An alarming growth in malware signed with fraudulently obtained keys and code-signing certificates in order to trick users to download harmful code is prompting Microsoft and Symantec to push for tighter controls in the way the world's certificate authorities issue these keys used in code-signing.
It's not just stolen keys that are the problem in code-signed malware but "keys issued to people who aren't who they say they are," says Dean Coclin, senior director of business development in the trust services division at Symantec.
Coclin says China, Brazil and South Korea are the hot spots today where the problem of malware signed with certificates and keys obtained from certificate authorities is the worst right now. "We need a uniform way to vet companies and individuals around the world," says Coclin. He says that doesn't really exist today for certificates used in code-signing, but Microsoft and Symantec are about to float a plan that might change that.
Code-signed malware appears to be aimed mostly at Microsoft Windows and Java, maintained by Oracle, says Coclin, adding that malicious code-signing of Android apps has also quickly become a lawless "Wild West."
Under the auspices of the Certificate Authority/ Browser Forum, an industry group in which Microsoft and Symantec are members, the two companies next month plan to put forward what Coclin describes as proposed new "baseline requirements and audit guidelines" that certificate authorities would have to follow to verify the identity of purchasers of code-signing certificates. Microsoft is keenly interested in this effort because "Microsoft is out to protect Windows," says Coclin.
These new identity-proofing requirements will be detailed next month in the upcoming CAB Forum document from its Code-Signing Group. The underlying concept is that certificate authorities would have to follow more stringent practices related to proofing identity, Coclin says.
The CAB Forum includes the main Internet browser software makers, Microsoft, Google, Opera Software and The Mozilla Foundation, combined with many of the major certificate authorities, including Symantec's own certificate authority units Thawte and VeriSign, which earlier acquired GeoTrust.
Several other certificate authorities, including Comodo, GoDaddy, GlobalSign, Trustwave and Network Solutions, are also CAB Forum members, plus a number of certificate authorities based abroad, such as Chunghwa Telecom Co. Ltd., Swisscom, TURKTRUST and TAIWAN-CA, Inc. It's part of a vast and larger commercial certificate authority global infrastructure with numerous sub-authorities operating in a root-based chain of trust. Outside this commercial certificate authority structure, governments and enterprises also use their own controlled certificate authority systems to issue and manage digital certificates for code-signing purposes.
Use of digital certificates for code-signing isn't as widespread as that for SSL, for example, but as detailed in the new White Paper on the topic from the industry group called the CA Security Council, code-signing is intended to assure the identity of software publishers and ensure that the signed code has not been tampered with.
Sign up for CIO Asia eNewsletters.