zlacker

[return to "Leaked stolen Nvidia cert can sign Windows malware"]
1. pintxo+k8 2022-03-05 11:26:02
>>Zuider+(OP)
If a corp like Nvidia cannot manage to store code-signing certs on hardware only, the whole process is broken beyond repair. What's the value of signed code going forward?
2. Genbox+9f 2022-03-05 12:27:22
>>pintxo+k8
There is a hint of frequency illusion here. Millions of code signing certificates are stored securely on hardware devices or by other means. A leak of a private key every now and then does not negate the security of the entire ecosystem.
3. pintxo+Nj 2022-03-05 13:08:32
>>Genbox+9f
Is there any proof that most others store their certificates on hardware?
4. Genbox+Kv 2022-03-05 14:40:14
>>pintxo+Nj
What gruez said is correct. Hardware tokens have been mandated for EV certificates for a long time by providers to prevent leaks.

I'll also add that Amazon Key Management Service, Azure Key Vault, and Google Key Management Service store several hundred million private keys combined with no leaks so far (they are non-exportable and access is audited).

It is very rare that we see malware signed by a publisher's certificate, which is why it is in the news every time it happens.

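The distinction comment 4 draws, a key that lives in a file versus a key that is non-exportable and whose every use is audited, is easy to show in code. The following is an added example written for this page; it is not code from any commenter, from Nvidia, or from any KMS vendor. It uses Ed25519 from Go's standard library instead of the RSA/Authenticode chain Windows actually uses, and `HardwareKey` is a software simulation of a token or KMS: the type, the `Audit` log format, the `ErrNonExportable` error and the `LeakAndForge` attacker helper are all hypothetical names introduced here. The point it demonstrates is that signature verification only sees the publisher's public key, so a signature made with a stolen file key verifies exactly like a legitimate one; the only control that distinguishes the two is custody of the private key and an audit trail of who asked it to sign.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"time"
)

// ErrNonExportable is the answer a token or KMS gives to any attempt to read
// the private key out of the device. (Hypothetical name, for illustration.)
var ErrNonExportable = errors.New("private key is non-exportable")

// AuditEntry records one use of a custodied key: who asked, when, and the
// digest of what was signed. (Hypothetical format, for illustration.)
type AuditEntry struct {
	When   time.Time
	Caller string
	Digest [sha256.Size]byte
}

// FileKey models a code-signing key kept as a PEM file on a build host.
// Anyone who can read the file can copy it; that is the leak scenario.
type FileKey struct{ priv ed25519.PrivateKey }

func NewFileKey() (*FileKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &FileKey{priv: priv}, nil
}

func (k *FileKey) Public() ed25519.PublicKey { return k.priv.Public().(ed25519.PublicKey) }
func (k *FileKey) Sign(payload []byte) []byte  { return ed25519.Sign(k.priv, payload) }

// ExportPEM is what makes a file-stored key leakable: the complete private
// key leaves the signer's control as ordinary bytes.
func (k *FileKey) ExportPEM() ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(k.priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// HardwareKey simulates a hardware token or cloud KMS key: the private key
// bytes are never handed out, and every signing request is logged.
type HardwareKey struct {
	priv  ed25519.PrivateKey // exists only inside the simulated device
	Audit []AuditEntry
}

func NewHardwareKey() (*HardwareKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HardwareKey{priv: priv}, nil
}

func (k *HardwareKey) Public() ed25519.PublicKey { return k.priv.Public().(ed25519.PublicKey) }

// Sign is the only way to use the key, and it always leaves an audit entry.
func (k *HardwareKey) Sign(caller string, payload []byte) []byte {
	k.Audit = append(k.Audit, AuditEntry{When: time.Now(), Caller: caller, Digest: sha256.Sum256(payload)})
	return ed25519.Sign(k.priv, payload)
}

// ExportPEM always fails: no API path returns the key material.
func (k *HardwareKey) ExportPEM() ([]byte, error) { return nil, ErrNonExportable }

// LeakAndForge plays the attacker: copy the PEM off the build host, parse it,
// and sign an arbitrary payload with the publisher's own key.
func LeakAndForge(victim *FileKey, payload []byte) ([]byte, error) {
	leaked, err := victim.ExportPEM()
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(leaked)
	if block == nil {
		return nil, errors.New("no PEM block in leaked material")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	priv, ok := parsed.(ed25519.PrivateKey)
	if !ok {
		return nil, errors.New("leaked key is not Ed25519")
	}
	return ed25519.Sign(priv, payload), nil
}

func main() {
	fk, _ := NewFileKey()
	malware := []byte("constructed payload: not a real binary")
	sig, _ := LeakAndForge(fk, malware)
	// The verifier only holds the publisher's public key, so it cannot tell
	// that a thief produced this signature.
	fmt.Println("forged signature verifies:", ed25519.Verify(fk.Public(), malware, sig))

	hk, _ := NewHardwareKey()
	_, err := hk.ExportPEM()
	fmt.Println("export from hardware key:", err)
	hk.Sign("ci-pipeline", []byte("driver.sys"))
	fmt.Printf("audit entries: %d, caller=%s\n", len(hk.Audit), hk.Audit[0].Caller)
}
```

Run it with `go run` and the forged signature verifies as true, while the simulated hardware key refuses export and records the one legitimate signing call. A real token or KMS adds what this simulation cannot: the key material is physically or logically unreachable from the host, so the `ExportPEM` refusal is enforced by the device rather than by Go's field visibility.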
5. hulitu+PB3 2022-03-06 18:39:02
>>Genbox+Kv
No leaks does not imply security.