Years ago, signing code with a digital signature and certificates was an ironclad way to insure confidence in software and websites. It instilled trust that code and internet properties were legitimately from the stated provider. Over time it has earned respect to become a foundational aspect when evaluating the security risks of installing software, updates, and traversing the web. That time of trust may be slipping away. Signing, when done correctly, is still a very good security measure, but it no longer holds the mystique of invulnerability. In fact, digital signatures and certificates are under serious attack.
Certificates can be stolen, spoofed, and hijacked. It is not easy, but as the graph shows below, it is not impossible either. The total number of maliciously signed code has skyrocketed since 2011. According to McAfee's Q1 2012 Threat Report "This quarter more than 200,000 new and unique malware binaries have been found with valid digital signatures". McAfee speculated correctly in their 2012 threat prediction, painting the picture that attackers would abuse the trust associated with certificates, to the detriment of their intended targets. Now the data is in and proving their deductive prowess.
Source: McAfee Threat Report Q1 2012
In 2011 alone, a number of certificate authorities revealed digital certificates were fraudulently obtained. In one case a root certificate authority filed for bankruptcy after over 500 certificates were compromised, affecting sites such as Facebook, Microsoft, Skype, Twitter, and WordPress. Maliciously appropriated certificates have tremendous value and can be sold on the black market. They can end up in the wrong hands and have widespread affects. Infamous malware Stuxnet, Duqu, and Flame all used these techniques to propagate.
We must not forget security technology is time-limited. All controls can and will eventually be undermined. Digital signatures and certificates must adapt and get stronger or suffer the fate of withering and ultimately be replaced by the next generation of controls.
McAfee 2012 Threat Predictions report http://www.mcafee.com/us/resources/reports/rp-threat-predictions-2012.pdf
McAfee Threats Report: First Quarter 2012 http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2012.pdf
Security Predictions for 2012 and Beyond http://communities.intel.com/community/openportit/blog/2011/12/29/security-predictions-for-2012-and-beyond