Sneaking a defect into large source control happens, and if you can, and you are patient, that defect will ultimately get signed. It's very unlikely this is quicker than using zero days, but it is possible to do.
It's happened at Adobe multiple times, as well as at Debian and Red Hat. It only happened at DigiNotar once, but you use that example, no?
Adobe isn't an OS or hardware platform, and Authenticode is shit (saying that as the ex-PM for it). The OS and boot loader code signing processes are not p12s stored in source control.
I agree, but it's good enough to defeat FDE today, right?
CA compromise is far more common than DigiNotar; it's only the case that ended up on the front page with research papers. But comparing Authenticode key compromise to OS signing infra compromise is … to ….
I don't know if CA compromise is more common than build server compromise, I think it might be close. I agree it's different, but the point is both would be good enough to defeat FDE, do we agree on that?