From: Peter Gutmann
To: cypherpunks-legacy@lists.cpunks.org
Subject: Re: [cryptography] How are expired code-signing certs revoked?
Date: Fri, 06 Jul 2018 02:31:19 +0000
Message-ID: <172289270816.3881296.6065124725541542140.generated@mail.pglaf.org>

writes:

>One would assume that the effort to get such a signing certificate would
>persuade the bad team to use that cert for targeted attacks, not broadcast
>ones, in which case you would be damned lucky to find it in a place where you
>could then encapsulate it in a signature-based protection scheme.

My post was based on data gathered by a well-known anti-malware company, I'm
just reporting what they found in real-world use.

In any case getting signing certs really isn't hard at all. I once managed it
in under a minute (knowing which Google search term to enter to find caches of
Zeus stolen keys helps :-). That's as an outsider, if you're working inside
the malware ecosystem you'd probably get them in bulk from whoever's dealing
in them (single botnets have been reported with thousands of stolen keys and
certs in their data stores, so it's not like the bad guys are going to run out
of them in a hurry).

Unlike credit cards and bank accounts and whatnot we don't have price figures
for stolen certs, but I suspect it's not that much.

Peter.

----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE