zlacker

[return to "Leaked stolen Nvidia cert can sign Windows malware"]
1. pintxo+k8 2022-03-05 11:26:02
>>Zuider+(OP)
If a corp like Nvidia cannot manage to store code signing certs on hardware only, the whole process is broken beyond repair. What’s the value of signed code going forward?
2. Genbox+9f 2022-03-05 12:27:22
>>pintxo+k8
There is a hint of frequency illusion here. Millions of code signing certificates are stored securely on hardware devices or by other means. A leak of a private key every now and then does not negate the security of the entire ecosystem.
3. pintxo+Nj 2022-03-05 13:08:32
>>Genbox+9f
Is there any proof that most others store their certificates on hardware?
4. gruez+Mu 2022-03-05 14:32:21
>>pintxo+Nj
Hardware tokens are mandated for EV code signing certificates[1], but not for regular certificates. However, the certificate was from a while ago, so that requirement probably wasn't a thing back then.

[1] https://www.digicert.com/signing/code-signing-certificates "REQUIRES TWO-FACTOR AUTHENTICATION USING HARDWARE TOKEN"
