Website Security Solutions
Showing posts tagged with Code Signing
DeanJC | 13 Aug 2012 | 0 comments

Code signing has been around forever and was the initial step to keeping personal computer systems secure. The concept is simple: have developers digitally sign their code before it’s released so that if it turns out to be malware, we can determine who signed it and when. Then we call the FBI, arrest the malware author and clean up our machines. On the surface this sounds pretty straightforward, but

Over the last few years, it was discovered that stolen code signing certificates have been used to sign malware. No one knows for sure how the certificates were stolen but most likely, the private keys, which are stored on PCs, were not protected with good passwords and were hacked. Those keys were then used to sign code such as Stuxnet. Stolen keys undermine code signing and something had to be done about that.

Most people have heard of Extended Validation (EV) SSL certificates; an SSL certificate which displays differently in the browser, utilizing a...

AllenKelly | 17 May 2012 | 0 comments

Author: Dean Coclin, Senior Director of Business Development at Symantec

Today, I had the opportunity to meet over a hundred talented developers at AnDevCon 2012 during my session on “Challenges in Code Signing and Key Security.”

Android has quickly become one of the most popular operating systems for mobile devices. It’s amazing how this ecosystem has changed. Only 5 years ago, Symbian was the #1 smartphone OS in the world and now its market share has dwindled down to a much smaller number. Five years ago we were also carrying around our Palm Treo devices, a company that no longer even exists and their WebOS has been literally thrown away by HP, their new parent.

It’s been an interesting month in the Bay Area as tech giants Oracle and Google battled each other in court over whether Android contains unlicensed portions of Java™. But while the...

FranRosch | 16 Mar 2012 | 2 comments

Yesterday Kaspersky Lab posted on their research blog that they had discovered a Trojan dropper file in the wild. The malicious code, designed to commit click fraud, was signed by a legitimately issued VeriSign code signing certificate. This was a result of private keys being compromised at one of our customers. The code signing certificate used to sign the malicious code was authenticated and issued by VeriSign to a legitimate organization. The certificate has since been revoked, as it appears that the private keys, which were controlled by the customer, have been compromised.

Allow me to emphasize that Symantec takes these situations very seriously. We’re working closely with the customer to resolve their security issue and to ensure that they are taking precautions and applying best practices for private key before we re-issue another code signing certificate to them. Symantec employs the highest levels of stringent authentication for every certificate we issue....

RyanWhite | 28 Apr 2011 | 0 comments

The Online Trust Alliance (OTA), one of the biggest proponents for Extended Validation SSL Certificates (EV SSL) in the security community, recently announced a new set of guidelines that any business or technical decision maker should consider within their security environments.

The guidelines, titled Security by Design, provide an outline for best practices regarding the treatment of consumer data. They explain that when collecting consumer data, businesses need to ensure they are protecting user data and avoiding any type of security incident breakdown---something we've seen frequently in recent weeks.

Here are the first 5 steps to Security by Design:

1. Create a cross-...

RyanWhite | 19 Apr 2011 | 0 comments

Browser root ubiquity is an important requirement when deciding on a Certificate Authority (CA) for your SSL Certificates. Many CAs claim 99% browser ubiquity but this claim does not mean that every certificate will activate without triggering a security warning in a browser. Newer or smaller CAs may not have had their roots included in the root store for some browsers. This is especially an issue for older browsers.

VeriSign SSL does not have this issue. All browser manufacturers certainly remember to add VeriSign roots to their root store when new versions of that browser are released.

This is not the case, however, for every SSL Certificate vendor out there. In the past, some CA roots have been left out when a new browser version was released. If a CA's roots are not included in a browser's root store, unsightly error messages can occur -- messages that can motivate users to abandon that session. This leads to lost opportunities for sales and creates dissatisfied...

AllenKelly | 31 Mar 2011 | 0 comments

April Fool's Day is almost here. This annual celebration of silliness has endured largely because of trust - we all know who's playing the jokes on us and that those jokes will be harmless.
Unfortunately, this holiday also presents cyber criminals -- phishers, Web site spoofers and other scammers -- with a lure and smokescreen for their malicious attacks. These felons deliberately misrepresent themselves as legitimate organizations to gain unauthorized access to confidential or proprietary data. Their attacks are anything but playful and painless - rather, they can do incredible harm to industry, government and the citizens they serve.

To better protect the online community, the Online Trust Alliance (OTA) today released its 2011 Top 10 Recommendations to Help Businesses Protect Consumers From Being Fooled. OTA's recommendations provide a good cheat sheet of quick, effective...

AllenKelly | 23 Mar 2011 | 0 comments

This week Mozilla, Microsoft and Google all updated their browser blacklists to include a list of fraudulent SSL certificates issued for the following URLs:

These SSL certificates were issued by a Registration Authority (RA) affiliated with (and trusted by) Comodo, which claims that access to the RA was compromised and a user account was breached. They claim that this RA account was fraudulently used to issue 9 SSL certificates for the URLs above. They also claim that the attack originated from Iran.

Although these fraudulent certificates were revoked, many end users were still exposed to risk. Why? Because the technologies that make sure revoked certificates are not mistakenly validated are either turned off or entirely missing in some users' browsers...

Tim Callan | 19 Mar 2011 | 0 comments

Hello readers. Yesterday was my last day as a Symantec employee, and this entry is my last on Tim Callan's SSL Blog. After nearly seven years at VeriSign/Symantec I am moving on. The transition of the VeriSign authentication business since our acquisition in August 2010 has gone well, and with the approach of a new Symantec fiscal year, it's the right time for me to hand my responsibilities over to the going-forward team and find my own next adventure. I don't know right now what that adventure is, but if you're interested, just follow Tim Callan on Twitter, and I'll let you know. I also am authoring my own, personal blog, Tim Callan on Marketing and Technology, and I...

Tim Callan | 15 Mar 2011 | 0 comments

If you're attending Search Engine Strategies next week in New York City, make sure you come by and see our presentation on how trust indicators drive traffic from search results and maximize click-through rates on landing pages. Trust the link. Trust the Website. Trust the Transaction.