How Many Will Be Affected By The EdgeSight Timebomb?
|
by Nicholas Dille on 03/12/2010 | 4 Comments | 4,309 Views
|
I hope it is commonly known by now that EdgeSight 5.0 and 5.1 will stop working on 25th of March 2010. That's merely two weeks away! In my opinion, the warning Citrix has published does not suffice for an issue of such effect.
Code Signing is Important
In the last years, the signing the executables and libraries in a product has become common practice. This process protects the product from unauthorized tampering as any changes to a signed file can be detected by the signature becoming invalid. Consequently, code signing is an important protection against malware.
But the certificate protecting the signed code has a limited lifetime. As soon as the corresponding certificate expires, the signature cannot be considered to be valid as the vendor lost the credibility represented by the certificate. Usually, a vendor obtains a new certificate with a new lifetime and renews the signatures on the affected binaries. This is implemented by providing a hotfix of some kind for the product.
The Issue at Hand
EdgeSight 5.0 and 5.1 are currently suffering from the case described above - the certificate used for signing the code expires on the 25th of March 2010 (see this support article). Therefore, customers are forced to update to the latest versions (5.1.1 or 5.2.x). Unfortunately, this situation is hardly common knowledge so that I expect many angry calls to be logged with Citrix Support at the end of this month.
The Real Issue and my Plea
In my opinion, Citrix can hardly be blamed for the lifetime of a certificate - that's just how they work. But I would have expected a proactive warning for customers. The articles in the Citrix knowledge base are of a rather informational nature and a warning can easily be overlooked. Especially, when the title (EdgeSight 5.0 and 5.1 Error: The archive is not appropriately signed) does not clearly state the effect of this message.
If a components suddenly stops functioning, direct communication is necessary. Publishing an article in the knowledge base does not suffice because many customers do not pay attention to these pages. And even if they did, the title needs to be descriptive in order to grasp the importance.
Side Note
Citrix offers a product lifecycle information which lists EdgeSight 5.0 and 5.1 to reach end of life on the 25th of March 2010.
- ‹ previous
- 70 of 106
- next ›
+++ Your opportunity +++ Use Profile Migrator 2, the new sepago product that makes migrating user personalities between different platforms a breeze.! Download your free version now!
4 responses for "How Many Will Be Affected By The EdgeSight Timebomb?" |
Add Comment
Recent Articles
About the author
  |
Nicholas Dille Head of Technology and Innovation Blogs about Centralized computing, virtualization and performance monitoring |
Most viewed
| 18,538 Views |
Who Needs Aero Glass Remoting? Although It's Cool! |
| 15,794 Views |
Emulating a Redirecting Load Balancer for WI and PNA |
| 14,348 Views |
Building Custom EdgeSight Reports Part 4 - The Wedding |
I don't know much about the
I don't know much about the exact type of certificates used in this code signing, but generally speaking, certificates can be made to not expire at all.
Second, even if a certificate's lifetime expires, the signature on the signed code can still be verified - again speaking theoretically. That's why web browsers usually let you view SSL-protected websites even if the certificate expired, but you tend to have to confirm that that is what you want.
I'm not entirely sure how exactly they signed their code, but just knowing that there was an expired certificate involved makes it look to me as if things could easily have been designed with more usability in mind.
Jens, unfortunately, X.501
Jens,
unfortunately, X.501 certificates must contain a lifetime. When the CSR (certificate signing request) is processed by the CA, it automatically adds a lifetime although it may be valid for several years.
In my opinion, browsers are broken by design if they permit users to visit SSL-protected sites because John Doe does not have a clue what a certificate warning means. Therefore, he will decide to visit the site anyway. Only IT pros know how to decide whether the warning is a false-positive.
You are correct that a signature remains valid (as it does not have a lifetime) after the corresponding certificate has expired. But most systems prevent a certificate to be used for validating a signature after it has expired. I think it is highly questionable to validate a signature with an expired certificate. The CA has assigned a life time for a reason: the certificate subject is required to renew the certificate and assure that the identity is still valid. Apart from the fact that it is the CA's business to have customers pay for renewals ;-)
I fear the design is valid but the vendor's (Citrix') reaction was inadequate.
Read you around ;-)
Nic
As soon as the corresponding
As soon as the corresponding certificate expires, the signature cannot be considered to be valid as the vendor lost the credibility represented by the certificate. Usually, a vendor obtains a new certificate with a new lifetime and renews the signatures on the affected binaries. This is implemented by providing a hotfix of some kind for the product
Code Signing is Important.
Code Signing is Important. Totally agree.