Comment by RandomGerm4n

13 hours ago

That's especially ridiculous because this whole security mechanism that Microsoft is forcing on Windows user doesn't even work. There are tons of leaked certificates and on forums dedicated to game hacking you can find guides on how to get your hands on one yourself. People there use them to write kernel drivers for cheating in games. Game developers often blacklist these in their anti-cheat software so that the game no longer launches on a computer using a driver with that certificate. Microsoft however does not do this and malware developers can then simply use the certificates for their own purposes. So all this nonsense is basically just a restriction on regular users and honest developers while the “bad guys” can get around it.

4 comments

RandomGerm4n

Deathmax 6 hours ago

Microsoft has been taking steps to mitigate the leaked code signing certificate problem.

On the driver side of things, new versions of Windows no longer trust the cross-signed certs, so you must submit your driver to Microsoft to validate and sign, so no private key to go missing. https://techcommunity.microsoft.com/blog/windows-itpro-blog/...

On the regular Authenticode side of things, the new CA/B Forum rules have prohibited storing new private keys outside of hardware modules for a while now, so eventually you won't be able to find a leaked private key for code signing that would still be valid.

redox99 10 hours ago

That's kind of crazy. Why doesn't Microsoft revoke such certs such that you can't sign new software with it?

steve1977 9 hours ago

Because it's mostly just performative.

vaginaphobic 12 hours ago

[dead]