Expert Reaction On Pulse Secure VPN Users Can’t Login Due To Certificate Related Outage

Remote workers around the world have been unable to connect to Pulse Secure VPN devices after a code signing certificate used to digitally sign software components expired.

Eddie Glenn, Senior Product Manager
InfoSec Expert
April 13, 2021 1:08 pm

What happened with Pulse Secure VPNs is a pretty common code signing issue. The reality is that code signing is a complicated topic and a lot of developers don’t fully understand it which is how issues like this one can arise. As a result, code signing certificates expire, software stops running and users are upset.

What happened in this situation is that the software that was used to run the VPN was checking the date of the code signing certificate, instead of the timestamping server. This is why it is a bug in the software, rather than an issue with a compromised certificate.

By design, code signing certificates have short lifespans so they cannot be used indefinitely if they fall into the wrong hands. However, if a code signing certificate expires, then the software that was signed with it is no longer able to run. This is where code signing timestamp servers come into play. When one signs software, a timestamp from a reputable, public entity is also included. These timestamps indicate that the code signing certificate was valid at the time it was used to sign the code. When a code signing certificate and a timestamp are combined, a piece of software can be signed with a certificate that will expire in the near future, but the software will continue to be able to be executed far into the future because the timestamp server is still valid.

Last edited 1 year ago by Eddie Glenn
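
The difference the comment describes, between judging a signing certificate against the current clock and judging it against the countersigned signing time, shown as an added example (not Pulse Secure's code and not the commenter's). It models only the time-validity decision and assumes the signature and timestamp token have already been cryptographically verified; all names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Cert:                      # hypothetical model of a code signing certificate
    not_before: datetime
    not_after: datetime
    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after

@dataclass(frozen=True)
class SignedBinary:              # hypothetical model of a signed component
    signer: Cert
    # Signing time asserted by a trusted timestamp authority, or None if the
    # component was signed without a timestamp countersignature.
    timestamp: Optional[datetime]

def verify_naive(binary: SignedBinary, now: datetime) -> bool:
    """Failure mode: only the certificate's dates and the current clock are used."""
    return binary.signer.valid_at(now)

def verify_timestamp_aware(binary: SignedBinary, now: datetime) -> bool:
    """Judge the certificate at the time the timestamp says the code was signed."""
    if binary.timestamp is None:
        # Nothing proves when signing happened, so an expired cert must fail.
        return binary.signer.valid_at(now)
    if binary.timestamp > now:
        return False             # a signing time in the future is not credible
    return binary.signer.valid_at(binary.timestamp)

# Constructed sample data: a one-year certificate, checked after it has expired.
CERT = Cert(not_before=utc(2020, 1, 1), not_after=utc(2021, 1, 1))
NOW = utc(2021, 6, 1)
SIGNED_IN_WINDOW = SignedBinary(CERT, timestamp=utc(2020, 9, 15))
SIGNED_NO_TIMESTAMP = SignedBinary(CERT, timestamp=None)
SIGNED_AFTER_EXPIRY = SignedBinary(CERT, timestamp=utc(2021, 3, 1))

if __name__ == "__main__":
    for name, b in [("in window", SIGNED_IN_WINDOW),
                    ("no timestamp", SIGNED_NO_TIMESTAMP),
                    ("after expiry", SIGNED_AFTER_EXPIRY)]:
        print(f"{name:13} naive={verify_naive(b, NOW)} "
              f"timestamp_aware={verify_timestamp_aware(b, NOW)}")
```

Only the component timestamped inside the certificate's validity window keeps verifying after expiry; one signed without a timestamp, or timestamped after the certificate expired, is still rejected.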