Security Now 1065: Attestation
Podcast: All TWiT.tv Shows (Audio)
Episode: Security Now 1065
Date: February 18, 2026
Host: Leo Laporte
Guest: Steve Gibson
Overview
This episode’s central theme is attestation, especially as it relates to upcoming, industry-wide changes in how identity and authority are proven in digital certificate issuance—affecting both TLS and code signing certificates. Steve Gibson shares first-hand experience navigating these regulatory changes, providing listeners with a look into the burdensome state of code signing, why it’s necessary, and the industry’s attempts to stem malicious abuse. The show also covers major developments and concerns in browser extension privacy, Chrome’s new device-bound session credentials, tech sector security culture shifts, and a host of current cybersecurity news items.
Key Discussion Points & Insights
1. Password Manager Security Research (00:46–07:55)
- Recent paper from ETH Zurich and Italian researchers reviewed server-side (cloud) vulnerabilities in leading password managers: LastPass, Bitwarden, Dashlane.
- Despite initial concern, Steve reassures listeners there’s “no hair on fire”:
“...these were like worst case, if a bad guy completely took over your server infrastructure, what could be learned?” (05:37)
- Findings:
- Real vulnerabilities, but they require significant attacker access.
- Bitwarden benefited from being open source:
“...the job of the security researchers was far more enabled because...they’re wide open.” (04:18)
- Some vendors (like Dashlane) lagged in updating cryptographic standards for backward compatibility—potentially risky.
- Full deep dive coming next week.
2. Chrome 145 & Device Bound Session Credentials (44:07–51:12)
- Chrome 145 released – major security update.
- Headline feature: Device Bound Session Credentials
- Binds session tokens/cookies to the hardware device, so even if cookies are stolen, they're useless elsewhere.
- Requires a Secure Enclave/TPM (now standard in modern devices).
- Significant step in securing web authentication, especially against session hijacking and enterprise interception.
- Implementation also requires major changes on the web server side.
- Already (or soon) available in Firefox and Safari.
- Steve flagged their earlier [April 2025 episode, #1021] for technical details.
Quote:
“This innovation arranges to, for the first time ever, prevent anyone who might somehow arrange to obtain a session cookie from being able to use it themselves anywhere else. That’s huge.” (44:54 - Steve Gibson)
3. Security News Roundup
a. Microsoft’s Changing Security Posture (28:02–39:05)
- Commentary on Microsoft’s downswing in security focus:
- Key exec (Charlie Bell) replaced with a more sales/marketing-focused role.
- Security only prioritized under government/regulatory pressure.
- Shift now toward selling security products, not making products secure.
- Steve’s reflection:
“We always need all of the security we can possibly get...any sign of Microsoft slacking off whatsoever on the security front should be taken very seriously.” (38:18)
b. WinRAR Vulnerability Exploitation (61:51–67:52)
- Google’s Threat Intelligence reports widespread, in-the-wild exploitation of a major WinRAR bug (pre-7.13).
- 80%+ environments still run vulnerable versions.
- Urgent: Update WinRAR to 7.13 or later.
- Quote:
“I was still using 7.12 which contained the vulnerability...I decided that given that the threat has moved as it was from theoretical to now real and live, I ought to remind all WinRAR users...” (61:51)
c. Chrome Extension Privacy Breaches
- 30 fake AI extensions discovered (affecting about 260,000 users) acting as surveillance platforms, tunneling private browser data to remote infrastructure.
- 287 extensions (~37.4 million users) caught secretly exfiltrating browsing history to data brokers—about 1% of Chrome’s user base.
- Browser extension security model is badly broken; users should only install from well-established, trusted names.
“Extensions that delegate core functionality to remote mutable infrastructure should be treated...as potential surveillance platforms.” (76:03 - LayerX research via Steve)
d. Paragon’s Graphite Spyware Capabilities (72:08–73:53)
- Photos from a demo day exposed Graphite’s full control over instant messaging apps.
- The real threat is at the device level, allowing spyware to exfiltrate decrypted content from the user’s screen.
e. Malicious Outlook Add-in & Domain Recovery Attacks (88:48–97:26)
- First known malicious MS Outlook Add-in discovered: attacker claimed a defunct developer’s URL, enabling phishing attacks via a previously trusted, abandoned add-in.
- Highlights a widespread platform risk regarding abandoned domains/URLs within trusted code and extensions.
4. Web Infrastructure & Modern Websites (16:22–28:00)
- Super Bowl ad for AI.com led to backend failure: bottleneck was server CPU, not network bandwidth.
- Modern dynamic websites (CMS-based) are processor-intensive; system choice and caching strategies matter for resilience.
- Example: Linux Mint and Patrick Delahanty both faced server overload due to bot/AI crawler spikes.
5. Age Restrictions & Attestation on Social Platforms (51:24–61:14)
- Increasing global trend to ban underage users from social media—laws tightening, often without parental override.
