Security Now 1060: "3-Day Certificates – The Rise of AI Programming"
Date: January 14, 2026
Hosts: Steve Gibson & Leo Laporte
Podcast: Security Now (TWiT Network)
Episode Overview
This episode dives into the fast-evolving landscape of code signing (including the controversy over ultra-short "3-day certificates"), the surging costs and complexity for developers, a look at new state privacy legislation, and the revolutionary impact AI coding assistants—especially Claude Code—are having on programming. The hosts share personal stories ranging from recent phishing attacks to hands-on AI demos, discuss listener feedback, and provide detailed insights for both security pros and the broader tech community.
Key Discussion Points & Insights
1. Personal Phishing Lessons ([01:17] – [07:49])
- Steve recounts being successfully phished early in the morning by a fake T-Mobile offer, costing him the hassle of canceling multiple credit cards.
- The phishing scam was sophisticated, mimicking real T-Mobile promotional texts.
- The attackers requested credit card details under the guise of paying $0.99 shipping and proceeded to quickly use the info for fraudulent purchases.
Steve [04:21]: "Before I went, wait a minute, hold on there, buddy. ... Fortunately, the first credit card was an Apple credit card, which Apple... it's done. The other two, I had to say to the bank, I need a new credit card."
Leo [06:41]: "I’m tempted to never tell anybody this happened, but on this show especially, I think it’s important to say this because we’re all vulnerable."
- Takeaway: Even security experts are susceptible when distracted; legitimate businesses that send promotional texts train users to trust exactly the kind of message phishers imitate.
2. Listener Feedback Shows Huge Interest in Code Signing ([07:49] – [15:35])
- Following a previous deep dive on code signing, enterprises and developers bombarded the show with questions and concerns about new certificate requirements, especially the move to short-lived certs and substantial price hikes.
- Code signing, once a simple process, has grown increasingly complex and expensive, and is now effectively mandatory for many distribution platforms.
3. The Real-World Pain of Microsoft's Azure Trusted Signing – Blog Review ([15:35] – [36:21])
- Steve reads and discusses at length a blog post by Rick Strahl, who details the arduous process of setting up Microsoft’s Azure Code Signing with 3-day certificates.
- Certificates are now only valid for short periods (as little as 3 days), rotating to limit exposure if compromised.
- Tools, documentation, and setup in Azure are complex—even for experienced technologists.
- Microsoft’s pricing is lower than most traditional SSL providers: e.g., $9.99/month for 5,000 signatures.
- Despite frustrations, “it works, warts and all,” but there’s a clear sense the process is driven by gatekeeping and revenue, not pure security.
Rick Strahl (cited by Steve) [34:41]: "At the end of the day, the process works, warts and all. Microsoft's comparatively lower pricing... maybe makes it worth it."
Notable Quote from Reader Feedback:
"Now we deal with artificial gatekeeping, auditing, roadblocks, deprecations for seemingly no productive reason. What happened to the joy of being excited that it all worked? ... get off my lawn."
- Steve's Pro Tip: If you still can, get a multi-year certificate (up to 39 months) from discount providers like FastSSL before stricter requirements kick in (~[36:21]).
4. Modern Code Signing: Broken Promises and Crushed Developers ([39:20] – [41:38])
- Discussion on how security controls like code signing, intended to prevent malware, are easily subverted as attackers get their own certificates—even state-sponsored actors.
- The "last 5%" of protection brings crushing bureaucracy and overhead for legitimate users.
Leo [40:15]: "Trying to fix the last 5% is creating 95% overhead."
Steve [41:38]: "Sometimes you end up being your own worst enemy... You're gonna fail. Even goodware has bugs."
5. California's New Data Broker Law: Global Data Deletion Platform "DROP" ([44:41] – [70:47])
- California’s DROP (Delete, Request and Opt-Out Platform):
- Allows residents to request ALL registered data brokers delete their info via a single form.
- Requires detailed ID verification and submission of personal details, which is necessary for matching records but counterintuitive for a tool meant to reduce one's data footprint.
- Rollout and enforcement begins in August 2026; users will be able to track deletion status across all brokers (~[64:11]).
- Only about 1% of Californians had used the prior, more laborious “one-by-one” process.
Leo [53:07]: “It explains that everything I provide will be forwarded to data brokers and the more I provide, the better job they’ll do of scrubbing me from their systems.”
Steve [64:15]: "Once this happens, the ring chart has categories... I'll be very interested in seeing both the deleted and the record not found counts."
- Caveat:
- Slight skepticism remains, as platitudes abound and moneyed interests may blunt the law's impact. Only CA residents benefit for now.
6. AI Hallucinations and the Idaho "What a Bod" Fiasco ([76:47] – [77:22])
- AI botched a National Weather Service map, inventing two Idaho towns: "Orange O Tilled" and "What a Bod".
- Quick meme fodder, and a cautionary tale about the perils of letting AI-generated content go unchecked.
Leo [77:12]: "'Orange O Tilled and what a bod.' The wind weather forecast map... depicted those non-existent towns."
7. Email Client Misadventures – iOS Bug, eM Client Triumph ([77:33] – [88:44])
- Steve detailed a months-long debugging saga where his home-brew email server kept crashing due to buggy IMAP behavior by iOS devices. Switching to the free eM Client app for iOS solved it, and eM Client also offers a seamless setup with QR code cloning.
- Quick tip: The free eM Client app is now Steve’s favorite for both desktop and mobile.
Steve [87:25]: "Whether or not you are running eM Client on your desktop, the 100% free eM Client for iOS or Android is truly lovely."
8. The Rise of AI Programming: Claude Code Demo & Tutorial ([92:01] – [114:34])
a. The AI Coding Revolution – Steve & Leo's Experiences
- The hosts agree: the AI coding assistants have hit a transformative inflection point.
- Claude Code (Anthropic) is currently outshining the field: free tier, $20 paid plan (suits almost everyone), large context windows (memory), and straightforward, effective coding help.
- For example, Leo and listeners like Al Liebel have used Claude to build entire applications, debug, and orchestrate multi-platform projects, with Claude handling everything from syntax to GitHub Actions, cross-platform binaries, and even responding to feature requests—instantly.
Leo [103:13]: "I just added a massive feature that I could never have added in five minutes... I have a terminal-based RSS reader that does exactly what I want—and Claude Code wrote it."
Steve [103:50]: "It's really an accelerant... It allows an expert to just run much more quickly."
b. Beginner and Non-Coder Entry Points
- Steve highlights "Build with Andrew"—a free 30-minute course (created by DeepLearning.ai’s Andrew Ng) designed to help non-coders get started building apps with AI coding assistants.
- Shortcut: grc.sc/andrew
- Other low-code/no-code AI tooling from Google (like Opal for Gemini) also gets a mention.
c. Meta Insight: The Future of Software Is “Personal-Scale”
- AI will take over boilerplate code; humans become architects or specialty refiners.
- Everyone, even non-experts, will soon have the tools to create custom software to fit their needs—fulfilling the dream of truly user-directed computing.
Leo [139:12]: "The brilliance of Bricklin’s spreadsheet was that it was a programming language... Now imagine, with AI, everyone can build their own custom tools."
9. Listener Feedback – Code Signing Woes & The CA Cartel ([115:16] – [139:07])
- Many listeners wrote in about insane new costs, cloud lock-in, and per-signature fees for code signing certs. IT policies and licensing models often further complicate using hardware keys or cloud-based solutions.
- One listener reports their company pays $264 per 1,000 signatures, must buy in advance, and gets no refunds.
Listener TJ Asher [115:16]: "The Certificate authority group has the entire software industry over a barrel and there is nothing we can do about it."
- Newcomers can break into the cert authority space, as Let’s Encrypt proved using bootstrapped trust, but it’s a years-long effort.
10. What’s Really Up With “3-Day Certificates”?—How Short-Lived Certs and Timestamps Work ([141:08] – [158:44])
a. TLS vs Code Signing Certificates
- TLS Certs: Used in real-time, must be valid at the time of connection.
- Code Signing Certs: Only need to be valid at the time of signing, not afterward.
b. The Key: The Timestamp Authority (TSA) Process
- After code is signed, the signature is countersigned by a trusted third party (the timestamp authority), creating an immutable record of when the signing took place.
- That means a short-lived code signing cert (even 3 days) can be used safely, as long as the signed code carries a timestamp proving the signature was made while the cert was valid.
- The end result: users and systems can always establish who signed the code and when, with immutable proof, even decades later and long after the certificate itself has expired.
Steve [146:42]: “The only requirement is that the certificate is valid at the time of its use. ... For code signing, that means at the moment the code is signed.”
- The recent Logitech debacle (expired Mac certificate broke their software) may have resulted from skipped timestamping or internal certificate mismanagement.
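The validity rule Steve describes (certificate must be valid at signing time, with the TSA token as the evidence of that time) is easy to get wrong, so here is an added example that models it; this is illustrative code written for these notes, not anything from the show, from Microsoft, or from any real signing tool. Everything is constructed: HMAC stands in for the publisher's signature and for the TSA's countersignature, the certificate is a plain dataclass rather than X.509, and the timestamp token is a dict field rather than an RFC 3161 structure. What the model does preserve is the decision logic: a timestamped signature is checked against the certificate's validity window at the TSA-asserted time, while an untimestamped one can only be checked against the verifier's clock, which is the failure mode the Logitech anecdote points at.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
import hashlib
import hmac

UTC = timezone.utc

# Constructed key: stands in for the timestamp authority's signing key.
TSA_KEY = b"constructed-timestamp-authority-key"


@dataclass(frozen=True)
class Cert:
    """Toy code-signing certificate (constructed; not X.509)."""
    subject: str
    not_before: datetime
    not_after: datetime
    key: bytes  # stand-in for the publisher's key pair (constructed)

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


@dataclass(frozen=True)
class Signature:
    cert: Cert
    mac: str                              # signature value over the file digest
    tsa_time: Optional[datetime] = None   # time asserted by the TSA, if stamped
    tsa_proof: Optional[str] = None       # TSA's binding of mac to tsa_time


def sign(cert: Cert, data: bytes) -> Signature:
    """Publisher step: sign the SHA-256 digest of the artifact."""
    digest = hashlib.sha256(data).hexdigest()
    return Signature(cert, hmac.new(cert.key, digest.encode(), "sha256").hexdigest())


def timestamp(sig: Signature, tsa_clock: datetime) -> Signature:
    """TSA step: countersign the signature value together with the TSA's clock."""
    msg = f"{sig.mac}|{tsa_clock.isoformat()}".encode()
    proof = hmac.new(TSA_KEY, msg, "sha256").hexdigest()
    return Signature(sig.cert, sig.mac, tsa_clock, proof)


def verify(sig: Signature, data: bytes, now: datetime) -> Tuple[bool, str]:
    """Return (ok, reason). The cert must have been valid when the code was
    signed; a genuine TSA token is the only trustworthy evidence of that time."""
    digest = hashlib.sha256(data).hexdigest()
    expected = hmac.new(sig.cert.key, digest.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig.mac):
        return False, "signature does not match file contents"
    if sig.tsa_time is None:
        # No timestamp: the verifier has no signing time, so it can only
        # check the certificate against its own clock.
        if sig.cert.valid_at(now):
            return True, "valid (no timestamp; relies on certificate still being valid)"
        return False, "certificate expired and signature carries no timestamp"
    msg = f"{sig.mac}|{sig.tsa_time.isoformat()}".encode()
    proof = hmac.new(TSA_KEY, msg, "sha256").hexdigest()
    if sig.tsa_proof is None or not hmac.compare_digest(proof, sig.tsa_proof):
        return False, "timestamp token is forged or altered"
    if sig.cert.valid_at(sig.tsa_time):
        return True, f"valid: certificate covered the timestamped signing time {sig.tsa_time.date()}"
    return False, "certificate was not valid at the timestamped signing time"


def scenario() -> dict:
    """Walk through a 3-day certificate checked 200 days after it expired."""
    start = datetime(2026, 1, 10, tzinfo=UTC)
    cert = Cert("Example Publisher (constructed)", start,
                start + timedelta(days=3), b"constructed-publisher-key")
    installer = b"constructed installer bytes v1.0"   # constructed artifact
    signed_at = start + timedelta(days=1)             # inside the 3-day window
    much_later = start + timedelta(days=200)          # verifier's clock today

    plain = sign(cert, installer)                     # publisher skipped the TSA
    stamped = timestamp(plain, signed_at)             # publisher used the TSA
    late = timestamp(sign(cert, installer), start + timedelta(days=10))
    moved = Signature(cert, stamped.mac, signed_at - timedelta(days=5), stamped.tsa_proof)

    return {
        "no_timestamp": verify(plain, installer, much_later),
        "timestamped": verify(stamped, installer, much_later),
        "tampered": verify(stamped, installer + b"x", much_later),
        "late_stamp": verify(late, installer, much_later),
        "altered_timestamp": verify(moved, installer, much_later),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenario().items():
        print(f"{name:18} {'OK ' if ok else 'FAIL'} {reason}")
```

The interesting rows are the first two: the same certificate and the same file, checked on the same day, verify only when the signature carries the TSA countersignature. The remaining rows show why the token has to be bound to the signature value rather than stored beside it: a stamp obtained after the window closes, or a stamp whose asserted time has been edited, both fail.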
Notable Quotes & Moments
- Steve [04:21]: On getting phished: "Before I went, wait a minute, hold on there, buddy."
- Rick Strahl, via Steve [34:41]: "The process works, warts and all. Microsoft's lower pricing maybe makes it worth it."
- Leo [40:15]: “Trying to fix the last 5% is creating 95% overhead.”
- Steve [53:07]: On the CA Drop process: "Everything I provide will be forwarded to data brokers and the more I provide, the better job they'll do of scrubbing me from their systems."
- Leo [103:13]: "I just added a massive feature ... and Claude Code wrote it."
- Steve [146:42]: "For code signing, the only requirement is that the certificate used to sign the code be valid at the time the code is signed. Since all we're asserting is the identity and that nothing has changed since."
Timestamps for Important Segments
- Phishing Story and Lessons: [01:17] – [07:49]
- Azure Code Signing Blog Analysis: [15:35] – [36:21]
- Short-Lived Code Signing Certs vs. Traditional Certs: [141:08] – [158:44]
- DROP (CA Data Deletion Law) Analysis: [44:41] – [70:47]
- National Weather Service AI Blunder – "What a Bod": [76:47] – [77:22]
- AI Coding/Demo and Claude Code Deep Dive: [92:01] – [114:34]
Resources and Links
- Azure Trusted Signing Blog Post Shortcut: grc.sc/codesign
- Build with Andrew – Beginner's AI Coding Tutorial: grc.sc/andrew
- FastSSL Certificate Provider: cheapsslsecurity.com
- California DROP: consumer.drop.privacy.ca.gov
Key Takeaways
- The code signing process is getting costlier, more complex, and harder for all but the largest enterprises.
- Short-lived certificates (as little as 3 days) are feasible and secure if coupled with proper timestamping—this is how Microsoft and others provide "rotated" code signing services.
- AI coding assistants (especially Claude Code) have reached a tipping point: both pros and non-coders can now automate, build, and rapidly iterate on custom software, heralding a new era in programming.
- Data privacy and control are seeing minor victories (cf. CA’s DROP platform), but systemic transparency and user empowerment remain uphill battles.
For listeners:
If you write/run code—especially for public use—or care about AI’s impact on your field, this episode is a must. It’s also a powerful illustration of how even the most sophisticated security systems can be quickly exploited, and how the relentless pace of AI transformation is creating both opportunity and disruption in core technology workflows.