall to recognize this program, and I'm done now. FWIW, when it's not recognized, the firewall outputs a log message like this (you need to turn on detailed logging to see this, BTW):</p> <p><img src="/keith/images/blogged/onecare_and_unknown_outbound_apps.jpg"> </p> <p>There's a lot of people who will argue that an outbound firewall is useless, especially for non-techies. And a lot of people will argue the opposite point. 
I'm not here to argue either of these points, but I can say that this type of behavior makes it pretty hard for even highly technical people to use.</p> <p>Since I'm personally in the, "outbound firewalls aren't that useful" camp, I fixed the problem on my own machine by adding four rules that allow all outbound TCP and UDP connections to all ports (I figured I needed four, since each rule only allows one protocol and you have to pick between local subnet vs. Internet). Then I shut off the prompts for "blocking" programs and everything seems to be working fine. But I wonder how many software developers will be running into deployment problems in home environments where lots of users are running this firewall.</p>]]></content:encoded>
      <pubDate>Thu, 10 Jan 2008 04:37:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/firewall">firewall</category>
      <category domain="http://securityratty.com/tag/onecare firewall">onecare firewall</category>
      <category domain="http://securityratty.com/tag/software">software</category>
      <category domain="http://securityratty.com/tag/outbound firewall">outbound firewall</category>
      <category domain="http://securityratty.com/tag/firewall outputs">firewall outputs</category>
      <category domain="http://securityratty.com/tag/windows live onecare">windows live onecare</category>
      <category domain="http://securityratty.com/tag/homebrew software">homebrew software</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/highly technical people">highly technical people</category>
      <source url="http://pluralsight.com/blogs/keith/archive/2008/01/10/49871.aspx">Windows Live OneCare Firewall and Software</source>
    </item>
    <item>
      <title><![CDATA[Orphaned Symantec Root Certificates]]></title>
      <link>http://securityratty.com/article/52d02e6e62a13d7328634d13921076a0</link>
      <guid>http://securityratty.com/article/52d02e6e62a13d7328634d13921076a0</guid>
      <description><![CDATA[For my recent column on code signing I took a close look at the Trusted Root Certificates dialog on one of my Vista systems and noticed something odd. The selected certificate is one of two Symantec...]]></description>
      <content:encoded><![CDATA[For my recent column on code signing I took a close look at the Trusted Root Certificates dialog on one of my Vista systems and noticed something odd. 

<img alt="symcerts.jpg" src="http://blogs.eweek.com/cheap_hack/symcerts.jpg" width="519" height="475" />

The selected certificate is one of two Symantec certificates. Three things are of interest, and you can see the first two in the picture: The purposes for the certificate are "<All>". Usually certificates are listed as being used for a more limited set of purposes, such as server authentication or code signing. Also note that the "Friendly Name" field is empty. This means that the certificate was a "roll your own" version generated by Symantec themselves rather than one issued by a trusted certificate authority like VeriSign or Thawte.

But the really interesting thing is that there are no Symantec products on this system. There had been some on it but <a target="_blank" href="http://www.appscout.com/2007/05/who_killed_my_computer_part_2.php">I removed them after they made the system unstable</a>. I used the <a target="_blank" href="http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?OpenDocument">Norton Removal Tool</a>, which is supposed to do a complete lobotomy on Symantec products on the system, to uninstall them. (Symantec conceded that the problem was caused initially by a bad update they pushed down. By the time a fix was issued I was already fed up and removed the software.)

So it looks like the Norton Removal Tool leaves the certificates on the system. This is probably not that much of a risk, although it would be better if the certificates weren't there (I'll remove them myself later). The attack scenario, I guess, is that someone at Symantec loans their private key to their brother-in-law who uses it to sign malware, which shows up to the user as having been signed by Symantec.

Not likely I guess. It does underscore how, to trust a signature, you really need to look up the certification path. Since it's unrealistic to expect normal users to do that the system as a whole (at least on 32-bit Windows) is disappointing. Things are a little different on 64-bit Windows.]]></content:encoded>
      <pubDate>Thu, 02 Aug 2007 11:12:18 +0000</pubDate>
      <category domain="http://securityratty.com/tag/symantec">symantec</category>
      <category domain="http://securityratty.com/tag/symantec products">symantec products</category>
      <category domain="http://securityratty.com/tag/system unstable">system unstable</category>
      <category domain="http://securityratty.com/tag/symantec loans">symantec loans</category>
      <category domain="http://securityratty.com/tag/system">system</category>
      <category domain="http://securityratty.com/tag/norton removal tool">norton removal tool</category>
      <category domain="http://securityratty.com/tag/expect normal users">expect normal users</category>
      <category domain="http://securityratty.com/tag/vista systems">vista systems</category>
      <category domain="http://securityratty.com/tag/sign malware">sign malware</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/140048297/orphaned_symantec_root_certificates.html">Orphaned Symantec Root Certificates</source>
    </item>
  </channel>
</rss>
