Code-Signing Certificate Lifetimes Shortened, Consolidating Power - Episode Hero Image

Code-Signing Certificate Lifetimes Shortened, Consolidating Power

Security Now (Audio) · · Listen to Original Episode →
Original Title:

TL;DR

  • Code-signing certificate lifetimes have been drastically reduced from 39 months to 15 months, increasing costs and administrative burden for developers without demonstrably improving security against malicious actors.
  • The CA Browser Forum's decision to shorten code-signing certificate lifetimes, driven by certificate issuers, appears to be a move towards a subscription-based cloud-signing model, potentially consolidating power and increasing costs.
  • Publicly accessible MongoDB instances, numbering around 87,000, remain vulnerable to the "MongoBleed" exploit, allowing unauthenticated attackers to exfiltrate sensitive memory data due to a long-standing flaw in message decompression.
  • New York City's mayoral inauguration banned specific devices like Raspberry Pi and Flipper Zero, indicating a shift towards device-specific prohibitions rather than addressing underlying behaviors or capabilities, creating ambiguity and potentially stifling innovation.
  • OpenAI is reportedly exploring advertising models for ChatGPT, potentially integrating sponsored content into responses, which raises concerns about skewed results and user trust, despite the company's current financial losses.
  • The upcoming hardware-accelerated BitLocker in Windows 11 promises to mitigate the significant performance penalty on NVMe drives caused by software-based encryption, but this benefit is not yet available on current hardware.
  • The Python Package Index (PyPI) is strengthening its security by requiring email verification for TOTP-based logins, aiming to mitigate account takeovers and the spread of malware through compromised developer accounts.

Deep Dive

The latest episode of Security Now reveals a critical shift in software security paradigms, driven by increasingly restrictive code-signing policies and a consolidation of certificate authorities. This consolidation creates a "cabal" that leverages shortened certificate lifetimes and cloud-based signing services to establish subscription-based models, effectively increasing costs and diminishing user control. The implications extend beyond mere inconvenience, posing systemic risks to software integrity and personal computing freedom by prioritizing profit and control over genuine security enhancements.

The core of this shift lies in the CA Browser Forum's decision to drastically shorten code-signing certificate lifetimes from 39 months to 15 months, effective March 1st, 2026. This change, driven by certificate issuers rather than browser developers, is presented as a security measure, yet it directly contradicts the security advancements made two and a half years prior that mandated hardware security modules (HSMs) for code-signing private keys, effectively eliminating remote theft. The shortened lifetimes, therefore, offer no demonstrable security benefit against theft but do necessitate more frequent renewals, thereby increasing recurring costs for software developers.

This move is compounded by the rise of cloud-based code signing services. These services, while offering convenience by managing private keys remotely, introduce a significant security trade-off. Users entrust their private keys to a third-party provider, creating a single point of failure and a more attractive target for attackers. Furthermore, this model incentivizes a subscription-based revenue stream for certificate authorities, leading to a consolidation of power among a few major providers who can dictate terms and prices. This consolidation, coupled with the inherent need for developers to have signed code to run on modern operating systems like Windows, creates a captive market where developers are compelled to pay an annual "tribute" for the privilege of distributing their software.

The second-order implications of these trends are profound. For individual developers and smaller organizations, the increased cost of code signing certificates and the shift to subscription models can become prohibitive, potentially stifling innovation and discouraging the creation of freeware or charityware. For users, the reliance on a shrinking number of trusted signers means that any compromise within this select group could have widespread consequences. Moreover, the increasing inability for individuals to run their own software on their own machines, exemplified by Windows 11's Smart App Control that cannot be easily disabled, signifies a loss of personal computing freedom. This trend suggests a future where only software vetted and signed by a small, powerful consortium will be trusted, fundamentally altering the landscape of personal computing and potentially creating a tiered system where access to software is dictated by financial capacity rather than technical merit.

