A recent open-source blog post from Insikt suggests there is a small but growing market in counterfeit code-signing certificates. This raises further questions about how effectively code-signing certificates provide assurance to website users by establishing the identity of software authors and confirming that the software has not been corrupted or altered since its original distribution.
The NCSC Weekly Threat Report of 15th December 2017 highlighted that websites using SSL and HTTPS, signified by the padlock, are not inherently protected from attack. Malevolent actors can potentially compromise sites served over HTTPS or obtain legitimate certificates for use on malicious websites.
Counterfeit certificates were first identified in 2015. They are advertised as being registered to legitimate corporations and supplied by known issuers. The early versions were expensive, at approximately $1,000, but more recent standard certificates have been found for sale at $295.
The main benefit of counterfeit certificates for malicious actors is that software signed with them is highly effective at remaining undetected by antivirus software. However, as these certificates are thought to be created individually for each buyer, it seems likely that, at present, the majority of cyber criminals won’t use this technique.