Security Now Episode 1065 Summary: "Attestation – Code Signing Gets Tough"
Date: February 18, 2026
Hosts: Steve Gibson and Leo Laporte
Episode Overview
This episode dives into the increasing complexity of code signing, certificate issuance, and attestation in the software industry, driven by the tightening security landscape and a surge in malware. Steve Gibson shares his recent, intricate experience securing a new code signing certificate amid new industry regulations, explaining the purpose and pitfalls of the latest certificate authority demands. Alongside, Steve and Leo dissect current cybersecurity topics: Chrome’s new device-bound session credentials, massive Chrome extension privacy breaches, Microsoft’s shifting approach to security, platform bot attacks, and worldwide moves to enforce stricter age verification on social media and apps.
Major Topics and Key Insights
1. Security in Password Managers (00:43–08:08)
- ETH Zurich & Italian Researchers' Report: A collaborative team published a deep-dive into the server-side security of major password managers: Dashlane, LastPass, Bitwarden.
- Key Finding: Even reputable password managers have edge-case vulnerabilities, especially if attackers gain full server control and force protocol downgrades.
- Impact: Issues require multiple unlikely steps to exploit and generally only affect users with weak passwords or outdated cryptography.
- Community Response: Bitwarden’s open source nature eased researchers' efforts and led to rapid fixes.
- Quote (Steve Gibson, 05:42): "These were like worst case, if a bad guy completely took over your server infrastructure, what could be learned?"
2. Web Architecture, Bot Overwhelm, and Site Scalability (16:22–27:50)
- Modern Web Bottlenecks: Servers now struggle less with bandwidth, more with backend computational load—dynamic content (vs. static) is CPU intensive.
- Super Bowl Example: AI.com went down from its commercial's traffic spike; heavy use of dynamic CMS overwhelmed servers.
- Static sites like GRC (assembled/optimized by Steve) suffer much less from such issues.
- Advice: Efficiency matters more than ever, especially when scaling or switching web platforms.
3. Microsoft’s Troubling Shift in Security Focus (28:02–39:16)
- Editorial from ‘Seriously Risky Business’:
  - Microsoft appears to be deprioritizing product security in favor of selling security products.
  - Leadership changes reflect this shift, and regulatory pressure has lessened now that the U.S. Cyber Safety Review Board has been disbanded.
- Quote (Editorial, read by Steve, 29:16): "We fear Microsoft's goal now is not to make secure products so much as to sell security products."
- Long-term risk: Actual improvements in security are invisible; reductions become apparent only after the next major breach.
4. Chrome 145: Device-Bound Session Credentials (44:07–50:57)
- What’s New: Chrome 145 introduces “device bound session credentials”—a major advance in browser authentication.
- How it works: Session cookies are cryptographically bound to the originating device using secure hardware (e.g. TPM).
- Security Win: Stolen cookies can’t be reused elsewhere—dramatically reducing session hijack risks.
- Compatibility: Requires server and browser support; Mozilla and Safari are progressing in parallel.
- Quote (Steve, 44:07): "This innovation arranges to, for the first time ever, prevent anyone who might somehow obtain a session cookie from being able to use it themselves anywhere else. That’s huge."
5. Widespread Privacy Violations in Chrome Extensions (72:08–88:46)
- Multiple Reports:
  - 30 malicious “AI assistant” extensions reached 260,000 Chrome users, funneling data via remote-controlled interfaces.
  - A separate investigation found 287 extensions exfiltrating full browsing histories from 37.4 million users—about 1% of Chrome’s base.
- Technique: The extensions abused Chrome’s extension architecture to bypass store review: their behavior was dictated by external servers long after approval.
- Quote (LayerX Report, read by Steve, 74:10): "Their architecture is incompatible with reasonable expectations of privacy and transparency."
- Advice: Only install extensions from trusted, well-established developers.
6. Age Verification Trends & Discord Backlash (51:24–61:50)
- Global Legislative Moves: Countries (Kazakhstan, Moldova, Romania, etc.) are banning underage social accounts, pushing for robust age verifications.
- Discord’s Update: Discord sparked panic by switching all accounts to “underage by default” unless proof is submitted.
- Clarification: Most users will not need to upload ID unless seeking access to adult content or features.
- Privacy Concerns: Some third-party age verification providers have breached the promise to delete sensitive ID data.
- Quote (Discord Statement, 55:26): "Discord only receives your age. That’s it. Your identity is never associated with your account."
7. Other Security Headlines
- Outlook Malicious Add-In (88:48–97:26): First exploited Outlook add-in resulted in over 4,000 stolen credentials. Attackers claimed a defunct developer’s domain, highlighting risks from abandoned software infrastructure.