The episode also touches upon other significant security and technological developments. The "MongoBleed" vulnerability (CVE-2025-14847) highlights a critical flaw in MongoDB that allows unauthenticated memory leakage, affecting all versions since 3.6. This flaw, present for over eight years, underscores the risks of publicly exposing database instances and the persistent issue of trusting user-provided input in software development. Additionally, the discussion on BitLocker's upcoming hardware acceleration in Windows 11 brings to light the performance overhead of software-based encryption on NVMe drives, while also pointing out that this feature is not yet available, requiring new hardware for its implementation. Finally, the potential for ChatGPT to incorporate advertising into its responses raises concerns about user privacy and the integrity of AI-generated information, mirroring past shifts observed in search engine business models.

The overarching takeaway is that the software security ecosystem is undergoing a significant transformation, driven by economic incentives and a consolidation of control rather than purely by security imperatives. This shift threatens to increase costs for developers, limit user freedom, and concentrate power in the hands of a few entities, necessitating a critical re-evaluation of how software is signed, distributed, and trusted.

Action Items

  • Audit 10 publicly exposed MongoDB instances for unnecessary public access and implement network segmentation to restrict access to internal networks.
  • Implement enhanced two-factor authentication for all Python Package Index (PyPI) accounts, requiring email verification for TOTP logins to mitigate phishing risks.
  • Evaluate current code signing certificate renewal processes and secure 39-month certificates before the March 1st deadline to defer increased costs and management overhead.
  • Design a system for tracking and analyzing the impact of security vulnerabilities on software quality and user trust, focusing on root causes rather than individual bug fixes.

Key Quotes

"We're beginning to see I'll be talking about another reduction in certificate length which has no justification and and this new feature saps smart app or sac smart app control that landed in windows 11 which cannot be turned off where you can't allow apps you trust or exceptions all of Microsoft's stuff has until now all of the windows defender you could say okay fine I want to dedicate this directory to things that you don't bother me about that's going away so so and users are being increasingly inconvenienced in the same way and for the same reason that we can't build light rail in California it's you know it's like it's diminishing returns it's the belief that we can apply our fancy technology to solve problems that where the where the presence of that technology creates a bigger problem than what it is trying to solve and and I we I think this is the year where we're going to begin to see I mean we're the signs have been there and we've been reporting this until now I think it's going to mature unfortunately like this year and next where things are going to be are becoming increasingly constrained in a in a mistaken belief that we're going to be able to fix this just by being more tricky by applying technology to where mistakes we're not really fixing mistakes much and the human factor is still there anyway"

Steve Gibson expresses concern about a trend of increasing restrictions and inconveniences in software and technology, likening it to over-regulation hindering progress. He argues that these measures, often presented as security enhancements, may create more problems than they solve and that the human element remains a significant factor in security failures. Gibson suggests this trend will likely intensify in the coming years.

"Nevertheless the certificate authorities have voted and decided that even safely stored code signing certificates must be renewed now much more frequently so I understand why this happened with TLS certificates because of issues with revocation right but there's nothing like that for code certificates right no no you could you know if so and and this is another part of the annoyance it's not as if this is actually going to prevent maliciously signed malware you're going to get companies posing as as reputable software publishers who obtain a code signing certificate and and establish a reputation very much the same way that that people who run forums see people creating accounts that are dormant for a while in order to sort of slip under the radar and then they start getting up to some mischief downstream at some point same thing's happening here so it's not like this actually solves a problem you can still have valid code signing certificates issued to malicious entities because the validation process is cannot be perfect because it's again it's the human factor which is where all of our security ultimately fails whether it's humans writing code that has bugs or humans saying you know are you really you know Steve Gibson"

Steve Gibson highlights the decision by the CA/Browser Forum to shorten code signing certificate lifetimes, questioning its necessity and effectiveness. He points out that even with securely stored certificates, malicious actors can still obtain them and that this change does not prevent the issuance of valid certificates to malicious entities, suggesting the validation process remains imperfect due to the human factor.

"The problem is this is still an imperfect system bugs in signed software are no less prevalent than in unsigned software so signing offers no guarantee about software quality and bad guys are just as able to exploit bugs in signed as in unsigned software but it is certainly worthwhile to require a signature rather than not if nothing else something somewhere is known by someone about the signer of the software there's at least some modicum of accountability and traceability so I can see that you know that it's not a bad thing and if a piece of signed software is discovered to be malicious then its signing certificate can be immediately blacklisted and is so that nothing else signed by that presumably malicious certificate will be trusted"

Steve Gibson acknowledges that code signing, while imperfect, offers a degree of accountability and traceability. He explains that while it does not guarantee software quality or prevent bugs, it is still valuable because it allows for the blacklisting of malicious certificates if discovered, thereby preventing further trust in software signed by that certificate.

