A response from microsoft.com: they do not consider certificate revocation that is not functioning a security issue,
but see it as a normal Windows bug or a Thawte issue. Dutch security technician Bitwiper, who got this response, then wrote in reply:
This is about code signing certificate revocation not working in Windows, either because of issues in Thawte's CRL file, or because of a bug in Windows.
In any case, how can this not be a _security_ bug?
What if the cybercriminals involved started signing and distributing backdoored UEFI drivers? Or seemingly legitimate Windows updates (for example on public WiFi by _replacing_ .cab files downloaded from Windows update servers via http) using this compromised Thawte certificate?
What about when one is in a situation like this? Re:
https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html
What would be the point of Authenticode, or digital signatures in general, if errors (private key compromises or certificates sold to malicious parties) cannot be undone?
When "trusted" no longer really means "Trusted"? We are all food for the birds....
So we need an independent foundation delivering identity services, but this is not only the technical side; it is also seeing to it that cybercriminals and spooks cannot manipulate things (DNS, making you download compromised downloads, etc.).
Not an easy thing to do.
The certification industry and Microsoft certainly created a predicament for users here, or caused this situation to arise...
polonus (volunteer website security analyst and website error-hunter)
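As an added example, not from the original thread or from any of the posters: a PowerShell check that verifies an Authenticode signature and then forces an online, entire-chain revocation check on the signer's certificate, reporting "revocation status unknown" (CRL/OCSP unreachable) separately from "revoked" so that a caller can refuse the file in either case instead of relying on the soft-fail behaviour the post complains about. The file path in the usage lines and the accept/reject policy are assumptions; it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1+.
# Verifies an Authenticode signature, then rebuilds the signer's chain with
# online revocation checking for every certificate and reports the outcome.
function Test-AuthenticodeRevocation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path              = $Path
        SignatureStatus   = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer            = $null
        ChainValid        = $false
        Revoked           = $false
        RevocationUnknown = $false
        ChainErrors       = @()
    }

    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        # Unsigned, tampered (HashMismatch) or untrusted: nothing more to check.
        return [pscustomobject]$result
    }
    $result.Signer = $sig.SignerCertificate.Subject

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Require an online CRL/OCSP answer for every certificate in the chain,
    # not only the leaf. With the default flags, an unobtainable answer makes
    # Build() return $false rather than silently passing.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Only accept a chain that is valid for code signing (EKU 1.3.6.1.5.5.7.3.3).
    $codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    [void]$chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku)

    $result.ChainValid = $chain.Build($sig.SignerCertificate)

    $flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    foreach ($status in $chain.ChainStatus) {
        $result.ChainErrors += ('{0}: {1}' -f $status.Status, $status.StatusInformation.Trim())
        if ($status.Status -band $flags::Revoked) {
            $result.Revoked = $true
        }
        # RevocationStatusUnknown / OfflineRevocation: the CRL or OCSP responder
        # could not be reached or gave no usable answer. Treat as a distinct
        # outcome so policy can decide to fail closed.
        if (($status.Status -band $flags::RevocationStatusUnknown) -or
            ($status.Status -band $flags::OfflineRevocation)) {
            $result.RevocationUnknown = $true
        }
    }
    return [pscustomobject]$result
}

# Usage (hypothetical path): fail closed on anything that is not a clean pass.
$r = Test-AuthenticodeRevocation -Path 'C:\path\to\driver.sys'
if ($r.SignatureStatus -ne 'Valid' -or -not $r.ChainValid -or $r.Revoked -or $r.RevocationUnknown) {
    $r | Format-List
    Write-Warning "Do not trust $($r.Path)"
} else {
    Write-Output "Signature and revocation status OK for $($r.Path) (signer: $($r.Signer))"
}
```

The cmdlet's own `Status` field only tells you whether the signature verified; it does not expose whether a revocation answer was actually obtained for the chain. Building the chain a second time in `Online` / `EntireChain` mode surfaces that in `ChainStatus`, which is the part a defender needs when a signing certificate is known to be compromised but its CRL entry is not being honoured. Note that `X509Chain` uses the machine's certificate stores and the CDP/AIA URLs embedded in the certificates, so a test run on a host that cannot reach the CA will report `RevocationStatusUnknown` for every signed file; that is the expected fail-closed behaviour, not a bug in the check.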