The myth of the safety of signed code

This is commonly accepted wisdom: When I download and install an application on my computer (any platform) it is a accepted wisdom that if the application is signed with a recognized and valid certificate, I am practicing safe download and my computer isn’t going to be damaged.


This belief is so entrenched that I will probably be labelled as “just doesn’t get it” by the cognecenti for saying that the emperor has no clothes. In many cases for most users, there’s no additional safety.


When users download an application that is not validly signed, they get various forms of ominous warnings about their computer being exposed to grave danger. So far so good.


However if the certificate is valid, the speed bump is removed, they are happily told that the application was signed by for example “Microsoft Corporation.” and if they trust Microsoft they can download in comfort.


That’s the myth. There’s the flaw. Why? Two reasons: first, many people use software from lesser known companies… Let’s say the message is “… if you trust software from Matrix Software in Madrid Spain” then you can download in comfort. Even if you think you know Matrix Software, you certainly don’t know whether in Madrid has other companies called Matrix Technology, or Matrix Inc., or Matrix Systems, each of which could be a malware producer.


Second, related reason: Let’s say the message is “… if you trust software from Sun in London, U.K. …” then you can download in comfort. How do you know if this is the Sun Microsystems that you thin it’s about?


The myth is promulgated every time a user is reminded that it’s dangerous to run unsigned or not validly certified software and that it’s perfectly safe to run certified software. As you can see, it’s pretty easy for a malware provider to sign their software with a valid certificate and get the help from the OS vendors in gaining undeserved trust from end users.


Why has no one called out this myth for what it is? The emperor has no clothes!

Posted on June 29, 2005 and filed under Technology.