What is a "broken digital signature", and is it a problem? If so, why?

Digital signatures are used to confirm the integrity of things from web sites to software. I'll look at what it means when software signatures "break".

My (free version) AVG software is warning me of several "broken digital signature(s)" on my computer. Why are these a problem?

They may not be.

I've seen several people wondering about this error that apparently started with a recent update to AVG.

It's also possible that AVG is checking something new that most anti-malware programs don't check and discovering something - something that might be true, but still not necessarily a problem.

Digital Signatures

First, we need to understand just a little about exactly what a digital signature is.

In short, it's a small block of data (typically a cryptographic hash of the signed data, encrypted with the signer's private key) that accompanies some other kind of data and, when checked, confirms two things:


the organization or person who created that other data is who they say they are

that other data has not been altered in any way since it was signed

The key technology used is called "public key encryption": what is encrypted with one key of a specially created pair of keys can only be decrypted with the other. The signer keeps one key private and publishes the other. Anyone holding the public key can then confirm that a signature was made with the matching private key, and so validate the origin of signed data, without being able to forge a signature themselves.

This might sound a little familiar, as it's very similar to (and often uses the same technology as) the encryption and verification that is performed when you use an https secure connection.

That'll be an important example in a moment as we look at what it means for a digital signature to "break".
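The two checks described above, worked through in code. This is an added example rather than anything from the original article: it uses Go's standard library (RSA with SHA-256), a constructed byte string standing in for an .exe or .dll, and freshly generated "vendor" and "impostor" keys, so it runs offline. Real code signing hashes the executable with its own signature area excluded, but the principle is the same.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignFile is what the software vendor does at build time: hash the file and
// "encrypt" the hash with the private key (RSA PKCS#1 v1.5 over SHA-256).
func SignFile(priv *rsa.PrivateKey, file []byte) ([]byte, error) {
	digest := sha256.Sum256(file)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyFile is what the operating system or anti-malware tool does: hash the
// file as it is now and check that hash against the signature with the
// signer's public key. A nil result means both "right signer" and "unchanged
// data" passed; any error means one of them failed.
func VerifyFile(pub *rsa.PublicKey, file, sig []byte) error {
	digest := sha256.Sum256(file)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// Tamper returns a copy of file with a single bit flipped in the middle, the
// kind of change a virus patching an executable would make.
func Tamper(file []byte) []byte {
	out := append([]byte(nil), file...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	vendor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a program file; not a real executable.
	program := []byte("MZ\x90\x00 constructed program bytes standing in for an .exe")

	sig, err := SignFile(vendor, program)
	if err != nil {
		panic(err)
	}
	fmt.Println("untouched file, vendor's key:  ", VerifyFile(&vendor.PublicKey, program, sig))
	fmt.Println("tampered file, vendor's key:   ", VerifyFile(&vendor.PublicKey, Tamper(program), sig))
	fmt.Println("untouched file, impostor's key:", VerifyFile(&impostor.PublicKey, program, sig))
}
```

Only the first line prints `<nil>`; the other two fail with a verification error. Note that the verifier cannot tell the two failures apart: a flipped bit in the file and a signature made with someone else's key both produce the same "does not verify" result, which is why this kind of failure, unlike an expired certificate, deserves attention.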

Broken Digital Signature

"Break" is really the wrong term, but it's good enough to get the idea across. A digital signature doesn't really break; rather, it fails to verify one of the things above, or fails an additional test or two that further confirm its authenticity.

A digital signature can "break" in one of several ways:

the signature fails to verify with the public key that should match. This calls into question the authenticity of the signer: the signature was made with some other key.

the test to confirm that the signed data has not changed fails. This could mean that the data has been tampered with after it was signed.

the data used to confirm that the signature is correct, the certificate, is "too old" - more on this below.

the certificate has been explicitly revoked and is no longer considered valid.

By far the third is the most common when visiting web sites using https. If you see "There is a problem with this website's security certificate", nine times out of ten the web site has simply failed to renew its certificate before the current one expired. That's more of an annoyance than a real security problem.
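The last two items in that list (an expired certificate and a revoked one) are properties of the signer's certificate rather than of the signature itself, so a checker has to evaluate the certificate chain separately. The following added example, which is not code from the original article, builds a constructed root CA ("Example Root"), issues a code-signing certificate to a constructed "Example Software Vendor", and classifies that certificate as valid, expired, revoked or untrusted using Go's standard library. Go's chain verifier does not consult CRLs, so the revocation check against the CA-signed list is done by hand; `ClassifyCert` and the other function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdicts ClassifyCert can reach. Only "untrusted" and "revoked" (plus a
// signature that fails outright, handled separately) deserve alarm.
const (
	Valid     = "valid"
	Expired   = "expired"
	Revoked   = "revoked"
	Untrusted = "untrusted"
)

// NewCA makes a constructed, self-signed root ("Example Root" is not a real CA).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root (constructed)"},
		NotBefore:             time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2040, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf has the CA issue a code-signing certificate valid from notBefore to notAfter.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "Example Software Vendor (constructed)"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RevokeSerials has the CA publish a signed CRL listing the given serial numbers.
func RevokeSerials(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...int64) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: ca.NotBefore, NextUpdate: ca.NotAfter}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: ca.NotBefore})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// ClassifyCert evaluates the signer's certificate against the trusted root and
// the CRL as of time "at". Passing the signing time (as recorded by a timestamp
// countersignature) instead of time.Now() is how a certificate that has since
// expired can still come out "valid".
func ClassifyCert(leaf, root *x509.Certificate, crl *x509.RevocationList, at time.Time) string {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		return Expired
	}
	if err != nil {
		return Untrusted // unknown root, bad chain signature, wrong key usage, ...
	}
	if crl != nil && crl.CheckSignatureFrom(root) == nil {
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return Revoked
			}
		}
	}
	return Valid
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	signedOn := time.Date(2022, 6, 1, 0, 0, 0, 0, time.UTC)
	leaf, err := IssueLeaf(ca, caKey, 42, signedOn.AddDate(0, -5, 0), signedOn.AddDate(0, 7, 0))
	if err != nil {
		panic(err)
	}
	crl, _ := RevokeSerials(ca, caKey, 42)
	fmt.Println("checked at signing time:     ", ClassifyCert(leaf, ca, nil, signedOn))
	fmt.Println("checked two years later:     ", ClassifyCert(leaf, ca, nil, signedOn.AddDate(2, 0, 0)))
	fmt.Println("after the CA revoked it:     ", ClassifyCert(leaf, ca, crl, signedOn))
}
```

On a real system the checker fetches the CRL (or asks an OCSP responder) at the address embedded in the certificate instead of being handed one, and the roots come from the operating system's trust store, which is why the root-certificate update mentioned later in this article matters: a root missing from that store turns a perfectly good chain into "untrusted".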

Digital Signatures, Software and Anti-malware Tools

Just like a website's "this is who I am" information can be signed as part of the https protocol, software can also be signed. ".exe", ".dll" and other file types used for software can be signed for security.

As you might imagine, this could be a good thing: a broken signature might reveal that an executable file has been tampered with, or that it came from someone other than it claims. Either way, that's a good sign of potential virus or other malware activity.

Unfortunately, just like https web sites, the most common cause of broken digital signatures in executables is out-of-date certificates. Rarely, if ever, is an out-of-date certificate a serious cause for alarm. (On Windows, a signature that was countersigned by a timestamp service when the file was signed isn't even supposed to fail when the certificate later expires, because the checker evaluates the certificate as of the signing time; expiry failures usually mean the signature was never timestamped at all.)

And yet, the anti-virus programs seem to be reporting these types of failures as equivalent in terms of threat.

They aren't.

Dealing With Broken Digital Signatures

Honestly, if no other errors are reported at the time, I'd be tempted to ignore broken digital signatures for the time being. While they've been around for a little while, there's been little penalty for getting them wrong. AVG, and hopefully other anti-malware manufacturers, will slowly start adding support for checking them, which in turn will motivate vendors to both use them and make sure that they're used correctly. If you want to know which kind of failure you're looking at, you can check a file yourself: the Digital Signatures tab of the file's Properties dialog in Windows Explorer, or Get-AuthenticodeSignature in PowerShell, will tell you whether the file's contents no longer match the signature (a hash mismatch, meaning tampering) or whether the signature is intact but its certificate is simply expired or not trusted.

One thing you can do - and this is, in part, an educated guess - is to make sure that you don't have any root certificate updates waiting in Windows Update. Depending on the exact nature of the certificates being used to validate digital signatures, out-of-date root certificates could lead to the problem at hand.

