Remote workers around the world have been unable to connect to Pulse Secure VPN devices after a code signing certificate used to digitally sign software components expired.
<p>What happened with Pulse Secure VPNs is a pretty common code signing issue. The reality is that code signing is a complicated topic, and a lot of developers don't fully understand it, which is how issues like this one arise. The result is that code signing certificates expire, software stops running and users are upset.</p> <p>What happened in this situation is that the software used to run the VPN was checking the validity dates of the code signing certificate against the current clock, instead of against the signing time recorded by the timestamping server. This is why it is a bug in the software, rather than an issue with a compromised certificate.</p> <p>By design, code signing certificates have limited lifespans so that they cannot be used indefinitely if they fall into the wrong hands. However, if the verifier only checks the certificate against the current date, then once the certificate expires the software that was signed with it is no longer able to run. This is where code signing timestamp servers come into play. When one signs software, a timestamp from a reputable, public timestamping authority is also included in the signature. The timestamp attests that the signature existed at a particular time, and therefore that the code signing certificate was valid at the time it was used to sign the code. When a code signing certificate and a timestamp are combined, a piece of software can be signed with a certificate that will expire in the near future, but the software will continue to be able to be executed far into the future, because a correct verifier checks the certificate's validity at the timestamped signing time rather than at the time of execution.</p>
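<p>The difference between the two verifier behaviours described above, as an added example that is not part of the original commentary or of Pulse Secure's own code. It builds a throwaway PKI with Go's standard library: a code-signing certificate that expired a day ago, a build signed while that certificate was still valid, and a timestamping authority (TSA) whose token is simplified to an ECDSA signature over the code signature plus a time string, standing in for a real RFC 3161 token. The TSA certificate is trusted directly and the file names are constructed. The clock-only verifier rejects the legitimately signed build; the timestamp-aware one accepts it, and still rejects a file signed with the expired certificate after expiry, because a TSA only attests the present time, never a past one.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates an ECDSA P-256 certificate from tmpl, signed by parent
// (self-signed when parent is nil). Throwaway test PKI, not a real CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Artifact is a signed binary plus a simplified timestamp token (assumption:
// the TSA signs hash(signature || time) instead of an RFC 3161 structure).
type Artifact struct {
	Payload, Signature []byte
	SignerCert         *x509.Certificate
	TSTime             time.Time
	TSSignature        []byte
}

func tsDigest(sig []byte, t time.Time) []byte {
	h := sha256.Sum256(append(append([]byte{}, sig...), t.UTC().Format(time.RFC3339)...))
	return h[:]
}

// sign produces the code signature and asks the TSA to attest time "when".
func sign(payload []byte, key *ecdsa.PrivateKey, cert *x509.Certificate, tsaKey *ecdsa.PrivateKey, when time.Time) Artifact {
	h := sha256.Sum256(payload)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:])
	tsSig, _ := ecdsa.SignASN1(rand.Reader, tsaKey, tsDigest(sig, when))
	return Artifact{payload, sig, cert, when, tsSig}
}

// chainValidAt checks the signer chain for code signing at a chosen instant.
func chainValidAt(cert *x509.Certificate, roots *x509.CertPool, at time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

func sigValid(a Artifact) bool {
	h := sha256.Sum256(a.Payload)
	return ecdsa.VerifyASN1(a.SignerCert.PublicKey.(*ecdsa.PublicKey), h[:], a.Signature)
}

// VerifyBuggy ignores the timestamp and validates the certificate against the
// current clock: the class of bug the commentary describes.
func VerifyBuggy(a Artifact, roots *x509.CertPool, now time.Time) error {
	if err := chainValidAt(a.SignerCert, roots, now); err != nil {
		return err
	}
	if !sigValid(a) {
		return errors.New("bad code signature")
	}
	return nil
}

// VerifyTimestamped authenticates the token first, then validates the
// certificate at the attested signing time rather than at the present.
func VerifyTimestamped(a Artifact, roots *x509.CertPool, tsa *x509.Certificate, now time.Time) error {
	if now.Before(a.TSTime) {
		return errors.New("timestamp is in the future")
	}
	if !ecdsa.VerifyASN1(tsa.PublicKey.(*ecdsa.PublicKey), tsDigest(a.Signature, a.TSTime), a.TSSignature) {
		return errors.New("timestamp token not signed by trusted TSA")
	}
	if err := chainValidAt(a.SignerCert, roots, a.TSTime); err != nil {
		return err
	}
	if !sigValid(a) {
		return errors.New("bad code signature")
	}
	return nil
}

// Verdicts holds the three outcomes Scenario produces.
type Verdicts struct{ Buggy, Timestamped, SignedAfterExpiry error }

// Scenario builds the PKI relative to "now" and runs both verifiers.
func Scenario(now time.Time) Verdicts {
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"},
		NotBefore: now.Add(-240 * time.Hour), NotAfter: now.Add(240 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	signer, signerKey := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Vendor Code Signing"},
		NotBefore: now.Add(-72 * time.Hour), NotAfter: now.Add(-24 * time.Hour), // expired yesterday
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}, ca, caKey)
	tsa, tsaKey := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "Test TSA"},
		NotBefore: now.Add(-240 * time.Hour), NotAfter: now.Add(240 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	good := sign([]byte("vpn-client-build.bin"), signerKey, signer, tsaKey, now.Add(-48*time.Hour)) // signed while valid
	late := sign([]byte("late-build.bin"), signerKey, signer, tsaKey, now)                         // signed after expiry
	return Verdicts{VerifyBuggy(good, roots, now), VerifyTimestamped(good, roots, tsa, now), VerifyTimestamped(late, roots, tsa, now)}
}

func main() {
	v := Scenario(time.Now())
	fmt.Println("clock-only verifier, valid-at-signing build:", v.Buggy)
	fmt.Println("timestamp-aware verifier, same build:       ", v.Timestamped)
	fmt.Println("timestamp-aware, signed after expiry:       ", v.SignedAfterExpiry)
}
```

<p>The only behavioural difference between the two verifiers is the instant passed as <code>CurrentTime</code> to the chain check; everything else (root of trust, key usage, the signature over the file) is identical, which is why an expired-certificate outage is a verifier bug rather than a certificate compromise.</p>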
Information Security Buzz (aka ISBuzz News) is an independent resource that provides experts' comments, analysis and opinion on the latest information security news and topics.