Because everyone knows there’s no 100% security, the security industry easily finds a way out of its shortcomings. That’s how Symantec can get away with basically blaming their customer for a security failure. Now there’s a new screw-up which no one is taking responsibility for: signed malware. After Comodo, now it was DigiCert’s turn to sign a certificate for a front company registered in Brazil.
Unlike Comodo, which remained silent, DigiCert said “the certificate was validated and issued in accordance with industry guidelines.” In other words, the industry guideline says it’s OK to get malware signed and only revoke the certificate afterwards, as long as the company is in a government database somewhere around the world.
The problem is, obviously, one of trust. DigiCert wouldn’t say which steps it took to validate the Brazilian company, except that it was registered with the government.
But that doesn’t work. Companies here in Brazil can be registered very easily. The government has recently made the process a very simple one because the informal economy is too large, and since so many people work for themselves selling handmade products or providing general services, these people need an easy way to create a company.
It’s hard to believe that Brazil is the only country in which registering a company is an easy process. But whether a company is registered or not is the certificate authority’s only concern, and that is enough even to obtain a certificate good for kernel-level code signing.
Is consulting a government database really worth US$ 200 a year?
If this Brazilian malware had had a more limited distribution and remained hidden, like Flame or the Red October campaign malware, it’s unlikely its certificate would ever have been revoked in time to protect anyone.
From the certificate standpoint, it doesn’t matter where the companies are from, and yet there is certainly a very different level of trust that each government database deserves (hint: the Brazilian one doesn’t deserve much). Even EV-SSL knows this, because the country code is shown just after the company name in the address bar. We even have a non-Apple iPhone in Brazil — legally. Is it not possible that someone could register a front company somewhere with a trusted trademark?
The mistake here is to use the same data for different purposes. Countries register companies to allow them to do business. It doesn’t matter too much if the data is not entirely accurate — they can find someone physically responsible. Bigger companies need government-registered accountants to sign their books. But a certificate doesn’t need a company that actually does business in order to exist.
Let’s stop looking at databases and start looking at people. To get a government-approved digital certificate in Brazil, you have to be physically present, sign actual papers with an actual pen, and show IDs. As long as we’re only using bits to trust bits, we’re only fooling ourselves. Thanks to identity theft, we still won’t prevent this from happening, but at least we’ll have something to investigate and someone to question. Right now we have nothing, and a security measure that’s supposed to identify people but creates no risk at all for the attacker has failed.