- Quote (Coy Security report, read by Steve, 89:16): "This is the story of how a dead side project became a phishing weapon."
- WinRAR Exploit Reminder (61:50–67:52): Google discovered active exploitation of a critical path traversal bug; checks find more than 80% of environments still running vulnerable versions.
- Paragon’s Graphite Spyware (72:08–88:46): Leaked photos show its real interface can tap instant messaging on infected devices—another illustration of why device security is paramount.
Spotlight Segment: Code Signing and the New Attestation Era (114:03–155:12)
Background & Current Changes
- Certificate Lifespans Cut: CA/B Forum mandates are reducing maximum validity of TLS/SSL certificates from ~1 year to 6 months; code signing certificates drop from 3 years to 1.
- Increased Verification: Certificate renewal no longer simply tests domain control; it requires full attestation, often by a licensed lawyer or CPA, to tie the code to a real organization and identity.
Steve’s Attestation Adventure (123:00–141:46)
- Process:
  - Steve orders a 3-year code signing certificate from IdenTrust, avoiding the more expensive DigiCert plans.
  - He receives an attestation letter requirement: a "wet-ink" signature from an independent, licensed CPA or attorney who affirms knowledge of Steve and GRC’s legitimacy.
  - After some paperwork, physical mailing, and phone verification with his CPA, IdenTrust finally issues the certificate.
- Industry Impact:
  - These requirements are meant to keep bad actors from obtaining code signing certificates, but they impose heavy overhead and cost on legitimate developers.
- Quote (Steve, 144:22): "I'm somewhat surprised that I was accepted by IdenTrust without first agreeing to a full body cavity search…"
Analysis: What Does Attestation Actually Solve?
- Goal: Slow the large-scale abuse of code signing certs by raising the bar for identity proof, making it harder for malware authors to spoof organizations.
- Limitation: Despite robust attestation, attackers can still infiltrate the supply chain or exploit poor validation processes.
- Broader Issue: These increasingly burdensome procedures may drive small developers away or simply raise costs, with only moderate actual impact on advanced threat actors.
Notable Quotes & Moments
| Timestamp | Quote / Moment | Speaker |
|-----------|----------------|---------|
| 05:42 | "These were… worst case, if a bad guy completely took over your server infrastructure…" | Steve |
| 29:16 | "We fear Microsoft's goal now is not to make secure products so much as to sell security products." | Editorial (read by Steve) |
| 44:07 | "Device bound session credentials... to, for the first time ever, prevent anyone who might… obtain a session cookie from being able to use it themselves anywhere else. That's huge." | Steve |
| 74:10 | "Their architecture is incompatible with reasonable expectations of privacy and transparency." | LayerX report via Steve |
| 89:16 | "This is the story of how a dead side project became a phishing weapon." | Coy Security report |
| 114:03 | "...the privilege of adding a cryptographic signature to my code as the only available means of proving my identity as my code’s signer." | Steve |
| 144:22 | "I'm somewhat surprised that I was accepted by IdenTrust without first agreeing to a full body cavity search…" | Steve |
Timestamps for Key Segments
- 00:43 — Password manager research & server-side attacks
- 16:22 — Picture of the Week (security camera hack) & modern web server efficiency
- 28:02 — Microsoft and the shifting focus away from security-first culture
- 39:16 — Windows 11 26H1 and naming confusion
- 44:07 — Chrome 145 and device bound session credentials (cookies)
- 51:24 — Age restrictions on social media; Discord case
- 61:50 — WinRAR vulnerability exploit widespread
- 72:08 — Paragon Graphite spyware capability; malicious Chrome extensions
- 88:48 — Outlook malicious add-in attack vector
- 100:28 — AI-vibe coding and concerns with AI-generated code
- 114:03 — Main segment: Attestation, code signing, and Steve’s struggle
- 152:11 — Discussion: Is there a better way? The authentication problem
Overall Tone
Conversational, candid, and laced with Steve Gibson’s signature blend of technical detail and wry humor. The episode is rich in practical advice for security professionals while not shying away from criticizing industry trends that make life harder for the “good guys.” Steve and Leo keep the tone both informative and engaging—even as the material delves deep into certificate authority bureaucracy.
Conclusion
Episode 1065 provides a deep, real-world glimpse into the mounting regulatory burdens and costs being imposed on developers in the name of security. Steve’s firsthand account of navigating code signing attestation crystallizes a broader trend—security requirements are rapidly evolving, but often at a steep price in time, money, and developer empowerment. The hosts balance this with sharp analysis of news highlights, practical advice, and a humorous touch, making this an essential episode for anyone involved in software security or development.