"The critical flaw is that once mongodb has finished decompressing it never checks the actual resulting size of the newly decompressed payload it trusts the data the user provided using that as the actual size of the payload now I need to stop here to hover over that phrase a bit longer that phrase being it trusts the data the user provided if we were to produce a list of the root causes behind many of the worst flaws that we that that have been found in software trusting user provided input would definitely be right up there near the top if not perhaps in first place since even buffer overflows typically result from the similar mistake of trusting and using something that a malicious user deliberately provided in this case we have a deliberate buffer underflow that results entirely from trusting input from the user"

Steve Gibson identifies the core of the "MongoBleed" vulnerability as the database's failure to validate the actual size of decompressed data against the claimed size. He emphasizes that this trust in user-provided input is a fundamental flaw, a recurring root cause in many software vulnerabilities, leading to a buffer underflow where the system does not properly check the decompressed payload's size.

"The result of the bug is that multiple megabytes of the server's raw internal data can be exfiltrated to the attacker this data might and often does contain clear text passwords and credentials session tokens api keys customer data database configurations system info docker paths and client ip addresses and so on in short all of the internal operations of the server that would otherwise never be made available to anyone whether they had authenticated and were legitimate user or not"

Steve Gibson explains the direct consequence of the MongoBleed vulnerability, which is the exfiltration of sensitive server data. He details that this leaked information can include plain text passwords, API keys, customer data, and configuration details, effectively exposing internal server operations that should remain private, regardless of user authentication status.

"My question is why was even a single instance of mongodb publicly exposed i'm sitting here right now as i talk to leo and our audience in southern california from my location here i have access to any and all of those 87 000 some instances of mongodb why why do i have access why can i send out a tcp syn packet to port 27017 of any to any of those 87 000 ips and promptly receive a tcp syn ack packet inviting me to complete the tcp handshake connection i have no need to ever do so whoever runs that mongodb instance certainly doesn't want or expect me sitting here in southern california to be able to connect to their database server but i can why by now i hope that everyone in this podcast's audience understands not only that this is wrong but just how wrong it is"

Steve Gibson expresses strong disapproval of publicly exposing MongoDB instances, questioning the rationale behind such configurations. He highlights his ability to connect to thousands of these servers from his location, emphasizing that this access is unnecessary and unintended, underscoring the severity of the security lapse.

Resources

External Resources

Books

  • "The Magnesium Miracle" by Carolyn Dean, MD, ND - Mentioned as a foundational text for understanding magnesium's importance and deficiency.

Articles & Papers

  • "Why Your Vitamin D Supplements Might Not Be Working" (Science Daily) - Discussed as a piece linking vitamin D effectiveness to magnesium levels.
  • "ChatGPT could prioritize sponsored content as part of ad strategy" (Tom's Hardware) - Referenced for reporting on OpenAI's potential ad integration in ChatGPT.
  • "Netfix's best new show has a 100 Rotten Tomatoes score but there's a catch" (Forbes) - Cited for its description of "The Lazarus Project."

People

  • Carolyn Dean, MD, ND - Author of "The Magnesium Miracle."
  • Martha Shrubsole - Research Professor of Medicine at Vanderbilt Ingram Cancer Center, co-author of a study on magnesium and vitamin D.
  • Kevin Beaumont - Security researcher who posted about the MongoBleed exploit.
  • Tom Kreitz - Listener who sent a link about vitamin D and magnesium.

