Next Generation Code Signing: Keeping malware off of your system
Code signing has been around forever and was the initial step to keeping personal computer systems secure. The concept is simple: have developers digitally sign their code before it’s released so that if it turns out to be malware, we can determine who signed it and when. Then we call the FBI, arrest the malware author and clean up our machines. On the surface this sounds pretty straightforward, but
Over the last few years, it was discovered that stolen code signing certificates have been used to sign malware. No one knows for sure how the certificates were stolen, but most likely the private keys, which were stored on developers' PCs, were not protected with strong passwords and were compromised. Those keys were then used to sign code such as Stuxnet. Stolen keys undermine code signing, and something had to be done about that.
Most people have heard of Extended Validation (EV) SSL certificates: an SSL certificate that browsers display differently, with a green bar indicating that the site has undergone a more thorough background check, which gives the user more confidence in the website’s identity. What if we could apply similar principles to code signing? What if developers had to pass a stringent vetting process and could only install a code signing certificate on an approved hardware token? What would we call such a process? Well, how about “EV Code Signing”!
Given its roots as the first CA to issue code signing certificates in the 1990s, it’s only natural that Symantec would be one of the first Certificate Authorities to offer a more secure, Extended Validation Code Signing certificate. Now that the Certificate Authority/Browser Forum (CABF) has put forth industry-wide EV Code Signing standards, Symantec continues to lead the industry by issuing EV Code Signing certificates to support improved security for developers worldwide.
While we issue the certificates to developers, the operating systems, browsers, and security software that interact with developers’ applications need to be able to recognize signatures from EV Code Signing certificates as well. We are proud to partner with Microsoft to make this product work, as Microsoft is the first vendor to adopt the CABF standards for EV Code Signing. John Scarrow, Microsoft’s General Manager – Safety Services, sums it up well:
“We are pleased to support the certificate authority industry’s introduction of Extended Validation (EV) Code Signing Certificates. EV Code Signing Certificates are a step forward to help ensure developer identity, code signing security, and user safety ... Given these advances, EV signed applications can immediately establish reputation with Microsoft’s SmartScreen® Application Reputation services in Internet Explorer 9, Internet Explorer 10 and Windows 8. Microsoft is committed to user safety and simplification of trust decisions while ensuring excellent opportunities for Windows developers.”
As John mentions, code signed by an EV Code Signing certificate can now establish initial reputation in Microsoft’s SmartScreen Application Reputation services in Internet Explorer 9, Internet Explorer 10, and Windows 8 even if the file or certificate has no prior download history. No SmartScreen warning messages are shown when running downloaded programs with established reputation.
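The following PowerShell function is an added example, not code from the original post or from Symantec or Microsoft. It shows how a Windows administrator can check a downloaded executable from the receiving end: whether its Authenticode signature verifies, who signed it, whether it was timestamped, and whether the signing certificate carries the CA/Browser Forum EV Code Signing policy identifier (OID 2.23.140.1.3, stated in the CABF EV Code Signing guidelines rather than on this page). The file path is a placeholder, and the function assumes Windows PowerShell 3.0 or later, which provides Get-AuthenticodeSignature and the TimeStamperCertificate property.

```powershell
# Added example (not from the original post): inspect a file's Authenticode
# signature and report whether the signer certificate is an EV Code Signing
# certificate. The EV policy OID 2.23.140.1.3 comes from the CA/Browser Forum
# EV Code Signing guidelines; the file path used in the usage line is a placeholder.

function Test-EvCodeSignature {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Get-AuthenticodeSignature validates the signature and the certificate chain
    # against the machine's trust store; Status is Valid, NotSigned, HashMismatch,
    # NotTrusted, and so on.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        Path          = $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = $null
        Issuer        = $null
        Timestamped   = $false
        EvCodeSigning = $false
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer = $cert.Subject
        $result.Issuer = $cert.Issuer

        # A countersignature from a timestamp authority lets the signature stay
        # valid after the signing certificate expires.
        $result.Timestamped = ($null -ne $sig.TimeStamperCertificate)

        # The Certificate Policies extension (OID 2.5.29.32) lists each policy as
        # "Policy Identifier=<oid>" in its formatted text; look for the EV OID there.
        $policyExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
        if ($policyExt) {
            $policyText = $policyExt.Format($true)
            $result.EvCodeSigning = [bool]($policyText -match 'Policy Identifier=2\.23\.140\.1\.3')
        }
    }

    [pscustomobject]$result
}

# Usage (placeholder path): a Status of Valid together with EvCodeSigning = True
# means the file was signed with an EV Code Signing certificate that chains to a
# trusted root on this machine.
Test-EvCodeSignature -Path 'C:\Downloads\installer.exe' | Format-List
```

Note that this check only establishes that the signature is valid and that the certificate was issued under the EV policy; whether the private key actually lived on an approved hardware token is something only the issuing CA's vetting enforces, and a valid signature says nothing about what the code does. Run it on the file before executing it, and treat a HashMismatch or NotTrusted status as a reason to stop.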
So, protect your reputation! Ensure your customers download safe code! And help streamline user experiences by signing with an EV Code Signing certificate. Your customers will appreciate it, and ultimately your business will as well.
See our website for more information on the product and to download our white paper on Extended Validation Code Signing.