NEVER trust Trusted Third Party (application signing)


You might have seen complaints from Windows Defender, like “unknown publisher”.

And if you are a developer, you do not want this message to be displayed, so you have to buy a certificate from a so-called “trusted third party”, and voilà.

But... from the end user’s point of view, does it even make any sense?

These “trusted” companies check NOTHING that matters to the end user.

All they do is google the company name. That’s all.

You can do it yourself, and you can do it better.

  • Do they check the package for viruses? NO!
  • Will anyone be responsible if the app damages your data? NO! Every license agreement has a “disclaimer” section.
  • Will the “trusted” third party be responsible? Of course not.
  • Does it guarantee that the copy is legal and not pirated or modified? NO! In most companies literally everyone has access to these certificates. Why? Because, from the company’s point of view, the sole purpose of this certificate is to suppress the Windows Defender warning. So nobody cares. If the certificate leaks, the company won’t lose anything valuable.

In fact, self-signed applications are more secure. At least no “trusted” third party has access to the certificate.

So if (if!) the company wants to prevent supply-chain attacks, it can.
Will the company benefit from preventing supply-chain attacks? 🤔

Also, checksums will actually work better. An attacker would have to compromise both the app and the company website.
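One way to do the checksum check described above, as an added example that is not part of the original post: the script below hashes a downloaded file and compares it with a SHA256SUMS list in the format that `sha256sum` prints. The file names, the list contents and the installer bytes are constructed for the demonstration; the only real value is the well-known SHA-256 digest of the string "abc". The point it illustrates is that a swapped download fails the check unless the published list is swapped too.

```python
# Added example (not from the original post): verify a downloaded installer
# against a SHA256SUMS list published on the vendor's website.
from __future__ import annotations

import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse the 'hash  filename' lines produced by `sha256sum`."""
    entries: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")  # sha256sum prefixes binary-mode names with '*'
        if len(digest) != 64:
            continue  # not a SHA-256 hex digest; ignore the line
        entries[name] = digest.lower()
    return entries


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, sums_text: str) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for the file at `path`.

    'unlisted' is kept separate from 'mismatch': a file missing from the
    published list has simply not been verified, while a file whose hash
    disagrees with the list is actively suspicious.
    """
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    actual = sha256_file(path)
    # compare_digest does not leak the position of the first differing byte
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo() -> dict[str, str]:
    """Run the three outcomes on constructed files in a temporary directory."""
    # Constructed SHA256SUMS content; b"abc" has the well-known digest below.
    sums = (
        "# SHA256SUMS as it would be published on the vendor site (constructed)\n"
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  setup.exe\n"
    )
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "setup.exe")
        with open(genuine, "wb") as f:
            f.write(b"abc")  # stands in for the genuine installer
        results["genuine"] = verify_download(genuine, sums)

        os.mkdir(os.path.join(tmp, "tampered"))
        tampered = os.path.join(tmp, "tampered", "setup.exe")
        with open(tampered, "wb") as f:
            f.write(b"abc\x00")  # same name, one byte appended
        results["tampered"] = verify_download(tampered, sums)

        unlisted = os.path.join(tmp, "setup-beta.exe")
        with open(unlisted, "wb") as f:
            f.write(b"abc")  # correct bytes, but no entry in the list
        results["unlisted"] = verify_download(unlisted, sums)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The "attacker has to hack both" argument only holds if the SHA256SUMS list is fetched from the vendor’s own site over HTTPS, not from the same mirror or download page as the installer; a list served next to the file verifies nothing more than that the mirror is consistent with itself.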

So it is a good idea to check the package for viruses.

For example, here you can check it before downloading: https://www.virustotal.com/gui/home/url

Especially if the app is signed with a certificate issued by a “trusted” third party.

The only argument “trusted” third-party companies have for trusting these “trusted” certificates is: if a company can pay, that company is probably big enough to trust.

REALLY?

As if we can’t remember any big company that added backdoors, spied on users, collected personal data, sold that data to everyone who asked, made unexpected modifications to your disk, etc., etc.

What am I talking about, things like that never happened. That’s just an imaginary situation, which has nothing in common with reality.