Hackers Steal Opera-Signed Certificate Through Infrastructure Attack 104
wiredmikey writes "Norwegian browser maker Opera Software has confirmed that a targeted internal network infrastructure attack led to the theft of a code signing certificate that was used to sign malware. 'The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser,' Opera warned in a brief advisory. The Opera breach signals a growing shift by organized hacking groups to target the internal infrastructure network at big companies that provide client side software to millions of end users."
Re:The certificate crowd is proven wrong yet again (Score:4, Informative)
The problem is that implementations that are checking the certificate are not requiring third party authenticated signing timestamps.
If the implementations checking certificates required a trusted root signed timestamp with the digital signature in any of those implementations, then expired certificates would be useless.
Certificates can be compromised, but they are far better than passwords people use.
There has yet to be an actual problem with certificates, just bad implementations.
I would love for you to point me at some software that has never had any implementation faults.