Sign / get a certificate for the executables

Post your ideas and suggestions how to improve the game.
Post Reply
Quurks
Manual Inserter
Manual Inserter
Posts: 1
Joined: Tue Sep 20, 2016 8:02 pm
Contact:

Sign / get a certificate for the executables

Post by Quurks »

Factorio binaries don't seem to be signed, so after every update I have to accept an orange admin right warning (win64).

Security and user experience could be improved with a cert.

Mendel
Filter Inserter
Filter Inserter
Posts: 255
Joined: Mon Aug 17, 2015 1:51 pm
Contact:

Re: Sign / get a certificate for the executables

Post by Mendel »

I have never understood the whole certification thing of executables at all.
It seems quite silly to me. Its not like one could not fake a certificate and add a trojan in the exe anyways.

User avatar
Deadly-Bagel
Smart Inserter
Smart Inserter
Posts: 1497
Joined: Wed Jul 13, 2016 10:12 am
Contact:

Re: Sign / get a certificate for the executables

Post by Deadly-Bagel »

"Faked" certificates aren't issued by a trusted authority so it's mostly pointless.
Money might be the root of all evil, but ignorance is the heart.

Mendel
Filter Inserter
Filter Inserter
Posts: 255
Joined: Mon Aug 17, 2015 1:51 pm
Contact:

Re: Sign / get a certificate for the executables

Post by Mendel »

So youre saying its possible to fake a certificate yet somehow impossible to fake the authority that supposedly signed the fake certificate?

User avatar
Deadly-Bagel
Smart Inserter
Smart Inserter
Posts: 1497
Joined: Wed Jul 13, 2016 10:12 am
Contact:

Re: Sign / get a certificate for the executables

Post by Deadly-Bagel »

Well yeah you can sign a certificate under whatever name you like but unless the encryption matches a trusted issuer your computer will highlight a problem.

For example, this example of a fake certificate by someone pretending their trojan is authentic clearly failed to match a trusted issuer and their encryption.

This is one of those things that probably initially had a lot of problems but has had ludicrous amounts of money thrown at it to make it uncrackable. Consider certificates are used by banks not only to ensure that their websites can't properly be forged, but also for their own servers internally so nobody can impersonate them so they need to be certain that you can't just copy or forge one.

I can't say for sure that it's impossible, but certainly incredibly difficult and I've never heard of it being done.
Money might be the root of all evil, but ignorance is the heart.

henke37
Long Handed Inserter
Long Handed Inserter
Posts: 89
Joined: Mon Jul 18, 2016 5:43 pm
Contact:

Re: Sign / get a certificate for the executables

Post by henke37 »

A signed executable means that the file has not been modified by a 3rd party. It also proves the identity of the signer, assuming that you have someone vouching for the identity of the signer.

A signature carries the implication of "I made this and I take responsibility for it".

User avatar
OdinYggd
Fast Inserter
Fast Inserter
Posts: 200
Joined: Wed May 25, 2016 12:55 pm
Contact:

Re: Sign / get a certificate for the executables

Post by OdinYggd »

Mendel wrote:So youre saying its possible to fake a certificate yet somehow impossible to fake the authority that supposedly signed the fake certificate?
Its called web of trust.

Every operating system has a list of root certificates- certificates held mainly by companies that specialize in data security and the like. These root certificates were then used to produce intermediate certificates, which are in turn chained together from provider to provider until you get to where an administrator requests a certificate to identify their website with or sign their executable with.

There are procedures to follow for verifying the identity of each link in the chain, and the more heavily validated a certificate is before being signed the more valuable it is.

Ultimately though, you cannot fake a properly signed certificate because all valid certificates interact with the web of trust such that they maintain traceability back to one or more root certificates.

However, it is possible to create your own root certificate and form your own chain of certificates based on it. This can result in fake certificates being bundled to authenticate malware, but they are ineffective and produce errors unless you first infect the target system with another malware that adds the attacker's own root certificate to the system's trusted certificate list.

Because of that, you would have to infect a system first by other means to be able to exploit the certificate chain for spreading malware. While not impossible, it kind of defeats the point of trying it- the system is already compromised why attack it again when you can just use what you've already done.

Or just be a system administrator who instead of buying certs for all of the enterprise's IoT hardware decided to create their own company-internal certificate authority, and thus had to install that company's root certificates into the trusted list on the workstations. Like so it becomes possible to make bogus certs for anything and the OS will always trust them because they trust the root certificate that it is chained to.
In my mind, Steam is the eternal king of the railway.

Post Reply

Return to “Ideas and Suggestions”

Who is online

Users browsing this forum: No registered users