Digital certificates

I’ve been taking an interest in computer security recently, and as part of that I’ve been investigating digital certificates, primarily in the context of code signing (e.g. applications/macros/plugins).

There seem to be two main misconceptions here (at opposite ends of the scale), which are worth addressing:

1. “If something has been signed then it’s safe.”

2. “Just because something’s been signed, that’s no guarantee of safety, therefore signing is pointless, and it’s just a way for Microsoft to extort money from people while spreading FUD.” (FUD = Fear, Uncertainty, and Doubt.)

Continue reading “Digital certificates”