SPONSOR INTERVIEW: Paul Ducklin on code signing cert pinning

How far do decent crypto controls get us?
23 May 2013 » Risky Business Extra, AusCERT

In this sponsor interview we chat with Paul Ducklin of Sophos about trends in code signing technology designed to combat malware.

During the great "SSL wars" of 2011, when hackers like Comodohacker went cyber-berserk owning CAs and minting their own certificates for sites like Gmail and Facebook, valuable lessons were learned. It's becoming the norm for browsers to pin certs for well-known websites... and now this same approach to certificate sanity checking is finding its way into code signing checks.

Microsoft's latest EMET, version 4.0, which I think is still in beta, will pin certs for signed applications. It's a good idea -- it makes life a little tougher for the bad guys, but as you'll hear, it's not going to kick the can THAT far down the road, as Paul Ducklin explains.