Certificate Revocation of Signed Malware: The What, When & Why
In this post I discuss signed malware, revocation of certificates used for criminal purposes, and the tradeoffs CAs must face as they establish and enforce certificate practices.
In a recent Ask Slashdot thread a poster writes that Sectigo’s revocation of a certificate used to sign malware has disrupted legitimate business using applications signed by the same certificate. Now is a good time to discuss signed malware, revocation of certificates used for criminal purposes, and the tradeoffs CAs must face as they establish and enforce certificate practices.
Sectigo’s Certificate Practices Statement and license agreement allow the company to revoke any certificate that to our knowledge is being used for illegal or deceptive purposes. Furthermore, the CA/Browser Forum guidelines require such revocation. We believe that the ability to disable abused certificates is an important part of the public certificate ecosystem and that for the general good it is appropriate for a public CA to revoke such certificates upon discovery.
Note that it’s possible for the same certificate to be used for both appropriate and inappropriate purposes at precisely the same time, an outcome that can occur in multiple ways, including:
- A legitimate certificate private key is stolen by a cyber criminal
- An employee or contractor uses a legitimate certificate for inappropriate purposes without the company’s knowledge
- The company’s code, website, or other digital assets are infected with malware, cross-site scripting, or other attacks
In all the above scenarios, it is possible that the misuse of the certificate occurs without the intention or knowledge of the individual who ordered, and in principle is in charge of, the certificate. In fact, it’s even possible that the problem is not caused by compromise of the certificate at all, but rather by an entirely different lapse in the certificate owner’s overall digital security.
To know when one of our Code Signing certificates is used for malware, we rely on credible third parties, including VirusTotal. We cannot depend on self-reporting by certificate owners because they may not know that their certificates or digital properties are compromised or may not be truthful with us. These third parties are the most reliable sources of information about Sectigo certificates used for malware.
As with all outside information sources, we pay attention to their reputation for quality. If the quality of an information source does not meet our standards, we can remove it as a source we trust. This kind of evaluation and updating is a continual part of operating as a public CA.
The original poster has also pointed out that Sectigo did not provide notification upon this revocation. We agree that this is a valid point, and we are reviewing our practices with an eye toward ensuring that we provide as much notification as we are able to when revocation is needed.