
Information on the revocation of WinRAR 5.91 digital certificate - Bastich
https://www.rarlab.com/revoked591.html
======
pimterry
> We think that revoking certificates based on questionable data discredits
> the certification system.

It's hard to dispute this imo. There are many good reasons certificates should
be revoked, but the reasoning should be 100% public information, for both the
vendor and users who may have trusted the original certificate.

I'm building a desktop app, and the process to even get a certificate is
absurd. Each CA has their own wildly different processes, and seemingly
answers to nobody. I changed cert providers recently after Digicert suddenly
raised their prices 400% on a whim, and it took a huge number of changing
requirements, phone calls, 3rd parties, and over a month to receive the new
one, despite already having an existing verified & still-valid signing
certificate with all those details from an equally legitimate provider.

I'd kill to see a modern service a la Let's Encrypt but for code signing.
Something transparent, reliable, fast & trusted cross-platform (I can dream).
Verifying identity is a hard problem, but it's really not _that_ hard a
problem - there's plenty of fintech services that can reliably do sufficient
KYC for banking in 5 minutes with a few id details and video call.

~~~
MadVikingGod
Let's Encrypt's argument for why all the fancy features that CA's offered
boiled down to "These are more complicated ways of proving that you own a
domain". So by automating the verification of ownership of a domain you could
essentially run a CA for pennies per certificate, and give them out for free.

Looking at application development I think a similar thing could be done, but
what would we pin identity to? I don't know if there is one thing that every
app has like a website.

~~~
benlivengood
> Looking at application development I think a similar thing could be done,
> but what would we pin identity to?

How about domain name?

Whenever I install (Windows) software I rarely care about the mailing address
or D.B.A. name; I look at the website address listed.

~~~
gruez
A domain name costs less than a dollar. A DBA or real-life identity costs
significantly more. In addition, if I'm getting my software over the internet
(99.99% of the cases), I'm already verifying the domain name via the browser
(via tls), so it's not adding any additional security. If the server was
hacked, the attacker can mint himself a new certificate and you won't be able
to tell.

~~~
benlivengood
microsoft.com or debian.org would cost a lot more than $1 and I would trust
signed or unsigned software downloaded from either a lot more than from a
random domain name. Code-signing definitely adds the benefit of offline key
management; there is less risk of signing keys being stolen than TLS keys. But
the valuation of trust is rooted in the domain; if Debian has to revoke all
their keys for some reason I'll trust debian.org over any other source for
re-establishing a root of trust unless a significant fraction of the Internet and
mailing lists are crying foul, and even then I would probably wait for control
of debian.org to be settled before trusting any Debian repositories.

I still think that demonstrated control of a domain is sufficient for
verifying a code-signing identity, even automatically like LetsEncrypt does
for TLS.

------
akersten
> another explanation, i.e. that one reason for the revocation is some
> mysterious 570 MB executable file, which had been signed with our
> certificate but looked like a file used by hackers.

Woah, talk about burying the lede? This sentence makes it sound like their
private key was compromised, in which case it makes total sense to revoke the
cert. Unless I'm misunderstanding what they're trying to say here.

~~~
skymt
You are misunderstanding. WinRAR's implication is that the CA is lying about
the 570 MB file because they didn't mention it until WinRAR challenged them on
the VirusTotal justification for revocation, and because they were unable to
provide the file in question or any evidence that it exists.

~~~
londons_explore
Why not at least link to the virustotal listing for said file? Perhaps someone
else has it from the hash?

I doubt the CA would lie about the existence of such a file, although perhaps
they are mistaken about the signature (it could be a case of a 570 MB file
concatenated with a legitimately signed winrar executable - signatures don't
always cover all parts of the file)
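The remark about signature coverage can be made concrete. The script below is an added example, not code from any commenter or from RARLAB or the CA: it computes the Authenticode image digest of a PE file the way the Authenticode PE specification defines it (everything is hashed except the optional header's CheckSum field, the Security data-directory entry, and the attribute certificate table itself) and then reports how many bytes sit inside the certificate table but outside the DER-encoded PKCS#7 structure that is actually verified, plus how many bytes trail the table. The PE image it runs on is constructed in memory by `build_fake_pe`; its certificate table holds a placeholder DER SEQUENCE standing in for real SignedData, so the digest logic is exercised without a real signature. Run against a genuinely signed executable, the `unverified_slack` and `trailing_after_cert` figures are what a responder would look at when a "signed" file is far larger than the vendor's release.

```python
"""Measure how much of a signed PE file the Authenticode digest protects.

Per the Authenticode PE specification the image hash covers the whole file
except three regions: the optional header's CheckSum field, the Security
entry of the data directory, and the attribute certificate table that entry
points at. Bytes appended after the table are hashed. Inside the table only
the DER-encoded PKCS#7 SignedData is verified, so bytes between the end of
that ASN.1 structure and the end of the table are unverified slack.
"""
import hashlib
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def der_sequence_length(blob: bytes) -> int:
    """Total encoded length of the DER SEQUENCE starting at blob[0], or 0 if none."""
    if len(blob) < 2 or blob[0] != 0x30:
        return 0
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        return 0
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def _locate(pe: bytes):
    """Return (checksum_off, secdir_off, cert_off, cert_size) for a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                   # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    checksum_off = opt + 64               # same offset in PE32 and PE32+
    dirs_off = opt + (112 if magic == PE32PLUS_MAGIC else 96)
    secdir_off = dirs_off + SECURITY_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    if cert_off + cert_size > len(pe):
        raise ValueError("certificate table runs past end of file")
    return checksum_off, secdir_off, cert_off, cert_size


def hashed_ranges(pe: bytes):
    """Byte ranges the Authenticode digest covers, in file order."""
    checksum_off, secdir_off, cert_off, cert_size = _locate(pe)
    ranges = [(0, checksum_off), (checksum_off + 4, secdir_off)]
    if cert_size:
        ranges += [(secdir_off + 8, cert_off), (cert_off + cert_size, len(pe))]
    else:
        ranges.append((secdir_off + 8, len(pe)))
    return ranges


def authenticode_digest(pe: bytes) -> str:
    """SHA-256 Authenticode image digest (hex) of a PE image."""
    h = hashlib.sha256()
    for start, end in hashed_ranges(pe):
        h.update(pe[start:end])
    return h.hexdigest()


def authenticode_coverage(pe: bytes) -> dict:
    """Signed vs unsigned byte counts, including slack inside the cert table."""
    _, _, cert_off, cert_size = _locate(pe)
    hashed = sum(end - start for start, end in hashed_ranges(pe))
    # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[]
    der_len = der_sequence_length(pe[cert_off + 8:cert_off + cert_size]) if cert_size else 0
    return {
        "file_size": len(pe),
        "hashed_bytes": hashed,
        "cert_table_bytes": cert_size,
        "signature_der_bytes": der_len,
        "unverified_slack": max(cert_size - 8 - der_len, 0) if cert_size else 0,
        "trailing_after_cert": len(pe) - (cert_off + cert_size) if cert_size else 0,
    }


def build_fake_pe(slack: int = 0, trailing: bytes = b"") -> bytes:
    """Constructed test image: a minimal, non-runnable PE32+ with a fake certificate
    table. A dummy DER SEQUENCE stands in for PKCS#7 SignedData; `slack` bytes are
    appended inside the table and `trailing` bytes after it."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                  # CheckSum (constructed)
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    fake_signed_data = b"\x30\x12\x04\x10" + bytes(range(16))    # SEQUENCE { OCTET STRING }
    table_len = 8 + len(fake_signed_data) + slack
    struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, 512, table_len)
    body = b"\x90" * (512 - 64 - 4 - 20 - 240)                   # filler up to the table
    win_cert = struct.pack("<IHH", table_len, 0x0200, 0x0002) + fake_signed_data + b"A" * slack
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body + win_cert + trailing


if __name__ == "__main__":
    for label, img in (("clean", build_fake_pe()), ("padded", build_fake_pe(slack=570))):
        print(label, authenticode_digest(img)[:16], authenticode_coverage(img))
```

Running it shows the two constructed images sharing one Authenticode digest even though the padded one is 570 bytes larger, because every extra byte lives inside the skipped certificate table; appending the same bytes after the table changes the digest instead. On a real file, a large `unverified_slack` means the signature verifies but says nothing about that data.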

~~~
tgsovlerkhgsel
It seems unlikely it's on VT:

1. VT has an upload limit of 128 MB. (Maybe the private API allows more, not
sure.)

2. VT allows sample download if you have a VT Intelligence account - so if
this was a file shared with VT, the CA should be able to provide the file.

------
cm2187
I would have incremented the version number so the likes of Chocolatey would
pick it up and replace the version installed with a revoked certificate as
part of a regular update.

~~~
toast0
I agree; the .exe is different (because the signature/certificate is
embedded), so it should be a different version number.

------
xacky
With both Windows and MacOS both putting scary warnings and hard to bypass
blocking methods on improperly signed software this could eventually lead to
developers being ransomed, “pay us big money or we will revoke your
certificate”. This is not the only incident like this.

~~~
gruez
>this could eventually lead to developers being ransomed, “pay us big money or
we will revoke your certificate”

by whom? the platform makers (apple/microsoft) or malicious third parties?

~~~
izacus
Both. We've seen third parties do this on Windows and Apple themselves use
this to punish developers who dared criticize them.

~~~
Karunamon
Where and when did Microsoft or Apple yank someone's developer cert for the
sole reason of criticism? An accusation that serious needs to be
substantiated.

------
ikeboy
Not a lawyer but I suspect there's a viable tortious interference claim.
Revocation is effectively telling your customers that your product is unsafe,
if done without cause it could be actionable.

~~~
gruez
>Revocation is effectively telling your customers that your product is unsafe

...or that the certificate was no longer in compliance with their Certificate
Practice Statement. It looks like their CPS gives them a great deal of leeway
here. [https://sectigo.com/uploads/files/Sectigo-CPS-v5.2.pdf#page=...](https://sectigo.com/uploads/files/Sectigo-CPS-v5.2.pdf#page=50)

~~~
ikeboy
The main clauses either require a reasonable belief, which is a factual
question that could easily go against the CA, or says they need to be
"identified" as publishers of malicious software, without specifying how. An
antivirus site that has many false positives likely wouldn't qualify.

------
gruez
The CA in question is CN = Sectigo RSA Code Signing CA

~~~
garaetjjte
...previously known as Comodo. Was their reputation so bad that they had to
rebrand?

[https://sectigo.com/resource-library/comodo-ca-is-now-sectig...](https://sectigo.com/resource-library/comodo-ca-is-now-sectigo)

~~~
sedatk
Yes they've been pretty much terrible.
[https://www.techdirt.com/articles/20160623/17483934805/super...](https://www.techdirt.com/articles/20160623/17483934805/super-slimey-comodo-tries-to-trademark-lets-encrypt-updated.shtml)

~~~
dependenttypes
They also used to have fake reviews in their website.

------
breakfastduck
I know the authorities need to err on the side of caution, but it's quite
astonishing to me that someone at the authority didn't just say 'It's
WinRAR...' and let it slide.

It's got to be one of the most well known tools in the entire windows
ecosystem.

~~~
LorenPechtel
If it were just the file not being clean on Virustotal I would fully agree.
Heuristic detection will result in false positives. However, if they had an
actual example of malware signed by that key that would indicate a compromise
and that would justify pulling it. The absence of the offending file is
suspicious, though.

~~~
luckylion
If they had an example, they would've never deleted it though. I mean, that
part is so unprofessional, it's rude to believe they are that incompetent; the
polite explanation is that they lied about it.

------
cosmotic
The winrar trial has ads in it that try to load activex controls using
embedded IE webview; an obvious security concern. I reported it and they
suggested I enable activex.

------
MarekKnapek
At my previous job we released updates to our Windows desktop application
about 3-4 times per year. We had about 20'000 customers (but many of them not
installing updates). We checked the final build of our product on Virus Total
before release and e-mailed the various anti-virus companies about the false
positives. Thankfully, I wasn't the guy doing this work.

~~~
pilif
Unfortunately that doesn’t really help. We update an application about once a
year but we get false positive alerts even months after AV programs have
previously not complained about a binary.

What’s worse is that not all AV vendors on Virus Total have an easy way to
submit a false positive report and of those that do, the majority believes
getting a false positive report to be an opt-in into their marketing mailing
lists.

I absolutely hate my roughly quarterly task of going from the name of an AV
engine on Virus Total which suddenly decided that our binary, which hasn't
changed in months, must be infected, to finding the actual
submit-a-false-positive page, to then writing the report and then unsubscribing
from the mailing list I inevitably end up on.

~~~
account42
How is what these virus companies are doing not defamation? Are there any
legal options you have when this happens to you?

And VirusTotal bears a large responsibility for this too - not only do they
not make it easy to find contacts for the various anti virus engines as you
have pointed out (while disavowing themselves of any responsibility), they
will highlight a "Generic" AI bullshit detection from some random company in
the same way as verified malware.

------
batch12
Weird. Though there would be value in working with the vendors backing VT to
get this fixed as this is just one of the issues with a false positive.
Another is that users who use these products are probably alerted or otherwise
prevented from using WinRAR too.

VT has it as malicious with the new hash too [1].

Antiy-AVL calls it Win32.Shelma. Only good definition that seems to match that
detection is from Kaspersky [2] stating that the 64 bit version is detected as
using metasploit [3] components.

[1]
[https://www.virustotal.com/gui/file/21dd688a5371f5b0d297a307...](https://www.virustotal.com/gui/file/21dd688a5371f5b0d297a307fc6f04295f9303bc6864779bde88d5f6ae9f9112/detection)

[2]
[https://threats.kaspersky.com/en/threat/Trojan.Win64.Shelma/](https://threats.kaspersky.com/en/threat/Trojan.Win64.Shelma/)

[3] [https://www.metasploit.com/](https://www.metasploit.com/)

edited: formatting

------
Santosh83
It is particularly ironic that so many people in this thread are recommending
7-zip in response to a cert problem with WinRAR when 7-zip has no code signing
at all and presents the scary yellow "unknown software" screen when you try to
install it.

~~~
GuB-42
I didn't even realize that the "scary" yellow prompt was related to code
signing. For me it was just what happens when you run an executable from the
internet.

Does anyone pay attention to this? There is a lot of legitimate software you
can't install without clicking through. 7-zip is just one of them.

~~~
stefan_
Just code signing your application isn't enough, it needs to get enough
reputation from enough Windows spyware bots reporting they installed your
program:

[https://www.digicert.com/blog/ms-smartscreen-application-rep...](https://www.digicert.com/blog/ms-smartscreen-application-reputation/#:~:text=Application%20reputation%20is%20a%20method,is%20downloaded%20from%20the%20Internet).

------
monoideism
They should really name the CA. It's quite common for 1 of the 60 tests on
virustotal.com to turn up a false positive.

~~~
RachelF
It is a huge hassle in PC software development.

Even if you sign your exe and build package, you have a 50% chance of being
detected as a virus by some "heuristic" AV engine (looking at you, Norton and
Kaspersky).

Basically, the heuristic is anything new = suspicious.

------
Jerry2
Anyone know which CA did this? I'd like to add it to my list of 'entities to
avoid doing business with'.

~~~
ifmpx
Can you share that list? We need a ublock origin for shitty companies.

------
tgsovlerkhgsel
The post has now been removed from the web site. Archive.org has a copy:
[https://web.archive.org/web/20200826113615/https://www.rarla...](https://web.archive.org/web/20200826113615/https://www.rarlab.com/revoked591.html)

Unfortunately, I can't find any update/conclusion.

However, I did find
[https://sectigo.com/resource-library/the-what-when-and-why-o...](https://sectigo.com/resource-library/the-what-when-and-why-of-revoking-certificate-signed-malware),
where Sectigo (the CA that presumably revoked the certificate, formerly also
known as Comodo) mentions a previous incident, confirms that they didn't notify
the certificate owner in that incident, and promises to "review" their
practices. Given that RARLAB wrote "We had not received any notification,
neither before nor after the revocation", I suspect Sectigo didn't improve.

------
Causality1
I wish Winrar licensing worked differently. If I could buy a license and get a
permanent key to save to my email or a text file I'd gladly spend the $20, but
buying a separate license for every computer is just too much mental labor to
keep up with when it works fine for free.

------
_jal
Who was the CA with whom they had this difference of opinion?

~~~
sedatk
[https://news.ycombinator.com/item?id=24284425](https://news.ycombinator.com/item?id=24284425)

~~~
_jal
Thank you.

------
black3r
Do people still use WinRar? :O

~~~
Arnavion
Yes. People who don't know any better alternatives continue to use it, and
continue to recommend it to other people. So the cycle continues.

Heck, WinZip still makes new releases so I'm sure people still use that too.

~~~
AlexandrB
> People who don't know any better alternatives continue to use it

Genuine question: what are the better alternatives?

~~~
theandrewbailey
Peazip: [https://peazip.github.io/](https://peazip.github.io/)

I used to use 7zip, but switched when I discovered that Peazip doesn't extract
to a temporary directory when extracting (thus, saving extra I/O work). It
directly extracts into the target directory.

~~~
WayToDoor
Is a file move that big of an IO operation?

~~~
vore
I run into the issue sometimes cross-volume, where the file gets extracted
into a temporary directory then has to be copied to the actual destination,
into e.g. a network volume or second hard disk.

