Factorio binaries don't seem to be signed, so after every update I have to accept an orange admin right warning (win64).
Security and user experience could be improved with a cert.
Sign / get a certificate for the executables
Moderator: ickputzdirwech
Re: Sign / get a certificate for the executables
I have never understood the whole certification thing of executables at all.
It seems quite silly to me. It's not like one could not fake a certificate and add a trojan in the exe anyways.
- Deadly-Bagel
- Smart Inserter
- Posts: 1498
- Joined: Wed Jul 13, 2016 10:12 am
- Contact:
Re: Sign / get a certificate for the executables
"Faked" certificates aren't issued by a trusted authority so it's mostly pointless.
Money might be the root of all evil, but ignorance is the heart.
Re: Sign / get a certificate for the executables
So you're saying it's possible to fake a certificate yet somehow impossible to fake the authority that supposedly signed the fake certificate?
- Deadly-Bagel
Re: Sign / get a certificate for the executables
Well yeah you can sign a certificate under whatever name you like but unless the encryption matches a trusted issuer your computer will highlight a problem.
For example, this example of a fake certificate by someone pretending their trojan is authentic clearly failed to match a trusted issuer and their encryption.
This is one of those things that probably initially had a lot of problems but has had ludicrous amounts of money thrown at it to make it uncrackable. Consider certificates are used by banks not only to ensure that their websites can't properly be forged, but also for their own servers internally so nobody can impersonate them so they need to be certain that you can't just copy or forge one.
I can't say for sure that it's impossible, but certainly incredibly difficult and I've never heard of it being done.
Money might be the root of all evil, but ignorance is the heart.
Re: Sign / get a certificate for the executables
A signed executable means that the file has not been modified by a 3rd party. It also proves the identity of the signer, assuming that you have someone vouching for the identity of the signer.
A signature carries the implication of "I made this and I take responsibility for it".
Re: Sign / get a certificate for the executables
Mendel wrote: So you're saying it's possible to fake a certificate yet somehow impossible to fake the authority that supposedly signed the fake certificate?
It's called web of trust.
Every operating system has a list of root certificates - certificates held mainly by companies that specialize in data security and the like. These root certificates were then used to produce intermediate certificates, which are in turn chained together from provider to provider until you get to where an administrator requests a certificate to identify their website with or sign their executable with.
There are procedures to follow for verifying the identity of each link in the chain, and the more heavily validated a certificate is before being signed the more valuable it is.
Ultimately though, you cannot fake a properly signed certificate because all valid certificates interact with the web of trust such that they maintain traceability back to one or more root certificates.
However, it is possible to create your own root certificate and form your own chain of certificates based on it. This can result in fake certificates being bundled to authenticate malware, but they are ineffective and produce errors unless you first infect the target system with another malware that adds the attacker's own root certificate to the system's trusted certificate list.
Because of that, you would have to infect a system first by other means to be able to exploit the certificate chain for spreading malware. While not impossible, it kind of defeats the point of trying it - the system is already compromised, why attack it again when you can just use what you've already done?
Or just be a system administrator who instead of buying certs for all of the enterprise's IoT hardware decided to create their own company-internal certificate authority, and thus had to install that company's root certificates into the trusted list on the workstations. Like so it becomes possible to make bogus certs for anything and the OS will always trust them because they trust the root certificate that it is chained to.
In my mind, Steam is the eternal king of the railway.
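The check the thread keeps circling around, as an added example that is not part of any post above: a PowerShell function that reports whether an executable's signature is intact and whether its certificate chain ends at a root in the machine's trusted list. The function name `Get-SignatureChainReport` and the output field names are illustrative; the path in the usage comment is a placeholder.

```powershell
# Added example (not from the thread): report an executable's Authenticode
# status and the certificate chain behind it. Function name is illustrative.
function Get-SignatureChainReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # What each status means in terms of the discussion above.
    $meaning = switch ([string]$sig.Status) {
        'Valid'        { 'Hash matches and the chain ends at a trusted root' }
        'NotSigned'    { 'No signature: Windows shows the unknown-publisher prompt' }
        'HashMismatch' { 'File was modified after it was signed' }
        'NotTrusted'   { 'Signed, but the signer is not trusted on this machine' }
        default        { 'Signature could not be validated, see ChainErrors' }
    }

    $links = @(); $errors = @()
    if ($sig.SignerCertificate) {
        # Rebuild the path leaf -> intermediate(s) -> root from local stores.
        # Note: this evaluates the chain at the current time, so an expired but
        # timestamped signing certificate can show NotTimeValid here.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($sig.SignerCertificate)
        $errors = @($chain.ChainStatus | ForEach-Object { [string]$_.Status })

        $links = foreach ($element in $chain.ChainElements) {
            $cert = $element.Certificate
            [pscustomobject]@{
                Subject     = $cert.Subject
                Issuer      = $cert.Issuer
                Thumbprint  = $cert.Thumbprint
                SelfSigned  = ($cert.Subject -eq $cert.Issuer)
                # True only if this exact certificate is in the machine's trusted root list.
                InRootStore = Test-Path -LiteralPath "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
            }
        }
    }

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Meaning     = $meaning
        ChainErrors = $errors
        Chain       = $links
    }
}

# Usage (placeholder path):
# Get-SignatureChainReport -Path '<path-to-executable>' | Format-List
```

A chain whose last element is self-signed but has `InRootStore` false is the "own root certificate" case described above; the same root showing `InRootStore` true on a workstation is the internal-CA case, and is worth checking against the list of roots the organisation actually deployed.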