I have no answers for the question, just examples and other questions.
Unless you’ve been living under a rock for the last year, you know that malware writers have been finding holes in the digital certificate system and using them to slip into computers.
What are digital certificates?
A digital certificate is a signed document that binds a public key to an identity, sent along with an electronic message or a piece of software for security purposes. Its most common use is to verify that the party sending a message (or publishing a program) is who they claim to be, and to give the receiver a public key with which to encrypt a reply or check a signature.
A Certificate Authority (CA) issues the certificate by signing the holder’s public key together with identifying information such as their name. The implication is that when you sign a message or a program with the matching private key, the receiving computer can check the signature against the certificate, and the certificate against a CA it already trusts, and recognize the message as coming from an authorized source.
Where this really matters is in updates for programs and operating systems. Say you use an antivirus program that periodically downloads new signature definitions. The nightmare of the security folks is that a malware writer compromises that update channel and slips in an exception for their own brand of malware, or uses a stolen or fraudulently issued certificate to make their own installer look legitimate.
Earlier this year it came out that the Dutch Certificate Authority DigiNotar had been compromised and fraudulent certificates had been issued to questionable parties, which resulted in the closing of the authority. While I took the CA out of the list of acceptable CAs manually in the browser I use, most probably never knew it happened. A later browser update removed it for those who didn’t know and accepted the update. Those who failed to update will still accept that CA as valid.
Having a valid digital certificate is like being issued a get-in-free card. In today’s world of updates and upgrades, most computers rely on the CAs in their trust store to vouch that an update comes from an authorized source. When the signature does not chain to a trusted CA you will usually receive a warning before the update is performed, along with a chance not to continue the install or upgrade.
If the program carries a valid digital certificate, not a peep is heard from the computer. That is exactly the condition the malware writers want.
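To make the mechanism concrete, here is an added example (my own code, not from the original post or from any vendor or CA) that builds a hypothetical root CA, has it issue a code-signing certificate to a made-up "Example AV Vendor", and runs the client-side check an updater performs. It then walks the cases discussed above: a genuine update, a tampered one, a certificate issued by the same CA to an attacker while the CA is still trusted, and what happens once the CA has been pulled from the trust store, as with DigiNotar. All names and the update contents are constructed for the example; only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup errors (key generation, certificate encoding) so the
// scenario code below stays focused on the trust decisions.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint signs a certificate for pub with the signer's private key and returns
// the parsed result; parent == tmpl yields a self-signed certificate.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// newRootCA mints a self-signed root, the thing every browser and OS trust
// store carries a copy of. The returned private key is what a compromised CA leaks.
func newRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return mint(tmpl, tmpl, &key.PublicKey, key), key
}

// issue is the CA signing a subject's public key and name into a code-signing
// certificate. The CA never sees the subject's private key.
func issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, subject string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return mint(tmpl, caCert, &key.PublicKey, caKey), key
}

// signUpdate is the vendor's build step: sign the SHA-256 of the update bytes.
func signUpdate(key *ecdsa.PrivateKey, update []byte) []byte {
	d := sha256.Sum256(update)
	return must(ecdsa.SignASN1(rand.Reader, key, d[:]))
}

// verifyUpdate is the client's check before installing: the signer's certificate
// must chain to a root in this machine's trust store (with a code-signing
// purpose), and the signature must match the bytes actually received.
func verifyUpdate(trust *x509.CertPool, signer *x509.Certificate, update, sig []byte) error {
	opts := x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signer not trusted: %w", err)
	}
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, update, sig); err != nil {
		return fmt.Errorf("signature does not match update contents: %w", err)
	}
	return nil
}

// runScenarios reports, per scenario, whether the client silently accepted the update.
func runScenarios() map[string]bool {
	rootCert, rootKey := newRootCA("Example Root CA") // hypothetical CA, not a real one
	vendorCert, vendorKey := issue(rootCert, rootKey, "Example AV Vendor", 2)
	update := []byte("constructed sample: antivirus signature database")
	sig := signUpdate(vendorKey, update)

	trust := x509.NewCertPool() // the client's trust store, with the root installed
	trust.AddCert(rootCert)
	out := map[string]bool{}
	out["genuine update"] = verifyUpdate(trust, vendorCert, update, sig) == nil

	tampered := append([]byte(nil), update...)
	tampered[0] ^= 0x01 // one flipped bit and the signature no longer matches
	out["tampered update"] = verifyUpdate(trust, vendorCert, tampered, sig) == nil

	// The CA is compromised and issues a certificate in the vendor's name to an
	// attacker. The client has no way to tell it apart from the real one.
	rogueCert, rogueKey := issue(rootCert, rootKey, "Example AV Vendor", 3)
	malware := []byte("constructed sample: malware dressed up as an update")
	rogueSig := signUpdate(rogueKey, malware)
	out["rogue cert, CA still trusted"] = verifyUpdate(trust, rogueCert, malware, rogueSig) == nil

	// A client that removed the CA from its trust store rejects the rogue
	// certificate, and the vendor's genuine one too until it is re-issued by a different CA.
	distrusted := x509.NewCertPool()
	out["rogue cert, CA removed"] = verifyUpdate(distrusted, rogueCert, malware, rogueSig) == nil
	out["genuine update, CA removed"] = verifyUpdate(distrusted, vendorCert, update, sig) == nil
	return out
}

func main() {
	for name, accepted := range runScenarios() {
		fmt.Printf("%-30s accepted=%v\n", name, accepted)
	}
}
```

The third scenario is the whole problem in one line: the attacker's certificate passes every check the client makes, because the client's only question is "did a CA I trust sign this?". The last two show the cost of the fix: pulling the root out of the trust store stops the attacker, but also breaks every honest vendor that chained to that CA until they get new certificates. Revocation lists and OCSP, which are how a CA is supposed to cancel individual certificates, are not modelled here.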
Since the closing of the DigiNotar root CA, it has been discovered that the Malaysian government’s certificate authority had certificates compromised that then showed up in malware being distributed. Comodo at one point had a certificate compromised as well, requiring the certificate to be revoked and reissued.
Most of the information about these compromises comes from articles on the net, including those from F-Secure, a security software company that has been informing the public about these issues.
We have now reached the point where a method that once guaranteed a software change was genuine can no longer be trusted on its own.
What do we replace it with?