Mele20 Premium join:2001-06-05 Hilo, HI kudos:4 | reply to Name Game
Re: Adobe's code signing certificate has been stolen
From your link:
"The three affected applications are Adobe Muse, Adobe Story AIR applications, and Acrobat.com desktop services."
Flash Player wasn't involved. That article is irrelevant as far as to why Adobe has allowed the code signing cert for the CURRENT Flash Player to lapse today.
OT but what is that weird address you used? If ANYBODY but YOU had posted shit like that I would not have gone there. Post a normal address please in the future.
-- When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

StuartMW Who Is John Galt? Premium join:2000-08-06 Galt's Gulch kudos:2
said by Mele20: From your link: That article is irrelevant as far as to why Adobe has allowed the code signing cert for the CURRENT Flash Player to lapse today.
Agreed. As to why Adobe chose to use a soon-to-expire certificate--who knows. But as I showed above they use multiple certificates. Again I'm not sure why. Different divisions within the company perhaps. Or maybe they use randomly selected certificates to match their randomly generated programming
-- Don't feed trolls--it only makes them grow!

Name Game Premium join:2002-07-07 North Myrtle Beach, SC kudos:7 | reply to Mele20
Trusted root certificates that are required by Windows 2000, by Windows XP, and by Windows Server 2003
Some certificates that are listed in the previous tables have expired. However, these certificates are necessary for backward compatibility. Even if there is an expired trusted root certificate, anything that was signed by using that certificate before the expiration date requires that the trusted root certificate be validated. As long as expired certificates are not revoked, they can be used to validate anything that was signed before their expiration.
For more information about how to remove root certificates from the store, click the following article number to view the article in the Microsoft Knowledge Base: 293819 How to remove a root certificate from the Trusted Root Store
»support.microsoft.com/kb/293781
-- Gladiator Security Forum »www.gladiator-antivirus.com/

Mele20 Premium join:2001-06-05 Hilo, HI kudos:4 | reply to StuartMW
Aside from Adobe's motives, or whatever with them, why does the Properties box claim the cert is "OK" when I downloaded Flash Player installer AFTER the expiration time today? The cert is NOT "OK" and that is a bit scary that the Properties box claims otherwise.
As for Adobe using multiple certs with different expiration dates for the same Flash Player version that is crazy and certainly not of benefit to the user. (But then since when has Adobe been concerned with benefiting the user?)

StuartMW Who Is John Galt? Premium join:2000-08-06 Galt's Gulch kudos:2 | reply to Name Game
said by Name Game: As long as expired certificates are not revoked, they can be used to validate anything that was signed before their expiration.
Yup, but IMO it's bad practice to use a certificate that will expire within weeks. But as Blackbird said that version of Flash would be stale/moldy by then anyway.

StuartMW Who Is John Galt? Premium join:2000-08-06 Galt's Gulch kudos:2 | 1 edit | reply to Mele20
said by Mele20: The cert is NOT "OK" and that is a bit scary that the Properties box claims otherwise.
I posted the explanation of that above. The message didn't say the cert was ok, it said the signature was ok! They're different things.
cert ==> used to create digital signature
cert != digital signature

Name Game Premium join:2002-07-07 North Myrtle Beach, SC kudos:7 | 3 edits | reply to Mele20
My cert for the Google Chrome Adobe Flash does not expire until Dec 2012 as I recall.
It is a 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 which is a compromised cert... I could care less since we already know the files out there in the wild that used this cert and they certainly are not Adobe stuff..

StuartMW Who Is John Galt? Premium join:2000-08-06 Galt's Gulch kudos:2 | 1 edit | reply to Mele20
said by Mele20: As for Adobe using multiple certs with different expiration dates for the same Flash Player version that is crazy...
+100

Mele20 Premium join:2001-06-05 Hilo, HI kudos:4 | reply to Name Game
I figured it out. I didn't pay enough attention to the fact there is a countersigner to the Adobe digital signature that has expired. The countersigner is Symantec Time Stamping Countersigner and it doesn't expire until December 31, 2012.

Name Game Premium join:2002-07-07 North Myrtle Beach, SC kudos:7 | 1 edit
Purpose for that one is to attest the thing was signed with the current time.
The Adobe cert purpose was to..
. Ensures software came from the software publisher and
. Protects the software from alteration after publication

StuartMW Who Is John Galt? Premium join:2000-08-06 Galt's Gulch kudos:2
said by Name Game: The adobe cert purpose was to..
. Ensures software came from the software publisher and
. Protects the software from alteration after publication
Exactly.
And to get back to the original topic, the fact that a legitimate Adobe certificate was used to sign malware is important because
1) The package seems to originate from Adobe.
2) The package was not altered.
The whole point of digital signing is to show that the package is legitimate and can be trusted. If certs are stolen (as in the Microsoft case) or can be used for signing (Adobe case) they become useless IMO.

AVD Respice, Adspice, Prospice Premium join:2003-02-06 Onion, NJ kudos:1
said by StuartMW: The whole point of digital signing is to show that the package is legitimate and can be trusted. If certs are stolen (as in the Microsoft case) or can be used for signing (Adobe case) they become useless IMO.
only if revoked
-- --Standard disclaimers apply.--

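Added example (not part of any post above, and not Adobe's or Microsoft's code): a simplified Python model of the rule discussed in this thread, that a signature still shows as "OK" after the signing certificate expires when a timestamp countersignature places the signing inside the validity period and the certificate is not revoked. The dates, the `Signature` fields and the all-or-nothing revocation flag are assumptions made for illustration; real verifiers also validate the timestamp authority's own chain.

```python
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Optional


@dataclass
class Signature:
    cert_not_before: datetime      # signing certificate validity start
    cert_not_after: datetime       # signing certificate expiry
    cert_revoked: bool             # certificate is listed as revoked
    digest_matches: bool           # file hash equals the signed hash
    timestamp: Optional[datetime]  # countersigned signing time, if any


def evaluate(sig: Signature, now: datetime) -> str:
    """Verdict for a signature checked at time `now` (simplified model)."""
    if not sig.digest_matches:
        return "invalid: file altered after signing"
    if sig.cert_revoked:
        return "invalid: certificate revoked"
    # A timestamp lets the verifier judge the certificate at signing time;
    # without one, only the verification time is available.
    reference = sig.timestamp if sig.timestamp is not None else now
    if sig.cert_not_before <= reference <= sig.cert_not_after:
        return "ok"
    if sig.timestamp is None:
        return "invalid: certificate not valid now and no timestamp"
    return "invalid: timestamp outside certificate validity"


# Constructed sample: certificate expires 2012-10-04, the file was signed and
# timestamped two weeks earlier, and it is checked the day after expiry.
SAMPLE = Signature(datetime(2010, 10, 5), datetime(2012, 10, 4),
                   False, True, datetime(2012, 9, 20))
CHECKED_AT = datetime(2012, 10, 5)


def cases() -> dict:
    """Evaluate the sample and three variations of it."""
    return {
        "timestamped": evaluate(SAMPLE, CHECKED_AT),
        "no_timestamp": evaluate(replace(SAMPLE, timestamp=None), CHECKED_AT),
        "revoked": evaluate(replace(SAMPLE, cert_revoked=True), CHECKED_AT),
        "late_timestamp": evaluate(
            replace(SAMPLE, timestamp=datetime(2012, 10, 6)), CHECKED_AT),
    }


if __name__ == "__main__":
    for name, verdict in cases().items():
        print(f"{name:15} {verdict}")
```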