Long-time Slashdot reader rastos1 works for a mid-size software company that for many decades has been developing CAD-CAM software for the textile industry. But last weekend their code-signing certificate was revoked — and they’re looking for advice.
On Monday morning we woke up to phones ringing from confused customers unable to launch our software. This has hit mostly Java applications launched from a web page because JRE checks the signature by default using OCSP. But traditional executables and shared libraries also would report invalid signature upon checking.
We reached out, but for half a day we could not get any feedback. Later we got information that some malware was signed with our certificate. Two days and many e-mails and phone calls later, we understand that this is what happened: someone submitted one of our executables to virustotal.com — a site that runs ~70 antivirus programs on submitted files and reports back whether they flag the uploaded file. Five of their antivirus packages flagged our executable. We tracked down the version and we positively know it was a false positive.
There is a random guy that wrote a tool that creates a monthly report of files flagged at Virustotal. Sectigo found the report, and, according to their statement, revoked all certificates used to sign executables — causing major disruption to us and downtime for our customers… There was no attempt to contact us and clarify the situation.
How do you prepare and deal with such a scenario? Did you know how little it takes to get your certificate revoked?
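One preparation the story above points at: the vendor learned of the revocation from customers whose JRE had already queried OCSP. Polling the responder named in your own code-signing certificate, as in this added example (not part of the submission or of any vendor's tooling), turns that into an internal alert. It assumes openssl(1) on PATH and placeholder file names cert.pem (your leaf certificate) and issuer.pem (the CA certificate that signed it).

```shell
#!/bin/sh
# Added example: watch the OCSP status of your own code-signing certificate
# so a revocation shows up in your monitoring before it shows up in your
# customers' launch failures. cert.pem / issuer.pem are placeholder names.

# Reduce `openssl ocsp` output to one word: good, revoked, unknown or error.
# $1 = cert file name as it appears in the output; stdin = openssl output.
ocsp_status_from_output() {
    cert="$1"
    status=$(sed -n "s|^${cert}: \([a-z]*\).*|\1|p" | head -n 1)
    case "$status" in
        good|revoked|unknown) echo "$status" ;;
        *) echo "error" ;;   # responder error, verify failure, no output
    esac
}

# Pull the revocation reason line (only present for a revoked cert).
ocsp_reason_from_output() {
    sed -n 's/^[[:space:]]*Reason: *//p' | head -n 1
}

# Ask the responder listed in the cert's AIA extension and report.
# Exit 0 = good, 2 = revoked, 1 = anything else, so cron/alerting can act.
check_code_signing_cert() {
    cert="$1"; issuer="$2"
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri | head -n 1)
    [ -n "$url" ] || { echo "no OCSP URI in $cert" >&2; return 1; }
    out=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" 2>&1)
    status=$(printf '%s\n' "$out" | ocsp_status_from_output "$cert")
    case "$status" in
        good)    echo "$cert: good"; return 0 ;;
        revoked) reason=$(printf '%s\n' "$out" | ocsp_reason_from_output)
                 echo "$cert: REVOKED (${reason:-no reason given})"; return 2 ;;
        *)       echo "$cert: $status"; printf '%s\n' "$out" >&2; return 1 ;;
    esac
}

# Usage: sh ocsp-watch.sh cert.pem issuer.pem   (e.g. from a daily cron job)
if [ "$#" -eq 2 ]; then
    check_code_signing_cert "$1" "$2"
fi
```

A `good` answer only means the responder has not published a revocation yet; keep the poll interval short enough that a silent revocation like the one described above reaches you within hours, not days.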
They’d bought their certs from the same seller for more than a decade — and their story has already drawn some interesting comments from long-time Slashdot readers. “False positives are way too common in the anti-virus world today…” argues Z00L00K, adding “you have to cut down all unnecessary players in the chain to a minimum, so the dependency on an external CA is worth reconsidering.”
sjames — Slashdot reader #1,099 — agrees. “If you must depend on another entity, make sure they’re small enough that they would actually care if they lost you as a customer.” And Martin S. simply recommends talking to a lawyer, adding “This is a legal problem, not a technology problem.”
But what’s your advice? Leave your best thoughts in the comments.
What should you do when your certificate authority suddenly revokes your cert?