- Discord’s new policy to verify users’ age for access to adult content: most will not need to submit IDs, but it raises concerns about data retention and third-party trust in verification services.
6. Editorial: Code Generation and AI "Vibe Coding" (100:28–109:33)
- Steve on AI coding assistants:
- Useful for small tasks, but “vibe coding” risks subtle, undetected errors in larger projects.
- Emphasized importance of formal unit testing, code comprehension, and caution about black-box code generation.
- “The most unnerving aspect of Vibe coding...is the idea that a bunch of code has been cast, which may do what I want and expect, but it also may not.” (101:10 - Steve Gibson)
Main Feature: Attestation and Code Signing in 2026 (114:03–154:47)
Background
- Starting February 24, 2026, maximum lifetime for TLS certificates drops significantly (397→199 days).
- For code signing certificates, max duration also dropping from 3 years to 1 year.
- Validation requirements have dramatically increased, including annual re-attestation for OV (Organization Validation) certificates.
Steve’s Personal Experience
- Recounts process of renewing GRC’s certificates (TLS and code signing), aiming to get longest possible validity before new rules.
- Discovers for code signing certificates:
- Now requires a formal attestation letter from a licensed attorney or CPA, verifying the company (and, for new corps, the actual individual).
- The process is bureaucratic, involving in-person credential checks, notarized documents, and confirmation calls.
- Cost inflation: staying with DigiCert would have meant a steep price increase. Steve found that IdenTrust offered a cheaper 3-year certificate, and he walked through his entire step-by-step experience with them, including coordinating with his CPA for the attestation letter.
The Reason for All This
- Rise in malware and supply chain attacks; bad actors spoof organizations to get legitimate code signing certs.
- Higher attestation is now required—placing reputations of lawyers or accountants on the line “anchors” the system.
- Attestation slows down and increases the cost/barriers, presumably to frustrate fraudsters.
Quote:
“The blockade...has created huge pressure to spoof corporate identities...Fraudulent code signing certificates are a real problem. This explains why today it's the reputation of the signing certificate that matters, not just its existence.” (146:35 – Steve Gibson)
Critique
- Steve laments that the system, while necessary, is inconvenient and ripe for profiteering by CAs.
- DigiCert and others are making it increasingly costly for legitimate developers.
- For individual developers: process is even harder, requiring in-person credentialing and documentation.
Memorable Moment:
“I’m somewhat surprised that I was accepted by IdenTrust without first agreeing to a full body cavity search. Although I’m pretty sure that I would need a new CPA if that happened.” (144:26 – Steve Gibson)
Notable Quotes & Memorable Moments
- On Password Managers:
“No one needs to like, fear that this means...they have to go back to a paper pad...” (07:29 – Steve Gibson)
- On Chrome's Device Bound Credentials:
“It’s not your grandparents’ cookies. It’s a whole different technology to pull this off.” (50:50 – Steve Gibson)
- On Microsoft's Security Culture:
“Microsoft's devil-may-care approach to security...came back to bite it.” (35:32 – Seriously Risky Business Editorial, via Steve)
- On Authentication & The Future:
“Authentication is so hard. Maybe, you know, Sam Altman’s got the right idea with the orb, the Iris. Iris scanning orb...This is going to be an issue in the new world. How do you prove you are who you say you are?” (153:12 – Leo Laporte)
Timestamps for Important Segments
- Password Manager Security Study: 02:18–07:56
- Microsoft’s Security Posture: 28:00–39:05
- Chrome 145 Device-Bound Credentials: 44:07–51:12
- Extension Privacy Breaches: 72:08–88:48
- Malicious Outlook Add-in / Domain Recovery: 88:48–97:26
- AI Coding & Vibe Coding: 100:28–109:33
- Attestation, Code Signing, & Industry Changes: 114:03–154:47
Resources & Further Reading
- [ETH Zurich Password Manager Paper (Discussed Next Week)]
- Baseline Requirements for the Issuance and Management of Publicly Trusted Code Signing Certificates
- [April 2025 Security Now Episode (#1021): Device Bound Credentials Explained]
Language & Tone
The discussion is technical yet conversational, often wry and skeptical (“body cavity search” as a joke for bureaucratic excess), with a strong emphasis on practitioner experience and pragmatic risk. Steve is unsparing in his critique of industry inertia and profiteering, while also expressing respect for the technical necessity of these burdens.
Summary
This episode offers real-world insights into the state of attestation as it becomes the new normal in digital identity and certificate verification—demonstrating both the necessity for these measures in a threat-driven environment, and criticizing their burden and growing cost for legitimate software authors. Listeners are warned of rapidly approaching deadlines for renewals, given guidance on Chrome’s new security technology, and advised on maintaining caution with browser extensions and software supply chains. The episode is a must-listen for developers, system admins, and anyone with a stake in software trust chains.