
Submission: Asking slashdot: How do you deal with blow from Certificate authority?

rastos1 writes: I work for a mid-size software company that has developed CAD-CAM software for the textile industry for many decades. Last weekend Sectigo (formerly known as COMODO until late 2018) revoked the code signing certificate that our company bought in the beginning of 2018 from a Sectigo reseller and used to sign all our SW products. On Monday morning we woke up to phones ringing from confused customers unable to launch our software. This has hit mostly Java applications launched from a web page because JRE checks the signature by default using OCSP. But also traditional executables and shared libraries would report an invalid signature upon checking. We reached out to Sectigo but for half a day we could not get any feedback. Later we got information that some malware was signed with our certificate. 2 days, many e-mails and phone calls later we understand that this is what happened: someone submitted one of our executables to virustotal.com, a site that runs ~70 antivirus programs on submitted files and reports back whether they flag the uploaded file. 5 of the antivirus packages flagged our executable. We tracked down the version and we positively know it was a false positive. There is a random guy that wrote a tool that creates a monthly report of files flagged at Virustotal. Sectigo found the report and, according to their statement, revoked all certificates used to sign executables flagged by some antivirus, causing major disruption to us and downtime for our customers. We have bought certificates from COMODO/Sectigo for more than a decade, but there was no attempt to contact us and clarify the situation.
How do you prepare for and deal with such a scenario? Did you know how little it takes to get your certificate revoked?
Electronic Frontier Foundation

Submission: 2012 EFF Pioneer Award Winners Names Revealed (eff.org)

An anonymous reader writes: In 2012, EFF Pioneer Award winners are Hardware Hacker Andrew (bunnie) Huang, Anti-ACTA Activist and La Quadrature du Net cofounder Jérémie Zimmermann, and Groundbreaking Anonymity Group Tor. "Every year, our Pioneer Awards celebrate those who have made a difference for digital freedom. We are extraordinarily proud of this year's winners and their unflagging dedication to protecting the rights of technology users around the world," said EFF Executive Director Shari Steele. "Whether it's your right to reverse engineer a game console, or to avoid the interference of overbroad IP enforcement, or to block websites or governments from tracking your every online move, these winners are working hard to protect our online freedom." The 21st edition of the annual EFF Pioneer Awards ceremony will take place September 20 in San Francisco.

Submission: UK man jailed for "offensive tweets" (bbc.co.uk)

Motor writes: "A UK judge has jailed a man for 56 days after he posted offensive comments on twitter about a footballer who had a heart attack during a game. He's also been thrown out of his university degree course weeks from graduating. His comments may have been offensive... but do they really justify a prison sentence and ruining his life?"