Organizations & Institutions

  • Vanderbilt Ingram Cancer Center - Conducted a study on magnesium and vitamin D.
  • American Journal of Clinical Nutrition - Published findings on magnesium and vitamin D.
  • CA/Browser Forum - Voted to reduce the maximum lifetime of code signing certificates.
  • OpenAI - Company developing ChatGPT, exploring ad integration.
  • Python Package Index (PyPI) - Announced security enhancements and new features.
  • Microsoft - Discussed for BitLocker hardware acceleration in Windows 11.
  • Intel - Unveiled new processors with support for hardware accelerated BitLocker.
  • Albion Minerals - Nutritional chemists who developed a method for mineral supplementation absorption.
  • GRC (Gibson Research Corporation) - Steve Gibson's company website.
  • Adafruit - Website that published the prohibited items list for the NYC inauguration.
  • Netflix - Streaming service where "The Lazarus Project" is available.
  • Apple TV - Platform where "The Lazarus Project" Season 2 is available for purchase.
  • Amazon Prime Video - Platform where "The Lazarus Project" Season 2 is available.
  • Forbes - Publication that reported on "The Lazarus Project."
  • Rotten Tomatoes - Review aggregator with a perfect score for "The Lazarus Project."
  • IMDb - Review aggregator with a lower rating for "The Lazarus Project."
  • Bafta (British Academy of Film Awards) - Nominated "The Lazarus Project."
  • Censys - Internet scanning company that identified publicly reachable MongoDB instances.
  • Elastic Security - Posted an exploit for CVE-2025-14847 (MongoBleed).
  • Ox Security - Blog that published technical details on the MongoBleed exploit.

Websites & Online Resources

  • grc.com - Steve Gibson's website containing software, show notes, and transcripts.
  • twit.tv/clubtwit - Website for supporting the TWiT network.
  • stitchfix.com/spotify - Website for Stitch Fix personal styling service.
  • meter.com/securitynow - Website for Meter networking solutions.
  • threatlocker.com/twit - Website for ThreatLocker zero trust platform.
  • bitwarden.com/twit - Website for Bitwarden password manager.
  • material.security - Website for Material cloud workspace security platform.
  • twit.tv/sn - TWiT's Security Now page.
  • youtube.com/securitynow - Dedicated YouTube channel for Security Now.

Other Resources

  • MongoBleed (CVE-2025-14847) - A vulnerability in MongoDB allowing memory exfiltration.
  • Heartbleed - A past vulnerability in OpenSSL that leaked server memory.
  • BitLocker - Microsoft's whole drive encryption system.
  • Hardware Accelerated BitLocker - Upcoming feature in Windows 11 for faster encryption/decryption.
  • NVMe (Non-Volatile Memory Express) - A high-speed storage interface.
  • SSPL (Server Side Public License) - License used by MongoDB for future releases.
  • AGPL (Affero General Public License) - Previous license used by MongoDB.
  • ACME protocols - Protocols used for automating certificate management.
  • Zero Trust - A security framework.
  • The Lazarus Project - A British time travel television series.
  • Magnesium - A mineral discussed for its role in vitamin D regulation and overall health.
  • Vitamin D - A vitamin discussed in relation to magnesium levels.
  • Smart App Control (SAC) - A feature in Windows 11 that cannot be turned off.
  • Code Signing Certificates - Certificates used to verify the authenticity of software.
  • TLS Certificates - Certificates used for secure communication over the internet.
  • Two-Factor Authentication (2FA) - A security method requiring two forms of verification.
  • Time-Based One-Time Passwords (TOTP) - A type of 2FA.
  • BSON (Binary JSON) - A binary-encoded serialization of JSON-like documents.
  • Zlib Compression - A data compression algorithm.
  • Buffer Underflow - A type of memory error.
  • First Pass Hepatic Metabolism - The process by which the liver metabolizes substances.
  • Dipeptide - A molecule formed by two amino acids.
  • Magnesium Glycinate/Bisglycinate - Forms of magnesium bound to amino acids.
  • Magnesium Citrate - A form of magnesium.
  • Magnesium Oxide - A poorly absorbed form of magnesium, often used as a laxative.
  • Magnesium L-Threonate - A form of magnesium that can cross the blood-brain barrier.
  • Spinrite - A mass storage maintenance and recovery utility.
  • DNS Benchmark - A tool for testing DNS performance.
  • TrueCrypt - An older whole disk encryption software.
  • Passkeys - A passwordless authentication method.
  • AI User Group - A monthly program on TWiT.

---
Handpicked links, AI-assisted summaries. Human judgment, machine efficiency.
This content is a personally curated review and synopsis derived from the original podcast episode.