BelchSpeak

I can't believe that came from your mouth!

Cyberfail

Code Signing is Worthless

Code signing, the act of having a third party certify that compiled code hasn’t changed, is basically worthless. It was intended to give users peace of mind that no one had tampered with the code they plan to install on a computer. For instance, you want to install the latest version of iTunes? Apple has a signed version, and you can read the certificate, in which multiple external organizations attest that yes, this is the same code that Apple compiled and submitted for verification. But anyone can compile an executable, name it iTunes.exe, and get that code signed by a certificate authority, provided they are willing to pay for it. Sure, it might not come from Apple with an “l,” but how about App1e with a “1”? It’s still signed, so it must be safe, right?

Wrong. Malware authors today are using stolen credit cards and purchasing cheap code signing services from places like Comodo.com. They compile malware, get it code signed, and some organizations that trust signed code will allow such malware to install. Furthermore, Comodo will sign anything without scanning the code for malware, and they don’t even care if you are using someone else’s credit card.

Check out this email exchange I had with a Comodo sales guy named Randy today.

They won’t scan the code to check for malware, but if someone later reports it as malware they might revoke the cert. I made the email sound like I was trying to be as shady as possible, wanting to “avoid trouble” and even told them about a “borrowed” credit card. Comodo’s reply? No problem!

If code signing is supposed to impart trust, and these certificate authorities are signing anything, then there simply is no trust. Therefore code signing is worthless.
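The argument above, that a valid signature alone says nothing about who signed, can be expressed as a policy check that decides on the signer's identity against a pinned list and flags look-alike names such as “App1e”. This is an added example, not code from the original post; the publisher list, character map and sample records are constructed assumptions, and the signer fields are assumed to come from the platform's own signature verification.

```python
# Added example: decide trust from the signer's identity, not from "it is signed".
# The pinned list, character map and sample records are constructed assumptions.

PINNED_PUBLISHERS = {"Apple Inc."}  # exact organization names this site trusts

# Characters commonly swapped to imitate a name (applied after case folding).
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "3": "e", "5": "s"})


def skeleton(name):
    """Fold case, map look-alike characters to one form, drop punctuation and spaces."""
    folded = name.casefold().translate(CONFUSABLES)
    return "".join(ch for ch in folded if ch.isalnum())


PINNED_SKELETONS = {skeleton(p) for p in PINNED_PUBLISHERS}


def evaluate(signature_valid, signer_org, revoked=False):
    """Return a policy verdict for one signed (or unsigned) file."""
    if not signature_valid:
        return "block-unsigned"        # missing or broken signature
    if revoked:
        return "block-revoked"         # CA withdrew the certificate after a report
    if signer_org in PINNED_PUBLISHERS:
        return "allow"                 # exact match on a publisher we chose to trust
    if skeleton(signer_org) in PINNED_SKELETONS:
        return "block-lookalike"       # validly signed, but imitating a pinned name
    return "block-unknown"             # validly signed by someone we never pinned


# Constructed sample records: (file name, signature valid?, signer organization, revoked?)
SAMPLES = [
    ("iTunes.exe", True, "Apple Inc.", False),
    ("iTunes.exe", True, "App1e Inc.", False),
    ("iTunes.exe", True, "Example Software Ltd", False),
    ("iTunes.exe", True, "Apple Inc.", True),
    ("iTunes.exe", False, "", False),
]

if __name__ == "__main__":
    for name, valid, org, revoked in SAMPLES:
        print(f"{name:12} {org!r:24} -> {evaluate(valid, org, revoked)}")
```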

Dr. Jones

Do not talk about fight club. Oops.
